INFORMATION TECHNOLOGY RULES, 2000
Note: Every care has been taken to avoid errors or omissions in printing of this booklet. The Office of Controller of Certifying Authorities will not be held responsible for discrepancies, if any. For authoritative information please refer to the Gazette Notification.
New Delhi, the 17th October, 2000 G.S.R.789(E) — In exercise of the powers conferred by section 87 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules regulating the application and other guidelines for Certifying Authorities, namely:-
1. Short title and commencement.—
(1) These Rules may be called Information Technology (Certifying Authorities) Rules, 2000.
(2) They shall come into force on the date of their publication in the Official Gazette.
2. Definitions.—
In these Rules, unless the context otherwise requires,–
(a) "Act" means the Information Technology Act, 2000 (21 of 2000);
(b) "applicant" means Certifying Authority applicant;
(c) "auditor" means any internationally accredited computer security professional or agency appointed by the Certifying Authority and recognized by the Controller for conducting technical audit of operation of Certifying Authority;
(d) "Controller" means Controller of Certifying Authorities appointed under sub-section (1) of Section 17 of the Act;
(e) "Digital Signature Certificate" means Digital Signature Certificate issued under sub-section (4) of section 35 of the Act;
(f) "information asset" means all information resources utilized in the course of any organisation's business and includes all information, applications (software developed or purchased), and technology (hardware, system software and networks);
(g) "licence" means a licence granted to Certifying Authorities for the issue of Digital Signature Certificates under these rules;
(h) "licensed Certifying Authority" means Certifying Authority who has been granted a licence to issue Digital Signature Certificates;
(i) "person" shall include an individual; or a company or association or body of individuals, whether incorporated or not; or Central Government or a State Government or any of the Ministries or Departments, Agencies or Authorities of such Governments;
(j) "Schedule" means a schedule annexed to these rules;
(k) "subscriber identity verification method" means the method used to verify and authenticate the identity of a subscriber;
(l) "trusted person" means any person who has:– (i) direct responsibilities for the day-to-day operations, security and performance of those business activities that are regulated under the Act or these Rules in respect of a Certifying Authority; or (ii) duties directly involving the issuance, renewal, suspension, revocation of Digital Signature Certificates (including the identification of any person requesting a Digital Signature Certificate from a licensed Certifying Authority), creation of private keys or administration of a Certifying Authority's computing facilities;
(m) words and expressions used herein and not defined but defined in Schedule-IV shall have the meaning respectively assigned to them in that schedule.
3. The manner in which information be authenticated by means of Digital Signature.— A Digital Signature shall,- (a) be created and verified by cryptography that concerns itself with transforming electronic record into seemingly unintelligible forms and back again; (b) use what is known as "Public Key Cryptography", which employs an algorithm using two different but mathematically related "keys" – one for creating a Digital Signature or transforming data into a seemingly unintelligible form, and another key for verifying a Digital Signature or returning the electronic record to original form; the process termed as hash function shall be used in both creating and verifying a Digital Signature.
Explanation: Computer equipment and software utilizing two such keys are often termed as "asymmetric cryptography".
4. Creation of Digital Signature.—
To sign an electronic record or any other item of information, the signer shall first apply the hash function in the signer's software; the hash function shall compute a hash result of standard length which is unique (for all practical purposes) to the electronic record; the signer's software transforming the hash result into a Digital Signature using signer's private key; the resulting Digital Signature shall be unique to both electronic
Digital Hash Function: MD5 and SHA-
RSA Public Key Technology:
PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit)
PKCS#5 Password Based Encryption Standard
PKCS#7 Cryptographic Message Syntax standard
PKCS#8 Private Key Information Syntax standard
PKCS#9 Selected Attribute Types
PKCS#10 RSA Certification Request
PKCS#12 Portable format for storing/transporting a user's private keys and certificates
Distinguished name: X.
Digital Encryption and Digital Signature: PKCS#
Digital Signature Request Format: PKCS#
7. Digital Signature Certificate Standard.—
All Digital Signature Certificates issued by the Certifying Authorities shall conform to ITU X.509 version 3 standard as per rule 6 and shall inter alia contain the following data, namely:-
(a) Serial Number (assigning of serial number to the Digital Signature Certificate by Certifying Authority to distinguish it from other certificates);
(b) Signature Algorithm Identifier (which identifies the algorithm used by Certifying Authority to sign the Digital Signature Certificate);
(c) Issuer Name (name of the Certifying Authority who issued the Digital Signature Certificate);
(d) Validity period of the Digital Signature Certificate;
(e) Name of the subscriber (whose public key the Certificate identifies); and
(f) Public Key information of the subscriber.
