Section 18 of the Information Technology Act, 2000 provides the required
legal sanctity to digital signatures based on asymmetric cryptosystems.
Digital signatures are now accepted on par with handwritten signatures, and
electronic documents that have been digitally signed are treated on par with paper
documents.
The IT Act provides for the Controller of Certifying Authorities (CCA) to license
and regulate the working of Certifying Authorities. The Certifying Authorities
(CAs) issue digital signature certificates for electronic authentication of users.
The Controller of Certifying Authorities (CCA) has been appointed by the Central
Government under section 17 of the Act for purposes of the IT Act. The Office of
the CCA came into existence on November 1, 2000. It aims at promoting the
growth of E-Commerce and E-Governance through the wide use of digital
signatures.
The Controller of Certifying Authorities (CCA) has established the Root Certifying
Authority of India (RCAI) under section 18(b) of the IT Act to digitally sign the
public keys of Certifying Authorities (CAs) in the country. The RCAI is operated as
per the standards laid down under the Act.
The CCA certifies the public keys of CAs using its own private key, which enables
users in cyberspace to verify that a given certificate is issued by a licensed CA.
For this purpose it operates the Root Certifying Authority of India (RCAI). The
CCA also maintains the Repository of Digital Certificates, which contains all the
certificates issued to the CAs in the country.
PAKISTAN
The Ministry of Information Technology, in line with the National IT Policy and
the Electronic Transaction Ordinance, 2002, set up an Accreditation Council for
Certificate Authorities (CAs) in 2002. The council acts as the regulating authority for
all the Certifying Authorities in Pakistan. Before this ordinance in 2002 there
was only one Certifying Authority, NIFT National ICT and R&D Fund. After this
ordinance, many CAs were formed. At present there are in total 13 Certifying
Authorities, namely:
1
2
3
4
5
6
7
8
9
rules and methods under which CAs will function. It will establish databases of
disclosure issued by Certifying Authorities and perform all other functions in
order to ascertain that the system of Public Key Infrastructure works properly.7 The
Controller has authority to recognize foreign CAs by following rules
established under the Act.8 It will act as repository of all Certificates issued.
Certifying Authorities are generally private entities. They have to obtain a
license and must comply with strict requirements set by law.
The Controller issues such licenses after scrutinizing applications for licenses.
The license is subject to suspension and revocation. The application should
be accompanied by a certificate practice statement, a statement including the
procedures with respect to identification of the applicant, requisite fees and
other documents.9
U.S.A
The ESIGN Act, signed by President Bill Clinton on June 30, 2000, granted
electronic signatures the same legal status as handwritten signatures throughout
the United States. Electronic signatures greatly simplify the way companies
gather, track and manage signatures and approvals.
The terms issuing authority or certificate issuer are sometimes used to refer to
what these Guidelines call a certification authority. The two terms are closely
synonymous10.
Certification authority:- A person who issues a certificate11.
Quality assurance should be a principal concern in selecting and utilizing
certification authorities. Governmental regulation, professional accreditation,
trade usage, auditing, and liability for negligent errors and omissions are
examples of approaches toward assuring quality in certification authority
practice.
7 Sections 18 and 19 of Information Technology Law, 2006.
8 Id. Section 20.
9 Id. Sections 22 to 26.
10 https://acrobat.adobe.com/content/dam/doccloud/en/pdfs/dc_esignatures_us_overview_ue.pdf
11 Information Security Committee, Electronic Commerce and Information
Technology Division, Section of Science and Technology, American Bar Association.
1995, 1996 American Bar Association.
