
INTRODUCTION

Section 18 of the Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted at par with handwritten signatures, and electronic documents that have been digitally signed are treated at par with paper documents.
The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users.
The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under section 17 of the Act for the purposes of the IT Act. The Office of the CCA came into existence on November 1, 2000. It aims at promoting the growth of e-commerce and e-governance through the wide use of digital signatures.
The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority of India (RCAI) under section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CAs) in the country. The RCAI is operated as per the standards laid down under the Act.
The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a given certificate has been issued by a licensed CA. For this purpose it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to the CAs in the country.

WHO IS THE CONTROLLER OF CERTIFYING AUTHORITIES?

Section 17: Appointment of Controller and other officers.
(1) The Central Government may, by notification in the Official Gazette, appoint a
Controller of Certifying Authorities for the purposes of this Act and may also by
the same or subsequent notification appoint such number of Deputy Controllers
and Assistant Controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the
general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions
assigned to them by the Controller under the general superintendence and control
of the Controller.
(4) The qualifications, experience and terms and conditions of service of
Controller, Deputy Controllers and Assistant Controllers shall be such as may be
prescribed by the Central Government.
(5) The Head Office and Branch Office of the office of the Controller shall be at
such places as the Central Government may specify, and these may be established
at such places as the Central Government may think fit.
(6) There shall be a seal of the Office of the Controller.[1]

[1] The Information Technology Act, 2000, s. 17.


POWER AND FUNCTIONS OF THE CONTROLLER OF CERTIFYING AUTHORITY

The Controller may perform all or any of the following functions, namely:
(a) exercising supervision over the activities of the Certifying Authorities;
(b) certifying public keys of the Certifying Authorities;
(c) laying down the standards to be maintained by the Certifying Authorities;
(d) specifying the qualifications and experience which employees of the Certifying Authorities should possess;
(e) specifying the conditions subject to which the Certifying Authorities shall conduct their business;
(f) specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key;
(g) specifying the form and content of a Digital Signature Certificate and the key;
(h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
(i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;
(m) laying down the duties of the Certifying Authorities;
(n) maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.[2]
Section 18[3] enumerates the various powers and functions of the Controller of Certifying Authorities (CCA). The Controller's main function is to regulate and control almost every activity of the Certifying Authorities (CAs). Being the apex authority in the PKI hierarchy, the Controller has a duty to ensure the proper working of the Certifying Authorities and to ensure the safety, security and integrity of electronic signatures. To this end the Information Technology Act empowers the Controller of Certifying Authorities to perform certain functions. The Controller is empowered to supervise the activities of the Certifying Authorities (CAs). It is the Controller who issues licences to the Certifying Authorities to issue Electronic Signature Certificates. Section 18(a) has to be read along with Rule 31(2) of the Information Technology (Certifying Authorities) Rules, 2000, which stipulates that the Certifying Authorities shall conduct a half-yearly audit of the security policy, physical security and planning of their operations and the repository. The Certifying Authority shall submit a copy of each audit report to the Controller within four weeks of the completion of such audit and, where irregularities are found, shall take immediate appropriate action to remove them. The Controller of Certifying Authorities shall certify the public keys of the Certifying Authorities. The Root Certifying Authority of India established by the Controller is entrusted to certify (digitally sign) the public keys of all certifying authorities in India. The Root Certifying Authority of India (RCAI) is operated as per the standards laid down under the Information Technology Act. The requirements to be satisfied by the RCAI include the following:
(a) the licence issued to the Certifying Authority is digitally signed by the CCA;
(b) all public keys corresponding to the signing private keys of a Certifying Authority are digitally signed by the Controller of Certifying Authorities;
(c) these keys signed by the Controller of Certifying Authorities can be verified by a relying party through the Controller's website or the Certifying Authority's own website.
The RCAI is operated using Smart-Trust software. Authorized CCA personnel initiate and perform Root Certifying Authority functions in accordance with the Certification Practice Statement of the Root Certifying Authority of India. The term Root Certifying Authority is used to refer to the total certifying authority entity, including the software and its operations. Its root certificate is the highest level of certification in India. A root certificate is a self-signed certificate. All certificates below the root certificate inherit the trustworthiness of the root certificate. Section 18(b) of the Information Technology Act has to be read along with Rule 20(b) of the Information Technology (Certifying Authorities) Rules, 2000. The rule states that the licensed Certifying Authority shall commence its commercial operation of generation and issuance of digital signatures only after it has generated its key pair, namely the private key and the corresponding public key, and submitted the public key to the Controller. One of the main functions of the Controller is to lay down the standards to be maintained by the Certifying Authorities. Information technology architecture may support open standards and accepted de facto standards. However, Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 prescribes certain standards to be followed for the different activities associated with the Certifying Authorities' functions. Rule 7 of the Information Technology (Certifying Authorities) Rules, 2000 deals with the Digital Signature Certificate Standard.[4]

[2] The Information Technology Act, 2000, s. 18.
[3] Id.

PAKISTAN
The Ministry of Information Technology, in line with the National IT Policy and the Electronic Transaction Ordinance, 2002, set up an Accreditation Council for Certificate Authorities (CAs) in 2002. The council acts as the regulating authority for all the Certifying Authorities in Pakistan. Before this ordinance in 2002 there was only one Certifying Authority, NIFT National ICT and R&D Fund. After this ordinance, many CAs were formed. At present there are in total 13 Certifying Authorities, namely:
1. National ICT R&D Fund
2. Electronic Government Directorate (EGD)
3. Electronic Certification Accreditation Council (ECAC)
4. National Telecommunication Corporation (NTC)
5. Pakistan Computer Bureau (PCB)
6. Pakistan Software Export Board (PSEB)
7. Pakistan Telecommunications Company Limited (PTCL)
8. Paknetd
9. Pakistan Telecommunications Mobile Limited (PTML Ufone)
10. Special Communication Organization (SCO)
11. Telecom Foundation (TF)
12. Universal Service Fund (USF)
13. Virtual University (VU)

[4] Authorities Under I.T. Act, 2000: With Special Reference to Cyber Appellate Tribunal in India, Jamshed Ansari, Asstt. Professor (Guest Faculty), Faculty of Law, University of Delhi, Delhi (India).

BANGLADESH
As a signatory of the World Trade Organization, Bangladesh has accepted the Code of Good Practice of the WTO Agreement on Technical Barriers to Trade.[5] As part of ongoing legal framework development, in an attempt to keep pace with globalization, Bangladesh enacted the Information Technology Act in 2006. The object of the legislation, inter alia, is to facilitate electronic commerce, to eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements, to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce, to promote public confidence in the integrity and reliability of electronic records and electronic commerce, and to foster the development of electronic commerce through the use of electronic signatures to lend authenticity and integrity to correspondence in any electronic medium.[6] It is evident that the Information Technology Act 2006 (hereinafter 'the Act') has given legal recognition to digital signatures in order to bring digital signatures under complete legal and evidential scrutiny.

Certifying Authorities Controller

The government may appoint a Controller, Deputy Controllers and Assistant Controllers of Certifying Authorities. The Controller is the highest authority to supervise and validate the CAs. The Controller is responsible for specifying the rules and methods under which CAs will function. It will establish databases of disclosures issued by Certifying Authorities and perform all other functions needed to ensure that the Public Key Infrastructure system works properly.[7] The Controller has authority to recognize foreign CAs by following rules established under the Act.[8] It will act as the repository of all certificates issued. Certifying Authorities are generally private entities. They have to obtain a licence and must comply with strict requirements set by law.
The Controller issues such licences after scrutinizing the application for a licence. The licence is subject to suspension and revocation. The application should be accompanied by a certification practice statement, a statement of the procedures with respect to identification of the applicant, the requisite fees and other documents.[9]

[5] Hossain, Najmul, E-Commerce in Bangladesh: Status, Potential and Constraints, JOBS Report, 2000, p. 2, retrieved from http://www.jobsproject.org/content/publication/ECommerce_in_Bangladesh_status.pdf, last visited on January 27, 2010.
[6] Final Report on The Law on Information Technology, Bangladesh Law Commission, p. 3, retrieved from http://www.lawcommissionbangladesh.org/wplit.html.
[7] Sections 18 and 19 of the Information Technology Law, 2006.
[8] Id., section 20.
[9] Id., sections 22 to 26.

U.S.A.
The ESIGN Act, signed by President Bill Clinton on June 30, 2000, granted electronic signatures the same legal status as handwritten signatures throughout the United States. Electronic signatures greatly simplify the way companies gather, track and manage signatures and approvals.
The terms issuing authority or certificate issuer are sometimes used to refer to what these Guidelines call a certification authority. The two terms are closely synonymous.[10]
Certification authority: a person who issues a certificate.[11]
Quality assurance should be a principal concern in selecting and utilizing certification authorities. Governmental regulation, professional accreditation, trade usage, auditing, and liability for negligent errors and omissions are examples of approaches toward assuring quality in certification authority practice.

[10] https://acrobat.adobe.com/content/dam/doccloud/en/pdfs/dc_esignatures_us_overview_ue.pdf
[11] Information Security Committee, Electronic Commerce and Information Technology Division, Section of Science and Technology, American Bar Association, 1995, 1996.
Subject to applicable law, any person who undertakes the functions of a certification authority under these Guidelines may become a certification authority. The level of authority and reliance to be accorded to the certificates of the certification authority will be determined in part by the experience and reputation of the certification authority, and in part by the material presented in the certification practice statement. Those who seek a low level of responsibility to protect transactions of minor value or limited risk may accept a certificate of lower assurance from a certification authority of unknown reputation. Those who seek the highest level of responsibility to protect transactions of high value and severe risk will obtain certificates providing the highest level of assurance, from certification authorities whose experience has earned them the highest respect.[12]
A notaire or CyberNotary may be a certification authority, and serving as a certification authority may well be a natural. CyberNotaries are attorneys at law admitted to practice in the United States and qualified to act as a CyberNotary pursuant to specialization rules currently under development in the CyberNotary Committee, Section of Science and Technology of the American Bar Association. A CyberNotary's function mirrors that of a notaire, and is focused primarily on practice in international, computer-based transactions. Under the planned specialization rules, a CyberNotary would possess the technical expertise to facilitate computer-based transactions requiring a high level of certification, authentication, or other information security services. It is proposed that a CyberNotary would be required to meet a level of qualification as a legal professional commensurate with that of a notaire, be a member in good standing of the bar of a state or territory of the United States, the District of Columbia, or Puerto Rico, be a member of the American Bar Association, and demonstrate technical competence in computer-based business transactions. For further information, contact the CyberNotary Committee, Section of Science and Technology, of the American Bar Association.

[12] Sec. 1.7; Information Security Committee, Section of Science & Technology, American Bar Association.

Moreover, notaires and CyberNotaries provide important adjunct services in addition to assuring the validity of a signature; for example, a notarial authentication in certain legal systems assures the validity and legal efficacy of the transaction itself, not merely its signatures. Notaires and CyberNotaries, therefore, may be well suited to serving as certification authorities, subject, of course, to satisfaction of the standards of training and practice required of all certification authorities (a certification authority must utilize trustworthy systems in performing its services) and to the definition of computer hardware, software and procedures which meet the test of a trustworthy system.
The U.S. Federal Public Key Infrastructure and the Federal Bridge Certification Authority
Peter Alterman, Ph.D., Senior Advisor to the Chair, Federal PKI Steering Committee, and Acting Director, Federal Bridge Certification Authority.

The goals of the U.S. Federal PKI:
- A cross-governmental, ubiquitous, interoperable Public Key Infrastructure.
- The development and use of applications which employ that PKI in support of Agency business processes.

The U.S. Federal Bridge Certification Authority (FBCA):
- Designed to create trust paths among individual Agency PKIs.
- Employs a distributed, NOT a hierarchical, model.
- Commercial CA products participate within the membrane of the Bridge.
- Develops cross-certificates within the membrane to bridge the gap among dissimilar products.
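The two trust models this paper describes, the Indian hierarchy (the RCAI root signs each licensed CA's public key and a relying party verifies back to that root) and the FBCA's cross-certification between agency PKIs, worked through with Go's standard library as an added example; this is not code from the paper or from any of the authorities named, the authority names are constructed placeholders, and all keys are generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// authority is a certifying authority: a key pair plus the certificate for it.
type authority struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// certify binds pub to name under the signer's key (as the RCAI signs a licensed CA's key); a signer with no certificate yet self-signs.
func certify(name string, isCA bool, pub *ecdsa.PublicKey, signer *authority) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent := signer.cert
	if parent == nil {
		parent = tmpl // no issuer above this one: a self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer.key))
	return must(x509.ParseCertificate(der))
}
// newAuthority generates a CA key pair; a nil parent yields a self-signed root.
func newAuthority(name string, parent *authority) *authority {
	a := &authority{key: newKey()}
	if parent == nil {
		parent = a
	}
	a.cert = certify(name, true, &a.key.PublicKey, parent)
	return a
}

// trusted is the relying party's check: does leaf chain to root through the given intermediates? (No EKU policy is applied.)
func trusted(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err == nil
}

// HierarchicalModel: the RCAI root signs the licensed CA's key and that CA issues a subscriber
// certificate; a relying party trusting only the RCAI accepts it but rejects one from a CA the RCAI never signed.
func HierarchicalModel() (licensedOK, unlicensedOK bool) {
	rcai := newAuthority("Root Certifying Authority of India", nil)
	licensed, unlicensed := newAuthority("Licensed CA", rcai), newAuthority("Unlicensed CA", nil)
	licensedOK = trusted(certify("subscriber", false, &newKey().PublicKey, licensed), rcai.cert, licensed.cert)
	unlicensedOK = trusted(certify("subscriber", false, &newKey().PublicKey, unlicensed), rcai.cert, unlicensed.cert)
	return
}

// BridgeModel: agency roots share no parent, so Agency A cross-certifies the bridge's key and the bridge
// cross-certifies Agency B's; a party trusting only Agency A validates a B subscriber via A -> bridge -> B.
func BridgeModel() (viaBridge, withoutBridge bool) {
	agencyA, agencyB := newAuthority("Agency A Root", nil), newAuthority("Agency B Root", nil)
	bridge := newAuthority("Federal Bridge CA", nil)
	aToBridge := certify("Federal Bridge CA", true, &bridge.key.PublicKey, agencyA)
	bridgeToB := certify("Agency B Root", true, &agencyB.key.PublicKey, bridge)
	leaf := certify("agency-b-employee", false, &newKey().PublicKey, agencyB)
	viaBridge = trusted(leaf, agencyA.cert, aToBridge, bridgeToB)
	withoutBridge = trusted(leaf, agencyA.cert)
	return
}
```

Both models return (true, false): the path through the root or through the cross-certificates verifies, while a certificate from a CA the trusted root never signed, or a path with the cross-certificates withheld, is rejected.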
EXAMPLES OF CERTIFYING AUTHORITIES

Thawte
Thawte is a leading global Certification Authority. Its SSL and code signing digital certificates are used globally to secure servers, provide data encryption, authenticate users, protect privacy and assure online identities through stringent authentication and verification processes. Its SSL certificates include Wildcard SSL Certificates, SAN/UC Certificates, SGC SuperCerts and Extended Validation SSL Certificates.

Entrust
SSL Server Certificates
SSL (Secure Sockets Layer) is a cryptographic protocol that establishes a secure connection between a client application and a server on the Internet or another network. An SSL certificate (or digital certificate) indicates that an encryption algorithm is being used to ensure that only the intended parties are the recipients of a data transmission. For this reason, SSL certificates or Transport Layer Security (TLS) certificates are one of the hallmarks of a solid e-commerce foundation and the de facto industry standard for protecting information from unauthorized access. In short, SSL certificates help build customer trust and website reputation by safeguarding Internet transactions.

VeriSign
VeriSign Authentication Services, now part of Symantec Corp. (NASDAQ: SYMC), provides solutions that allow companies and consumers to engage in communications and commerce online with confidence. VeriSign Authentication Services include SSL, SSL Certificates, Extended Validation (EV SSL), VeriSign Trust Seal, two-factor authentication, identity protection, malware scan, code signing and public key infrastructure (PKI). Symantec products include Norton antivirus software, Norton internet security solutions for small business, and PC Tools.

GlobalSign
GlobalSign Inc offers online security services and has been operating a trusted Root Certificate Authority since 1996. GlobalSign Digital Certificates are trusted by all popular browsers, operating systems, mobile devices and applications and include SSL Server Certificates, Extended Validation SSL, Code Signing, Adobe CDS, Email & Authentication Digital IDs, Enterprise PKI and Certificate Authority root signing for Microsoft Certificate Services / Enterprise CA.

MALAYSIA
In a public-key infrastructure scheme, Certification Authorities play a very prominent role. As trusted third parties, Certification Authorities certify and identify users electronically by issuing electronic identification certificates. For a digital signature to enjoy legal status, it must be certified by a Certification Authority. In Malaysia, licensing of Certification Authorities is mandatory.[13] At the moment, DigiCert is the only licensed Certification Authority in Malaysia. This approach is adopted so that there is uniformity in the certification industry and so that regulation of digital signatures can be done more effectively (Annamalai, 1997), although Alkeniz (1997) argued that licensing TTPs, instead of increasing security, will in fact make electronic commerce less secure. Therefore, in Malaysia, a digital signature is legally valid only if it is certified by a licensed Certification Authority. In fact, it is an offence to carry on or operate, or hold out, as a Certification Authority unless that person holds a valid licence under the Act. Upon conviction, the offender may be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years, or both.[14] Although in Malaysia licensing of Certification Authorities is mandatory, this does not mean that a certificate issued by an unlicensed Certification Authority is invalid. In fact, the Act specifically provides that the licensing requirements under the Act shall not affect the effectiveness, enforceability and validity of any digital signatures.[15] The Act further provides that the liability limits for certification authorities and the effect of digital signatures, as provided for under the Act, shall not apply to unlicensed Certification Authorities. Therefore, if an unlicensed Certification Authority is used, the validity of the digital signatures would be governed by a contract between the contracting parties instead of the Malaysian DSA. The Singapore ETA adopts a different approach. Licensing under the Singapore ETA is voluntary, so that closed networks may use their own unlicensed Certification Authority (Ter, 1999). It is not correct, however, to assume that an unlicensed Certification Authority is not regulated (Seng, 1999). It would still have to abide by the other relevant provisions of the Singapore ETA, such as the duties of certification authorities. In Singapore, digital certificates are recognised if they are issued by three bodies: licensed Certification Authorities, foreign Certification Authorities recognised by the Controller of Certification Authorities,[16] and Government Departments or Ministries approved by the Minister; in addition, the parties may expressly agree between themselves to use a digital signature which is properly verified by reference to the sender's public key.[17]

[13] Digital Signature Act 1997, s. 4(1).
[14] Digital Signature Act 1997, s. 4(2).
[15] Digital Signature Act 1997, s. 13(2).
[16] Electronic Transactions Act, s. 43.
[17] Electronic Transactions Act, s. 20(b)(iv).

RUSSIA
Certification of e-signature technology is a lengthy process in Russia and may require, among other things, decompiling the certifiable software. In the meantime, users often run foreign-made e-signature technology, the certification of which is impracticable economically or organizationally. It should therefore be admitted that the statutorily required certification of e-signature technology substantially limits the options offered to electronic document flow agents, and is a serious obstacle to wider use of e-signatures in Russian business practice.
At present, the authorized government body is the Federal Agency for Information Technology (FAIT), operating within the Russian Federation Ministry for Information Technology and Telecommunications.[18] FAIT maintains an official register of digital signature key certificates with which the certifying centers verify the certificates they issue. The agency provides free access to this register and issues the key certificates of the digital signatures of the respective authorized officers of the certifying centers.
The E-Signature Law, which sets forth the duties that certifying centers owe to the holders of digital signature key certificates, is silent on the centers' responsibility for the accuracy and validity of the certificates and on the centers' liability for damages caused to any individuals, legal entities or organizations which have reasonably relied on such certificates.[19] The only sanction the Law provides is the possibility of placing liability for losses caused in connection with the generation of digital signature keys using uncertified digital signature technology on the producers and distributors of such technology. It should also be noted that the Law does not name, among the duties which certifying centers owe to digital signature certificate holders, the substantial duty of keeping the private keys secret when the certifying centers generate such keys at the certificate holders' requests.[20]

[18] Resolution No. 319 of the Russian Federation Government On Approval of the Regulations of the Federal Agency for Information Technology of June 30, 2004. The web site of FAIT in Russian is located at http://www.minsvyaz.ru/site.shtml?id=2873. Information in English is only available in regard to the Ministry itself: http://english.minsvyaz.ru/enter.shtml.
[19] The obligation to provide for such liability is established for the European countries, for example, by Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, Official Journal L 013, 19/01/2000, pp. 0012-0020, available in electronic format at http://www.ict.etsi.org/EESSI/Documents/e-sign-directive.pdf.
[20] Article 11 of the E-Signature Law.

CONCLUSION
A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet. These electronic documents, called digital certificates, are an essential part of secure communication and play an important part in the public key infrastructure (PKI). Certificates typically include the owner's public key, the expiration date of the certificate, the owner's name and other information about the public key owner. Operating systems (OSes) and browsers maintain lists of trusted CA root certificates to verify certificates that a CA has issued and signed.
In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The most commonly encountered public-key infrastructure (PKI) schemes are those used to implement HTTPS on the world-wide web.

BIBLIOGRAPHY

REFERENCES:
http://archive.mu.ac.in/myweb_test/SYBA%20Study%20Material.pdf
http://www.academia.edu
www.researchgates.net
www.wikieducator.com

BOOKS:
Information Technology Law and Practice by Vakul Sharma

CONTENTS
INTRODUCTION
WHO IS THE CONTROLLER OF CERTIFYING AUTHORITIES
POWER AND FUNCTIONS OF CERTIFYING AUTHORITIES
IN REFERENCE TO:
PAKISTAN
BANGLADESH
U.S.A.
MALAYSIA
RUSSIA
CONCLUSION
BIBLIOGRAPHY
