The Office of the Controller of Certifying Authorities (CCA) in India was established under the Information Technology Act, 2000 (IT Act 2000) to oversee and regulate the activities of Certifying Authorities (CAs) involved in issuing digital certificates. The CCA is a key component in the framework that supports the security and authenticity of electronic transactions and communications. The Office of the Controller of Certifying Authority is a focal point on which the Information Technology Act, 2000 operates. It is statuary duty of the Controller to identify, apply and draw awareness regarding application of specific form to technology. However its main function is to issue licence to certifying authorities who in turn generates and issues. Digital/Electronic Signature Certificate (ESC) to the subscriber.
Appointment of Controller and Other Officers:
Section 17 of the Information Technology Act, 2000 gives provisions related to the office of Controller of Certifying Authorities.
- The Central Government may appoint a Controller of Certifying Authorities after notifying in the Official Gazette. They may also appoint Deputy Controllers and Assistant Controllers as it deems fit.
- The Controller discharges his responsibilities subject to the general control and also directions of the Central Government
- The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and also control of the Controller.
- The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers, and Assistant Controllers shall be such as may be prescribed by the Central Government.
- The Head Office and Branch Office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit.
- There shall be a seal of the Office of the Controller.
The Organizational Structure of Controller of Certifying Authorities
Functions of Controller (Section 18):
Since 2000, the office of Controller of Certifying authorities has 3 broad functions:
- Technology
- Finance and Legal
- Investigation
Each department has a Deputy controller and an Assistant Controller.
1. To act as regulator of certifying authorities (CA)
- Exercising supervision over the activities of the Certifying Authorities
- Certifying public keys of the Certifying Authorities
- Laying down the standards to be maintained by the Certifying Authorities
- Specifying the qualifications and experience which employees of the Certifying Authorities should possess
- Specifying the conditions subject to which the Certifying Authorities shall conduct their business
- Specifying the form and manner in which accounts shall be maintained by the Certifying Authorities
- Specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them
- Facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems
- Specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers
- Resolving any conflict of interests between the Certifying Authorities and the subscribers
- Laying down the duties of the Certifying Authorities
- Maintaining a data-base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.
2. To recognize the foreign certifying authority
- Controller can recognize any foreign certifying authority.
3. To grant licence to CAโs
- So, that CAโs can issue Electronic Signature Certificate such as DSC (Digital Signature Certificate) to subscribers.
4. CCA can suspend the license of CA
- If CA fails to maintain acceptable standards
- If CA fails to follow terms and conditions
- If CA contravenes any provisions of IT Act
- If CA makes any false statement in relation to the issue or renewal of license issued by CCA
Powers of CCA:
The CCAs have following powers;
- Power Relating to Licence [Section 21-26]
- Power to Delegate [Section 27]
- Power to Investigate Contraventions [Section 28]
- Power to access computers and data [Section 29]
- Power to give directions to Certifying Authorities [Section 68]
- Power to make regulations [Section 89]
Rules Regarding Issue of Licence by CCA to CA
1. Application for licence & Submission of application
Application form needs to be filled as may be prescribed. And same needs to be submitted to the relevant authorities with the payment of non-refundable fee, Rs. 25,000 along with the required statements.
2. Validity of licence
A licence shall be valid for a period of 5 years from the date of issue and its non-transferrable.
3. Issuance of licence
If controller is satisfied that all the conditions and qualifications are met then CCA issues a licence to CA.
CCA can also reject the application if applicant fails to present his case to CCA in case required.
4. Renewal of licence
A non-refundable fee of Rs. 25,000 along with the relevant application as may be prescribed by the Central Government need to be submitted not less than 45 days before the expiry of the period of validity of licence.
5. Suspension of licence
CCA can suspend the license of CA ร If CA fails to maintain acceptable standards
- If CA fails to follow terms and conditions
- If CA contravenes any provisions of IT Act
- If CA makes any false statement in relation to the issue or renewal of license issued by CCA
No CA whose licence has been suspended shall issue any ESC (Electronic Signature Certificate i.e Digital Signature Certificate) during such suspension.
Conclusion:
The Controller of Certifying Authorities (CCA) under the Information Technology Act, 2000 (IT Act 2000) in India plays a crucial role in regulating and overseeing the functioning of Certifying Authorities (CAs) that issue digital certificates. The CCA is responsible for overseeing the operations of Certifying Authorities, ensuring they comply with the legal and regulatory framework established under the IT Act 2000. This includes licensing CAs, monitoring their performance, and ensuring adherence to prescribed standards. The CCA sets the standards and guidelines for the issuance and management of digital certificates, thereby maintaining the integrity and trustworthiness of digital transactions.
By regulating CAs, the CCA helps establish a robust trust framework for digital signatures and electronic transactions. This framework is essential for ensuring the security and authenticity of digital communications in e-commerce and other online activities. The CCA ensures that CAs implement necessary security measures and follow best practices to protect against fraud and unauthorized access. The CCA plays a key role in enforcing the provisions of the IT Act 2000 related to digital signatures and certificates. This includes addressing issues of non-compliance and taking necessary actions to uphold the legal standards. By providing regulatory support and maintaining a clear legal framework, the CCA helps facilitate the adoption of digital signatures and electronic transactions, supporting the growth of the digital economy. The CCA’s oversight ensures that consumers and businesses can trust the digital certificates issued by CAs, thus enhancing confidence in electronic transactions and reducing the risk of digital fraud. The CCA is responsible for adapting regulatory practices to keep pace with technological advancements and emerging trends in cyber security, ensuring that the regulatory framework remains relevant and effective.
In conclusion, the Controller of Certifying Authorities under the IT Act 2000 plays a vital role in ensuring the reliability and security of digital certificates and electronic signatures in India. Through its regulatory and oversight functions, the CCA helps build trust in digital transactions, supports the growth of e-commerce, and contributes to the overall cybersecurity framework of the country.