What are Certifying Authorities and what is their legal standing?
A Certifying Authority (CA) is a third-party organization that issues an
electronic document, called a digital certificate, to validate the
authenticity of a domain, website or other digital entity.[i] A CA can also
revoke or suspend a digital certificate; whenever a red box saying "NOT SECURE"
appears in your browser's address bar, it means that the website's certificate
has been revoked or suspended.[ii]
Section 17 of the Information Technology Act 2000 provides for the Controller of
Certifying Authorities (CCA), which grants licences to CAs under Section 24 of
the Act so that they can issue digital certificates. For this purpose, the CCA
created a Root Certifying Authority under Section 18(B) of the Act to digitally
sign the private key of the CA.[iii]
Foreign Certifying Authorities (FCAs) are certifying authorities other than
those licensed by the CCA under Section 24 of the Information Technology Act
2000, whose entire operation and infrastructure for providing digital signature
certificates is located outside India. They are recognized by the CCA under
Section 19(1) of the IT Act 2000.
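The hierarchy described above (a root signs a CA's certificate, the CA issues certificates to end entities, and relying parties trust those certificates only through the root) can be made concrete in code. The following is an added example written for this article; it is not code from the page, the CCA or any licensed CA, and it uses only Go's standard-library crypto/x509 package. It builds a toy root, a toy CA whose certificate the root signs, and a site certificate issued by that CA. A relying party that trusts only the root accepts the site's certificate, rejects a certificate issued by a CA the root never signed, and finds the site's serial number on the CA's certificate revocation list once the CA revokes it. All names (Root CA (toy), Licensed CA (toy), Unrecognised CA (toy), shop.example.test) and keys are constructed for the example; the parallel to licensing and recognition is illustrative only, since legal recognition is a separate act from the technical chain check shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity bundles a certificate with the private key it certifies.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a certificate template; isCA marks it as a certifying authority.
// Serial numbers and names are constructed for this example.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue has `issuer` sign a certificate over a fresh key for `tmpl`.
// A nil issuer produces a self-signed (root) certificate.
func issue(tmpl *x509.Certificate, issuer *entity) entity {
	key := mustKey()
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return entity{cert: cert, key: key}
}

// VerifyLeaf is the relying party's check: does `leaf` chain, through the
// presented intermediates, to a root in `roots`, for the given host name?
func VerifyLeaf(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool, host string) error {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: host})
	return err
}

// IsRevoked checks a CRL for the certificate's serial number, after first
// confirming that the CRL was really signed by the issuing CA.
func IsRevoked(crlDER []byte, ca *x509.Certificate, cert *x509.Certificate) bool {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return false
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// DemoResult records the three outcomes a relying party observes.
type DemoResult struct {
	TrustedChainOK   bool // site cert from a CA signed by the trusted root verifies
	UnrecognisedCAOK bool // site cert from a CA the root never signed verifies (expected: false)
	LeafRevoked      bool // revoked site cert's serial appears on the CA's CRL
}

func RunDemo() DemoResult {
	root := issue(template("Root CA (toy)", 1, true), nil)
	ca := issue(template("Licensed CA (toy)", 2, true), &root)
	site := issue(template("shop.example.test", 3, false), &ca)

	// A CA that is not chained to the trusted root at all.
	rogue := issue(template("Unrecognised CA (toy)", 4, true), nil)
	rogueSite := issue(template("shop.example.test", 5, false), &rogue)

	roots := x509.NewCertPool()
	roots.AddCert(root.cert) // the relying party's trust store holds only the root

	// The CA later revokes the site's certificate and publishes a signed CRL.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: site.cert.SerialNumber, RevocationTime: time.Now()},
		},
	}, ca.cert, ca.key)
	if err != nil {
		panic(err)
	}

	return DemoResult{
		TrustedChainOK:   VerifyLeaf(site.cert, []*x509.Certificate{ca.cert}, roots, "shop.example.test") == nil,
		UnrecognisedCAOK: VerifyLeaf(rogueSite.cert, []*x509.Certificate{rogue.cert}, roots, "shop.example.test") == nil,
		LeafRevoked:      IsRevoked(crlDER, ca.cert, site.cert),
	}
}

func main() {
	r := RunDemo()
	fmt.Printf("trusted chain verifies:    %v\n", r.TrustedChainOK)
	fmt.Printf("unrecognised CA verifies:  %v\n", r.UnrecognisedCAOK)
	fmt.Printf("site certificate revoked:  %v\n", r.LeafRevoked)
}
```

The relying party never consults the CA's key directly: it accepts the site certificate only because the CA's own certificate carries the root's signature, which is why browsers ship a fixed trust store of roots and why a CA's recognition (or its removal) matters to every certificate beneath it. The CRL check is shown separately because a valid chain says nothing about revocation; in production the revocation source would be fetched from the CA rather than constructed inline.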
What types of digital signature certificate are issued in India?
According to the guidelines published by the CCA of India under the IT Rules 2000
and the X.509 certificate policy, there are three classes of certificate:
- Class 1- Provided to both private individuals and business personnel. It is a
basic-level certificate issued where the data is of low-risk value.
- Class 2- Also provided to both private individuals and business personnel. It
is a moderate-level certificate issued where the data is of moderate value and
the risk of a data breach is also moderate. It is provided to entities involved
in monetary activities.
- Class 3- Also provided to private individuals and organizations. It is a
high-level certificate mostly given to e-commerce companies where high-value
transactions are involved and the possibility of a data breach is high. To
obtain this certificate the individual must be physically present before the
certifying authority.[iv]
Classification of FCAs:
They are classified into two categories:
- Foreign Certifying Authorities (FCA) operating under a Regulatory Authority
other than the Indian Regulatory Authority.[v]
- Foreign Certifying Authorities (FCA) not operating under any Regulatory
Authority- as the name suggests, they do not operate under any Regulatory
Authority but are recognized by the Controller of Certifying Authorities,
India.[vi]
Procedure for recognition:
Foreign Certifying Authority (FCA) operating under a Regulatory Authority:
- The FCA should have been authorized to issue digital certificates by a
regulatory authority other than any Indian regulatory authority, whose
credibility should be at par with the norms of the Indian regulatory authority.
Credibility is measured on the following factors:
  - financial and human resources, including the existence of assets within
  the country;
  - trustworthiness of hardware and software systems;
  - procedures for the processing of certificates and applications for
  certificates, and retention of records;
  - availability of information to subscribers identified in certificates
  and to potential relying parties;
  - regularity and extent of audit by an independent body.
- Such regulatory authorities should recognize the Indian CAs and Indian
regulatory authorities licensed under the IT Act, 2000.
- The CCA should enter into a memorandum of understanding with these regulatory
authorities, which will be valid for five years. The CCA, with the permission of
the central government, then publishes the list of recognized authorities in
the official gazette.
Foreign Certifying Authority (FCA) not operating under any Regulatory Authority:
Every applicant has to apply as prescribed by the CCA, along with the following:
- The Certification Practice Statement (CPS). A CPS is a statement issued by
the CA and approved by the CCA that sets out the practices the CA follows in
issuing digital certificates.
- An undertaking by the applicant that it will comply with the requirements
of the CPS.
- A statement for the verification of the applicant.
- A statement of the purpose and scope of the digital signature certificate
technology, its management, and the part of the operation to be outsourced.
- Certified copies of business registration documents and of the licence for
issuing digital signature certificates.
- Information regarding any incident, especially past or present insolvency,
which would affect the capability of the applicant to act as a recognized
foreign certifying authority.
- A performance bond and a banker's guarantee of not less than one crore US
Dollars from any scheduled bank of India, in the manner prescribed by the
Controller. It remains valid for six years from the date of submission.
  - The banker's guarantee and the performance bond can be invoked by the
  Controller in case of violation of any section of the IT Act or any other
  law in force. Invocation of the guarantee does not affect any penalty
  imposed for the violation of the law of the land.
  The grounds for invoking the guarantee are:
  - when the Controller has suspended the recognition of the FCA for the
  reasons mentioned later in this article;
  - for the payment of compensation imposed by the Controller;
  - for the payment of liabilities and rectification costs caused by the
  negligence of the FCA or its employees or officers;
  - for the payment of the cost incurred by the Controller for the
  discontinuation or Transfer of Operation (according to clause (47) of
  section 2 of the Income-tax Act, 1961) of the FCA, in case of the
  discontinuation of the services or operation of the FCA in its home country;
  - for the payment of the cost incurred by the Controller (in case it is not
  borne by the FCA concerned) for the inspection of the infrastructure used by
  the FCA for the generation, issue, and management of Digital Signature
  Certificates;
  - for the settlement of any default on payment by the FCA under the
  provisions of the IT Act and The Information Technology (Recognition of
  Foreign Certifying Authorities Not Operating under any Regulatory Authority)
  Regulations, 2013.
- Details of the local office set up in India.
- The audit report of the facility and infrastructure installed by the
applicant for the functions of generation, issue, and management of digital
signature certificates, as per the standards mentioned in the IT Act, 2000.
The audit report should cover:
  - security policy and planning;
  - physical security;
  - technology evaluation;
  - services administration;
  - the relevant Certification Practice Statement;
  - compliance with the relevant Certification Practice Statement;
  - contracts or agreements;
  - regulations prescribed by the Controller;
  - policy requirements of the Certifying Authorities Rules, 2000.
  The FCA should conduct a half-yearly audit of the security policy, physical
  security, and planning of its operation. The audit reports should be
  submitted to the Controller within four weeks, and any irregularities found
  in them should be dealt with by the FCA immediately. A statement is attached
  to the audit report confirming that the audit was conducted according to the
  standards mentioned in the IT Act, 2000.
- A non-refundable fee of Twenty-Five Thousand US Dollars, payable by bank
draft or pay order drawn in the name of the Controller. The fee is
non-refundable even if the recognition is revoked or suspended during the
validity period.
Other specified procedures and guidelines for an FCA not operating under any
Regulatory Authority:
- The Controller has to grant, renew or reject the application within four
weeks of receiving it (and must give a reason for any rejection).
- The Controller can take an extra four weeks to decide on the application,
but the total should not exceed eight weeks. (The reason for the extension
should be specified in writing.)
- If the application is approved by the Controller, the applicant has to
furnish the performance bond and the bank guarantee within one month from the
date of approval, and also execute a contract with the Controller binding
itself to comply with the terms and conditions of the recognition.
- Any Foreign Certifying Authority recognized under this regulation shall have
sole responsibility for the integrity, confidentiality, and protection of the
information and information assets employed in its operation, covering
classification, declassification, labeling, storage, access, and destruction
of information assets according to their value, sensitivity, and importance to
the operation.
- The Information Technology Security Guidelines and Security Guidelines for a
Foreign Certifying Authority recognized under this regulation, aimed at
protecting the integrity, confidentiality, and availability of its service,
shall be of a level equivalent to that of a Certifying Authority licensed under
the Act, as specified under Schedule-II and Schedule-III respectively of the
Information Technology (Certifying Authority) Rules 2000.
- The FCA should devise its information technology and security policy in
compliance with the guidelines of the IT Act, 2000, and any changes in the
policy should be submitted to the Controller within two weeks.
- The Controller, whenever deemed fit, can ask for a physical examination of
the facilities and infrastructure associated with all functions of generation,
issue, and management of digital signature certificates belonging to an FCA.
The cost and expense of this are to be borne by the FCA.
Who can issue digital certificates?
Both types of FCA can issue digital certificates to anyone who fulfills the
conditions provided in the law, except Indian citizens residing in India. Here,
"Indian national" means any company, firm, association of persons, body of
individuals, or local authority whose registered office or principal place of
business is located in India.
Validity of recognition and of certificates issued before recognition:
Recognition of both types is valid for a term of five years from the date it
was granted, and is not transferable. Certificates issued by them before
recognition are considered invalid under Indian law.
Suspension or revocation of recognition:
Foreign Certifying Authority (FCA) operating under a Regulatory Authority:
Recognition will be revoked if the authorization given to the FCA by the
appropriate regulatory authority to issue digital certificates is revoked.
Foreign Certifying Authority (FCA) not operating under any Regulatory
Authority:
- Recognition is suspended when the banker's guarantee furnished by the FCA
is invoked by the CCA.
- Recognition is suspended if, after inquiry, the CCA finds that the FCA
furnished a false or incorrect material particular in its application for
the grant or renewal of recognition.
- Recognition is suspended if the FCA fails to comply with the terms and
conditions of the recognition.
- Recognition is suspended if the FCA fails to maintain the procedures and
standards specified by the CCA.
- Recognition can be revoked for the violation of any provision of the IT
Act, 2000, or any other law of the land prevailing at that time.
- No recognition can be suspended or revoked until the recognized FCA has
been given a reasonable opportunity to justify its actions.
Renewal of recognition:
Foreign Certifying Authority (FCA) operating under a Regulatory Authority:
- The recognized FCA should submit the renewal application within the period
of forty-five days before the expiry of its term of recognition.
- The renewal application should be submitted in the form of an electronic
record as required by the Controller.
Foreign Certifying Authority (FCA) not operating under any Regulatory
Authority:
- The recognized FCA should submit the renewal application within the period
of forty-five days before the expiry of its term of recognition.
- The renewal application should be submitted in the form of an electronic
record as required by the Controller.
- If the application for renewal is accepted by the CCA, the FCA should
furnish the performance bond and the bank guarantee within one month from the
date of approval, and also execute a contract with the Controller binding
itself to comply with the terms and conditions of the recognition.
Refusal of recognition:
The Controller can refuse to grant or renew the recognition of either type of
FCA if:
- The applicant has not provided information asked for by the Controller
relating to its business or any other circumstances which may affect the
conduct of its business.
- The applicant is about to become bankrupt.
- A receiver, or a receiver and manager, has been appointed by a court in
respect of the applicant.
- The applicant or a trusted person has been convicted, in India or outside
India, of fraud or dishonesty or of violating the provisions of the IT Act.
- The applicant is failing to observe, or is in breach of or failing to
comply with, the CPS or the directions of the Controller.
Procedure to be followed by an FCA before ceasing recognition:
Before giving up their recognition, both types of FCA shall:
- Give ninety days' notice to the CCA before withdrawing from recognition,
or ninety days before the expiry of recognition.
- Advertise in newspapers their intention to cease recognition sixty days
before the cessation or expiry of recognition, as directed by the CCA.
- Notify their current subscribers of their intention to revoke their
recognition with sixty days' prior notice.
  - The notice shall be sent to the Controller, affected subscribers, and
  cross-certifying authorities by digitally signed e-mail and registered
  post.
- Revoke the subscriptions of subscribers who request revocation within the
ninety-day notice period.
- Ensure that their subscribers, and persons who need to verify digital
signatures by reference to the public keys contained in outstanding Digital
Signature Certificates, suffer minimal disruption from the cessation of
recognition.
- Make reasonable arrangements for preserving records for a period of
seven years.
- Pay reasonable compensation to subscribers for revoking digital signature
certificates before their date of expiry; the compensation should not exceed
the actual cost of obtaining a digital signature certificate.
End-Notes:
[i] Microsoft Support, Obtain a digital certificate and create a digital
signature, https://support.microsoft.com/en-us/office/obtain-a-digital-certificate-and-create-a-digital-signature-e3d9d813-3305-4164-a820-2e063d86e512
(last visited Jan. 17, 2022, 12:40 PM (N.T.M)).
[ii] GoDaddy, Not Secure warning: What does it mean when a site is not
secure? https://www.godaddy.com/garage/not-secure-warning-what-happened/
(last visited Jan. 17, 2022, 12:40 PM (N.T.M)).
[iii] Controller of Certifying Authority, About CCA, https://cca.gov.in/about.html
(last visited Jan. 17, 2022, 12:40 PM (N.T.M)).
[iv] Emudhra, Class of Certificates, https://www.e-mudhra.com/Class-of-certificates.html
(last visited Jan. 17, 2022, 12:40 PM (N.T.M)).
[v] Information Technology (Recognition of Foreign Certifying Authorities
Operating Under Regulatory Authority) Regulation 2013, No. 21 (India).
[vi] The Information Technology (Recognition of Foreign Certifying
Authorities Not Operating under any Regulatory Authority) Regulations, 2013,
No. 21 (India).