The Controller of Certifying Authorities (CCA) has established the RCAI under Section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CAs) in the country. The RCAI is operated as per the standards laid down under the Act.
The requirements fulfilled by the RCAI include the following:
- The licence issued to the CA is digitally signed by the CCA.
- All public keys corresponding to the signing private keys of a CA are digitally signed by the CCA.
- That these keys are signed by the CCA can be verified by a relying party through the CCA's website or CA's own website.
The RCAI is operated using SmartTrust software. Authorized CCA personnel initiate and perform Root CA functions in accordance with the Certification Practice Statement of Root Certifying Authority of India. The term Root CA is used to refer to the total CA entity, including the software and its operations.
The RCAI root certificate is the highest level of certification in India. It is used to sign the public keys of the licensed CAs.
Certifying Authorities (CAs) are responsible for issuing Digital Signature Certificates to end users. To give Certifying Authorities greater flexibility, the CCA has allowed the creation of sub-CAs. Under this model, a Certifying Authority can create a sub-CA to meet its business branding requirement; however, the sub-CA will be part of the same legal entity as the CA. The sub-CA model is based on the following principles:
- The CAs must not have more than one level of sub-CA.
- A sub-CA certificate issued by the CA is used for issuing end entity certificates.
- A CA with sub-CA must necessarily issue end entity certificates only through its sub-CA. The only exception will be for code signing and time stamping certificates, which may directly be issued by the CA.
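The sub-CA path rules above, as an added checker that is not part of the CCA's or any CA's software: certificates are modelled as plain records (subject, issuer, CA flag, extended key usages), the CA names are constructed placeholders, and the set of licensed CAs that operate a sub-CA is passed in, since the page gives no way to derive that from a certificate alone.

```python
from dataclasses import dataclass

ROOT_SUBJECT = "Root Certifying Authority of India"   # RCAI sits at the top of the hierarchy
# End entity certificate types a CA may issue directly even when it operates a sub-CA
DIRECT_ISSUE_EKUS = frozenset({"codeSigning", "timeStamping"})

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    eku: frozenset = frozenset()   # extended key usages of an end entity certificate

def check_chain(chain, cas_with_subca):
    """Validate a chain ordered leaf -> ... -> RCAI root against the sub-CA model.
    cas_with_subca: subjects of licensed CAs that have created a sub-CA. Returns (ok, reason)."""
    if not chain or (chain[-1].subject, chain[-1].issuer) != (ROOT_SUBJECT, ROOT_SUBJECT):
        return False, "chain does not end at the self-signed RCAI root"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False, f"{child.subject} is not issued by the CA certificate above it"
    leaf, intermediates = chain[0], chain[1:-1]   # [licensed CA] or [sub-CA, licensed CA]
    if leaf.is_ca:
        return False, "chain must end in an end entity certificate"
    if not intermediates:
        return False, "RCAI signs only the public keys of licensed CAs, not end entities"
    if len(intermediates) > 2:
        return False, "more than one level of sub-CA"
    licensed_ca = intermediates[-1].subject
    if len(intermediates) == 1 and licensed_ca in cas_with_subca:
        if not leaf.eku or not leaf.eku <= DIRECT_ISSUE_EKUS:
            return False, "a CA with a sub-CA may directly issue only code signing and time stamping certificates"
    return True, "ok"

# Constructed sample hierarchy; the names are placeholders, not real licensed CAs
ROOT = Cert(ROOT_SUBJECT, ROOT_SUBJECT, True)
CA = Cert("Example Licensed CA", ROOT_SUBJECT, True)
SUB_CA = Cert("Example Sub-CA", CA.subject, True)
SUB_SUB_CA = Cert("Example Sub-Sub-CA", SUB_CA.subject, True)   # one level too many
CAS_WITH_SUBCA = {CA.subject}

def end_entity(subject, issuer, *ekus):
    return Cert(subject, issuer.subject, False, frozenset(ekus))

def run_demo():
    return {   # verdicts for four constructed chains
        "user via sub-CA": check_chain([end_entity("user", SUB_CA, "emailProtection"), SUB_CA, CA, ROOT], CAS_WITH_SUBCA),
        "user direct from CA": check_chain([end_entity("user", CA, "emailProtection"), CA, ROOT], CAS_WITH_SUBCA),
        "code signer direct": check_chain([end_entity("signer", CA, "codeSigning"), CA, ROOT], CAS_WITH_SUBCA),
        "second sub-CA level": check_chain([end_entity("user", SUB_SUB_CA, "emailProtection"), SUB_SUB_CA, SUB_CA, CA, ROOT], CAS_WITH_SUBCA),
    }
```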
The licensed Certifying Authorities (CAs) are:
- i. Safescrypt – a private Certifying Authority
- ii. NIC – an organisation of the Govt. of India, issuing certificates to Government organisations
- iii. IDRBT – established by the Reserve Bank of India for issuing certificates to the banking industry
- iv. TCS – a private Certifying Authority issuing certificates to individuals, companies and government users
- v. MTNL
- vi. Customs and Central Excise
- vii. (n)Code Solutions CA (GNFC)
- viii. e-Mudhra
Who can become a Certifying Authority?
The following persons can apply for grant of a licence to issue Digital Signature Certificates, namely:
(a) an individual, being a citizen of India and having a capital of five crores of rupees or more in his business or profession;
(b) a company having–
(i) paid up capital of not less than five crores of rupees; and
(ii) net worth of not less than fifty crores of rupees:
No company in which the equity share capital held in aggregate by the Non-resident Indians, Foreign Institutional Investors, or foreign companies, exceeds forty-nine per cent of its capital, will be eligible for grant of licence.
In a case where the company has been registered under the Companies Act, 1956 during the preceding financial year or in the financial year during which it applies for grant of licence under the Act, and whose main object is to act as Certifying Authority, the net worth referred to in sub-clause (ii) will be the aggregate net worth of its majority shareholders holding at least 51% of paid-up equity capital, being a Hindu Undivided Family, firm or company. Majority shareholders should not include a Non-resident Indian, foreign national, Foreign Institutional Investor or foreign company.
The majority shareholders of a company whose net worth has been determined on the basis of such majority shareholders should not sell or transfer the equity shares they hold in such company unless the company acquires or has its own net worth of not less than fifty crores of rupees, and not without prior approval of the Controller.
(c) a firm having –
(i) capital subscribed by all partners of not less than five crores of rupees; and
(ii) net worth of not less than fifty crores of rupees. No firm in which the capital held in aggregate by any Non-resident Indian and foreign national exceeds forty-nine per cent of its capital will be eligible for grant of licence.
In a case where the firm has been registered under the Indian Partnership Act, 1932 during the preceding financial year or in the financial year during which it applies for grant of licence under the Act and whose main object is to act as Certifying Authority, the net worth referred to in sub-clause (ii) should be the aggregate net worth of all of its partners. The partners should not include Non-resident Indian and foreign national. The partners of a firm whose net worth has been determined on the basis of such partners, should not sell or transfer its capital held in such firm - unless such firm has acquired or has its own net worth of not less than fifty crores of rupees and without prior approval of the Controller.
(d) Central Government or a State Government or any of the Ministries or Departments, Agencies or Authorities of such Governments.
Submission of performance bond
The applicant should submit a performance bond or furnish a banker's guarantee from a scheduled bank in favour of the Controller, in such form and in such manner as may be approved by the Controller, for an amount of not less than five crores of rupees. The performance bond or banker's guarantee will remain valid for a period of six years from the date of its submission.
Submission of application
Every application for a licensed Certifying Authority should be made to the Controller in the form given in Schedule I of the Information Technology (Certifying Authorities) Rules, 2000.
Rule 10 of IT (Certifying Authorities) Rules, 2000 prescribes the following documents to be submitted along with the application –
(a) a Certification Practice Statement (CPS);
(b) a statement including the procedures with respect to identification of the applicant;
(c) a statement for the purpose and scope of anticipated Digital Signature Certificate technology, management, or operations to be outsourced;
(d) certified copies of the business registration documents of Certifying Authority that intends to be licensed;
(e) a description of any event, particularly current or past insolvency, that could materially affect the applicant's ability to act as a Certifying Authority;
(f) an undertaking by the applicant that to its best knowledge and belief it can and will comply with the requirements of its Certification Practice Statement;
(g) an undertaking that the Certifying Authority's operation would not commence until its operation and facilities associated with the functions of generation, issue and management of Digital Signature Certificate are audited by the auditors and approved by the Controller in accordance with rule 20;
(h) an undertaking to submit a performance bond or banker's guarantee in accordance with sub-rule (2) of rule 8 within one month of Controller indicating his approval for the grant of licence to operate as a Certifying Authority;
(i) any other information required by the Controller.
Apart from the above mentioned documents, the following particulars also need to be furnished –
i. Company Profile/Experience of Individuals
ii. For an individual, proof of capital of Rs. 5 crores or more in his business or profession
iii. For a company/firm,
a. proof of paid-up capital not less than Rs. 5 crores
b. proof of net worth not less than Rs. 50 crores
iv. Proof of Equity (proof that the equity share capital held in aggregate by NRIs, FIIs or foreign companies does not exceed 49% of its capital)
v. An undertaking to submit a Performance Bond or Banker's Guarantee valid for six years from a scheduled bank for an amount not less than Rs. 5 crores in accordance with Rule 10(ii)(h) of the IT Act.
vi. Crossed cheque or bank draft for Rs. 25,000/- (for fresh application) or Rs.5,000/- (for renewal) in favour of the Pay & Accounts Officer, DIT, New Delhi. Both fees are non-refundable.
vii. Certified true copies of the company's incorporation, articles of association etc.
viii. Original business profile report with certification from Registrar of Companies.
ix. Audited accounts for the past 3 years (if applicable).
x. The CA's Certification Practice Statement (CPS).
xi. Technical specifications of the CA system and CA security policies, standards and infrastructure available/proposed and locations of facilities.
xii. Information Technology and Security Policy proposed to be followed by the CA in its operations.
xiii. Statement addressing the manner in which the CA shall comply with the requirements stipulated in the IT Act, Rules and Regulations.
xiv. Organizational chart and details of all trusted personnel.
xv. Date by which the applicant will be ready for audit to start. The application shall be deemed to have been received on this date for processing purposes.
xvi. Date by which commencement of CA operations is proposed.
xvii. An undertaking by the applicant that they will make payment to the Auditor appointed by the CCA at the rate to be prescribed by the CCA.
The Controller reserves the right to call for any other information that may be required to process the application. The application for licence to operate as a Certifying Authority, including all supporting documents, must be submitted in triplicate, in the form of three identical sets numbered 1, 2 and 3.
Issuance of licence
The Controller should, within four weeks from the date of receipt of the application and after considering the documents accompanying the application and such other factors as he may deem fit, grant or renew the licence or reject the application. In exceptional circumstances, and for reasons to be recorded in writing, the period of four weeks may be extended to such period, not exceeding eight weeks in all, as the Controller may deem fit.
If the application for licensed Certifying Authority is approved, then the applicant should submit a performance bond or furnish a banker's guarantee within one month from the date of such approval to the Controller and execute an agreement with the Controller binding himself to comply with the terms and conditions of the licence and the provisions of the Act and the rules made thereunder.
The licence will be valid for a period of five years from the date of its issue. The licence is not transferable. The provisions applicable for obtaining a fresh licence will also apply to renewal of a licence. Every application for renewal should be made at least 45 days before the date of expiry.
Every Certifying Authority should display its licence at a conspicuous place of the premises in which it carries on its business.
Security Guidelines for Certifying Authorities
Each Certifying Authority has sole responsibility for the integrity, confidentiality and protection of the information and information assets employed in its operation, including the classification, declassification, labelling, storage, access and destruction of those assets according to their value, sensitivity and importance to the operation.
Information Technology Security Guidelines and Security Guidelines for Certifying Authorities aimed at protecting the integrity, confidentiality and availability of service of Certifying Authority are given in Schedule-II and Schedule-III of the IT (Certifying Authorities) Rules, 2000.
The Certifying Authority should formulate its Information Technology and Security Policy for operation complying with these guidelines and submit it to the Controller before commencement of operation. (Rule 19 of IT (Certifying Authorities) Rules, 2000)