Powers of Controller of Certifying Authorities Under IT Act, 2000

The Office of the Controller of Certifying Authorities (CCA) in India was established under the Information Technology Act, 2000 (IT Act 2000) to oversee and regulate the activities of Certifying Authorities (CAs) involved in issuing digital certificates. The CCA is a key component of the framework that supports the security and authenticity of electronic transactions and communications. The Office of the Controller of Certifying Authorities is the focal point on which the Information Technology Act, 2000 operates. It is the statutory duty of the Controller to identify, apply and raise awareness regarding the application of specific forms of technology. However, its main function is to issue licences to Certifying Authorities, who in turn generate and issue Digital/Electronic Signature Certificates (ESCs) to subscribers. In this article we shall discuss the powers of the Controller of Certifying Authorities under the Information Technology Act, 2000.

Under Section 17 of the Information Technology Act, 2000, the Central Government may appoint a Controller of Certifying Authorities by notification in the Official Gazette. It may also appoint such number of Deputy Controllers and Assistant Controllers as it deems fit. The Controller discharges his functions subject to the general control and directions of the Central Government. The Deputy Controllers and Assistant Controllers perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.

Powers of Controller of Certifying Authorities

Powers of Controller of Certifying Authorities include:

  • Power Relating to Licence [Sections 21-26]
  • Power to Delegate [Section 27]
  • Power to Investigate Contraventions [Section 28]
  • Power to Access Computers and Data [Section 29]
  • Power to Give Directions to Certifying Authorities [Section 68]
  • Power to Make Regulations [Section 89]

Power Relating to Licence [Sections 21-26]:

  • Application for Licence to Issue Electronic Signature Certificates: According to Section 21(1) of the Information Technology Act, 2000, subject to the provisions of sub-section (2), any person may make an application to the Controller for a licence to issue Electronic Signature Certificates.
  • Requirements for Application for Licence: According to Section 21(2) of the Information Technology Act, 2000, no licence shall be issued under sub-section (1) unless the applicant fulfils such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Electronic Signature Certificates, as may be prescribed by the Central Government.
  • Conditions Prescribed in Licence: According to Section 21(3) of the Information Technology Act, 2000, a licence granted under this section shall:

a) Be valid for such period as may be prescribed by the Central Government;

b) Not be transferable or heritable;

c) Be subject to such terms and conditions as may be specified by the regulations.

Thus, any person may approach the Controller for a licence to issue Electronic Signature Certificates, including Digital Signature Certificates. The applicant is to submit an application under Rule 10 of the Information Technology (Certifying Authorities) Rules, 2000. Furthermore, Regulation 3 of the Information Technology (Certifying Authority) Regulations, 2001 provides the terms and conditions of a licence to issue Electronic Signature Certificates, including Digital Signature Certificates. Also, as per Rule 13 and Regulations 3(i)(a) and (b), a licence is valid for a period of five years from the date of its issue, and the said licence is not transferable or heritable.

Format of the Application for Issue of Licence:

According to Section 22(1) of the Information Technology Act, every application for issue of a licence shall be in such form as may be prescribed by the Central Government.

Documents Required with Application for Issue of Licence:

According to Section 22(2) of the Information Technology Act, every application for issue of a licence shall be accompanied by:

a) A certification practice statement;

b) A statement including the procedures with respect to identification of the applicant;

c) Payment of such fees, not exceeding twenty-five thousand rupees, as may be prescribed by the Central Government;

d) Such other documents as may be prescribed by the Central Government.

Renewal of Licence:

An application for renewal of a licence shall be:

a. In such form; and

b. Accompanied by such fees, not exceeding five thousand rupees, as may be prescribed by the Central Government, and shall be made not less than forty-five days before the date of expiry of the period of validity of the licence.

Grant or Rejection of Licence:

The Controller may, on receipt of an application under sub-section (1) of section 21, after considering the documents accompanying the application and such other factors as he deems fit, grant the licence or reject the application:

Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.