Subject to applicable law, any person who undertakes the functions of a
certification authority under these Guidelines may become a certification
authority. The level of authority and reliance to be accorded to the certificates
of the certification authority will be determined in part by the experience and
reputation of the certification authority, and in part from the material presented
in the certification practice statement. Those who seek a low level of
responsibility to protect transactions of minor value or limited risk may accept
a certificate of lower level assurance from a certification authority of unknown
reputation. Those who seek the highest level of responsibility to protect
transactions of high value and severe risk will obtain certificates providing the
highest level of assurance, from certification authorities whose experience has
earned them the highest respect.12
A notaire or CyberNotary may be a certification authority, and serving as a
certification authority may well be a natural. CyberNotaries are attorneys at
law admitted to practice in the United States and qualified to act as a
CyberNotary pursuant to specialization rules currently under development in
the CyberNotary Committee, Section of Science and Technology of the
American Bar Association. A CyberNotary function mirrors that of a notaire,
and is focused primarily on practice in international, computer-based
transactions. Under the planned specialization rules, a CyberNotary would
possess technical expertise to facilitate computer-based transactions requiring a
high level of certification, authentication, or other information security
services. It is proposed that a CyberNotary would be required to meet a level
of qualification as a legal professional commensurate with that of a notaire, be
a member in good standing of the bar of a state or territory of the United
States, the District of Columbia, or Puerto Rico, be a member of the American
Bar Association, and demonstrate technical competence in computer-based
business transactions. For further information, contact the CyberNotary
Committee, Section of Science and Technology, of the American Bar
Association.
12 Sec. 1.7; Information Security Committee, Section of Science & Technology,
American Bar Association.
Thawte
Thawte is a leading global Certification Authority. Our SSL and code signing
digital certificates are used globally to secure servers, provide data encryption,
authenticate users, protect privacy and assure online identities through stringent
authentication and verification processes. Our SSL certificates include Wildcard
SSL Certificates, SAN /UC Certificates, SGC SuperCerts and Extended Validation
SSL Certificates.
Entrust
SSL Server Certificates
SSL (Secure Sockets Layer) is a cryptographic protocol that establishes a secure
connection between a client application and a server on the Internet or other
network. An SSL certificate (or digital certificate) indicates that an encryption
algorithm is being used to ensure that only intended parties are the recipient of a
data transmission. For this reason, SSL certificates or Transport Layer Security
(TLS) certificates are one of the hallmarks of a solid e-commerce foundation and
the de facto industry standard for protecting information from unauthorized access.
In short, SSL certificates help build customer trust and website reputation by
safeguarding Internet transactions.
Verisign
VeriSign Authentication Services, now part of Symantec Corp. (NASDAQ:
SYMC), provides solutions that allow companies and consumers to engage in
communications and commerce online with confidence. VeriSign Authentication
Services include SSL, SSL Certificates, Extended Validation (EV SSL), VeriSign
Trust Seal, two-factor authentication, identity protection, malware scan, code
signing and public key infrastructure (PKI). Symantec products include Norton
antivirus software, Norton internet security solutions for small business, and PC
Tools.
Globalsign
GlobalSign Inc offers online security services and has been operating a trusted
Root Certificate Authority since 1996. GlobalSign Digital Certificates are trusted
by all popular Browsers, Operating Systems, Mobile Devices and Applications and
include SSL Server Certificates, Extended Validation SSL, Code Signing, Adobe
CDS, Email & Authentication Digital IDs, Enterprise PKI and Certificate
Authority root signing for Microsoft Certificate Services / Enterprise CA.
MALAYSIA
In a public-key infrastructure scheme, Certification Authorities play a very
prominent role. As trusted third parties, Certification Authorities certify and
identify users electronically by issuing electronic identification certificates.
For a digital signature to enjoy legal status, it must be certified by a
Certification Authority. In Malaysia, licensing of Certification Authorities is
mandatory.13 At the moment, DigiCert is the only licensed Certification
Authority in Malaysia. This approach is adopted so that there is uniformity in
the certification industry, and so that regulation of digital signatures can be done
more effectively (Annamalai; 1997), although (Alkeniz; 1997) argued that
licensing TTPs, instead of increasing security, will in fact make electronic
commerce less secure. Therefore, in Malaysia, a digital signature is legally
valid only if it is certified by a licensed Certification Authority. In fact, it is an
offence to carry on or operate, or hold out as, a Certification Authority unless
that person holds a valid licence under the Act. Upon conviction, that person may be
liable to a fine not exceeding five hundred thousand ringgit or to imprisonment
for a term not exceeding ten years or both.14 Although licensing of
Certification Authorities is mandatory in Malaysia, this does not mean that a certificate
issued by an unlicensed Certification Authority is invalid. In fact, the Act
specifically provides that the licensing requirements under the Act shall not
affect the effectiveness, enforceability and validity of any digital signatures.15
The Act further provides that the liability limits for certification authorities and
the effect of digital signatures, as provided for under the Act, shall not apply to
unlicensed Certification Authorities. Therefore, if an unlicensed Certification
Authority is used, the validity of the digital signatures would be governed by a
contract between the contracting parties, instead of the Malaysia DSA.
The Singapore ETA adopts a different approach. Licensing under the Singapore
ETA is voluntary so that closed networks may use their unlicensed Certification
Authority (Ter; 1999). However, it is not correct to assume that unlicensed
Certification Authorities are not regulated (Seng; 1999). They would still have to
abide by other relevant provisions of the Singapore ETA, such as the duties of
certification authorities. In Singapore, digital certificates are recognised if they
are issued by three bodies: licensed Certification Authorities, foreign
Certification Authorities recognised by the Controller of Certification
Authority,16 and Government Departments or Ministries approved by the Minister;
the parties may also expressly agree between themselves to use a digital
signature which is properly verified by reference to the sender's public key.17
13 s. 4(1), Digital Signature Act, 1997
14 s. 4(2), Digital Signature Act, 1997
15 s. 13(2), Digital Signature Act, 1997
RUSSIA
Certification of e-signature technology is a lengthy process in Russia and may
require, among other things, decompiling the certifiable software. In the
meantime, users often run foreign-made e-signature technology, the
certification of which is impracticable economically or organizationally. It
should therefore be admitted that the statutorily required certification of
e-signature technology substantially limits user options offered to electronic
document flow agents, and is a serious obstacle to wider use of e-signatures in
Russian business practice.
At present, the authorized government body is the Federal Agency for
Information Technology (FAIT) operating within the Russian Federation
Ministry for Information Technology and Telecommunications.18 FAIT
16 s. 43, Electronic Transaction Act
17 s. 20(b)(iv), Electronic Transaction Act
18 Resolution No. 319 of the Russian Federation Government On Approval of the Regulations
of the Federal Agency for Information Technology of June 30, 2004. The web site of FAIT in
Russian is located at http://www.minsvyaz.ru/site.shtml?id=2873. Information in English is only
available in regard to the Ministry itself http://english.minsvyaz.ru/enter.shtml.
19 The obligation to provide such liability is established for the European countries, for
example, by Directive 1999/93/EC of the European Parliament and of the Council of 13
December 1999 on a Community framework for electronic signatures, Official Journal L 013,
19/01/2000 p. 0012-0020, available in electronic format at
http://www.ict.etsi.org/EESSI/Documents/e-sign-directive.pdf.
20 Article 11 of the E-Signature Law.
CONCLUSION
A certificate authority (CA) is a trusted entity that issues electronic
documents that verify a digital entity's identity on the Internet. The
electronic documents, which are called digital certificates, are an
essential part of secure communication and play an important part in
the public key infrastructure (PKI). Certificates typically include the
owner's public key, the expiration date of the certificate, the owner's
name and other information about the public key owner. Operating
systems (OSes) and browsers maintain lists of trusted CA root
certificates to verify certificates that a CA has issued and signed.
In cryptography, a certificate authority or certification authority (CA)
is an entity that issues digital certificates. A digital certificate
certifies the ownership of a public key by the named subject of the
certificate. This allows others (relying parties) to rely upon
signatures or on assertions made about the private key that
corresponds to the certified public key. In this model of trust
relationships, a CA is a trusted third party, trusted both by the
subject (owner) of the certificate and by the party relying upon the
certificate. The most commonly encountered public-key
infrastructure (PKI) schemes are those used to implement HTTPS on
the World Wide Web.
CONTENTS
INTRODUCTION
WHO IS THE CONTROLLER OF CERTIFYING AUTHORITIES
POWER AND FUNCTIONS OF CERTIFYING AUTHORITIES
IN REFERENCE TO:
PAKISTAN
BANGLADESH
U.S.A
MALAYSIA
RUSSIA
CONCLUSION
BIBLIOGRAPHY