Suspension and Revocation of Licence:

1. The Controller may, if he is satisfied after making such inquiry as he may think fit, that a Certifying Authority has:

a. Made a statement in, or in relation to, the application for the issue or renewal of the licence, which is incorrect or false in material particulars;

b. Failed to comply with the terms and conditions subject to which the licence was granted;

c. Failed to maintain the procedures and standards specified in section 30;

d. Contravened any provision of this Act, rule, regulation or order made thereunder;

revoke the licence:

Provided that no licence shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation.

2. The Controller may, if he has reasonable cause to believe that there is any ground for revoking a licence under sub-section (1), by order, suspend such licence pending the completion of any enquiry ordered by him:

Provided that no licence shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.

3. No Certifying Authority whose licence has been suspended shall issue any certificate during such suspension.

Notice of Suspension or Revocation of Licence:

1. Where the licence of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the database maintained by him.

2. Where one or more repositories are specified, the Controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories:

Provided that the database containing the notice of such suspension or revocation, as the case may be, shall be made available through a website which shall be accessible round the clock;

Provided further that the Controller may, if he considers it necessary, publicise the contents of the database in such electronic or other media as he may consider appropriate.

Power to Delegate [Section 27]:

The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller.

Power to Investigate Contraventions [Section 28]:

The Controller or any officer authorised by him in this behalf shall take up for investigation any contravention of the provisions of this Act, or of the rules and regulations made thereunder.

Power to Give Directions to Certifying Authorities [Section 68]:

(1) The Controller may, by order, direct a Certifying Authority or any employee of such Authority to take such measures or cease carrying on such activities as specified in the order, if those are necessary to ensure compliance with the provisions of this Act, rules or any regulations made thereunder.

(2) Any person who intentionally or knowingly fails to comply with any order under sub-section (1) shall be guilty of an offence and shall be liable on conviction to imprisonment for a term not exceeding two years or a fine not exceeding one lakh rupees or both.

Power to Make Regulations [Section 89]:

(1) The Controller may, after consultation with the Cyber Regulations Advisory Committee and with the previous approval of the Central Government, by notification in the Official Gazette, make regulations consistent with this Act and the rules made thereunder to carry out the purposes of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such regulations may provide for all or any of the following matters, namely:

(a) the particulars relating to maintenance of the database containing the disclosure record of every Certifying Authority under clause (n) of section 18;

(b) the conditions and restrictions subject to which the Controller may recognise any foreign Certifying Authority under sub-section (1) of section 19;

(c) the terms and conditions subject to which a licence may be granted under clause (c) of sub-section (3) of section 21;

(d) other standards to be observed by a Certifying Authority under clause (d) of section 30;

(e) the manner in which the Certifying Authority shall disclose the matters specified in sub-section (1) of section 34;

(f) the particulars of the statement which shall accompany an application under sub-section (3) of section 35;

(g) the manner by which the subscriber shall communicate the compromise of a private key to the Certifying Authority under sub-section (2) of section 42.

(3) Every regulation made under this Act shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the regulation or both Houses agree that the regulation should not be made, the regulation shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that regulation.

The powers of a Controller of Certifying Authorities (CCA) typically revolve around overseeing the certification process within a public key infrastructure (PKI) and ensuring the security and integrity of digital certificates. The CCA has the authority to set standards and regulations for Certifying Authorities (CAs). This includes ensuring that CAs follow best practices for issuing and managing digital certificates. The CCA is responsible for licensing and accrediting CAs; this process ensures that only qualified entities are authorised to issue digital certificates. The CCA monitors and audits CAs to ensure compliance with relevant regulations and standards, including regular inspections and assessments of CA operations. The CCA has the power to take corrective action against CAs that fail to comply with regulations, which can include revoking certificates, suspending licences, or imposing fines. The CCA provides guidance and support to CAs on regulatory requirements and best practices, which helps in maintaining the overall security and trustworthiness of the digital certification ecosystem. The CCA may also be involved in resolving disputes between CAs and their customers, or between different CAs, ensuring fair and transparent processes.

From the powers of Controller of Certifying Authorities, we can conclude that the CCA plays a crucial role in maintaining the integrity and security of digital communication by overseeing the certification process and ensuring that CAs operate within established standards and regulations.