8. Licensing of Certifying Authorities.—
(1) The following persons may apply for grant of a licence to issue Digital Signature Certificates, namely:- (a) an individual, being a citizen of India and having a capital of five crores of rupees or more in his business or profession; (b) a company having– (i) paid up capital of not less than five crores of rupees; and (ii) net worth of not less than fifty crores of rupees: Provided that no company in which the equity share capital held in aggregate by the Non-resident Indians, Foreign Institutional Investors, or foreign companies, exceeds forty-nine per cent of its capital, shall be eligible for grant of licence:
Provided further that in a case where the company has been registered under the Companies Act, 1956 (1 of 1956) during the preceding financial year or in the financial year during which it applies for grant of licence under the Act and whose main object is to act as Certifying Authority, the net worth referred to in sub-clause (ii) of this clause shall be the aggregate net worth of its majority shareholders holding at least 51% of paid equity capital, being the Hindu Undivided Family, firm or company:
Provided also that the majority shareholders referred to in the second proviso shall not include Non-resident Indian, foreign national, Foreign Institutional Investor and foreign company:
Provided also that the majority shareholders of a company referred to in the second proviso whose net worth has been determined on the basis of such majority shareholders, shall not sell or transfer its equity shares held in such company-
(i) unless such a company acquires or has its own net worth of not less than fifty crores of rupees; (ii) without prior approval of the Controller; (c) a firm having – (i) capital subscribed by all partners of not less than five crores of rupees; and (ii) net worth of not less than fifty crores of rupees: Provided that no firm, in which the capital held in aggregate by any Non-resident Indian, and foreign national, exceeds forty-nine per cent of its capital, shall be eligible for grant of licence:
performance bond or banker's guarantee shall remain valid for a period of six years from the date of its submission: Provided that the company and firm referred to in the second proviso to clause (b) and the second proviso to clause (c) of sub-rule (1) shall submit a performance bond or furnish a banker's guarantee for ten crores of rupees:
Provided further that nothing in the first proviso shall apply to the company or firm after it has acquired or has its net worth of fifty crores of rupees.
(3) Without prejudice to any penalty which may be imposed or prosecution may be initiated for any offence under the Act or any other law for the time being in force, the performance bond or banker's guarantee may be invoked– (a) when the Controller has suspended the licence under sub-section (2) of section 25 of the Act; or (b) for payment of an offer of compensation made by the Controller; or (c) for payment of liabilities and rectification costs attributed to the negligence of the Certifying Authority, its officers or employees; or (d) for payment of the costs incurred in the discontinuation or transfer of operations of the licensed Certifying Authority, if the Certifying Authority's licence or operations is discontinued; or (e) any other default made by the Certifying Authority in complying with the provisions of the Act or rules made thereunder. Explanation.- "transfer of operation" shall have the meaning assigned to it in clause (47) of section 2 of the Income-tax Act, 1961 (43 of 1961).
9. Location of the Facilities.—
The infrastructure associated with all functions of generation, issue and management of Digital Signature Certificate as well as maintenance of Directories containing information about the status, and validity of Digital Signature Certificate shall be installed at any location in India.
10. Submission of Application.—
Every application for a licensed Certifying Authority shall be made to the Controller,-
(i) in the form given at Schedule-I; and
(ii) in such manner as the Controller may, from time to time, determine, supported by such documents and information as the Controller may require and it shall inter alia include- (a) a Certification Practice Statement (CPS); (b) a statement including the procedures with respect to identification of the applicant; (c) a statement for the purpose and scope of anticipated Digital Signature Certificate technology, management, or operations to be outsourced; (d) certified copies of the business registration documents of Certifying Authority that intends to be licensed; (e) a description of any event, particularly current or past insolvency, that could materially affect the applicant's ability to act as a Certifying Authority; (f) an undertaking by the applicant that to its best knowledge and belief it can and will comply with the requirements of its Certification Practice Statement; (g) an undertaking that the Certifying Authority's operation would not commence until its operation and facilities associated with the functions of generation, issue and management of Digital Signature Certificate are audited by the auditors and approved by the Controller in accordance with rule 20; (h) an undertaking to submit a performance bond or banker's guarantee in accordance with sub-rule (2) of rule 8 within one month of Controller indicating his approval for the grant of licence to operate as a Certifying Authority; (i) any other information required by the Controller.
11. Fee.—
(1) The application for the grant of a licence shall be accompanied by a non-refundable fee of twenty-five thousand rupees payable by a bank draft or by a pay order drawn in the name of the Controller. (2) The application submitted to the Controller for renewal of Certifying Authority's licence shall be accompanied by a non-refundable fee of five thousand
(2) A Certifying Authority shall submit an application for the renewal of its licence not less than forty-five days before the date of expiry of the period of validity of licence. (3) The application for renewal of licence may be submitted in the form of electronic record subject to such requirements as the Controller may deem fit.
16. Issuance of Licence.—
(1) The Controller may, within four weeks from the date of receipt of the application, after considering the documents accompanying the application and such other factors, as he may deem fit, grant or renew the licence or reject the application: Provided that in exceptional circumstances and for reasons to be recorded in writing, the period of four weeks may be extended to such period, not exceeding eight weeks in all as the Controller may deem fit.
(2) If the application for licensed Certifying Authority is approved, the applicant shall- (a) submit a performance bond or furnish a banker's guarantee within one month from the date of such approval to the Controller in accordance with sub-rule (2) of rule 8; and (b) execute an agreement with the Controller binding himself to comply with the terms and conditions of the licence and the provisions of the Act and the rules made thereunder.
17. Refusal of Licence.—
The Controller may refuse to grant or renew a licence if- (i) the applicant has not provided the Controller with such information relating to its business, and to any circumstances likely to affect its method of conducting business, as the Controller may require; or (ii) the applicant is in the course of being wound up or liquidated; or (iii) a receiver has, or a receiver and manager have, been appointed by the court in respect of the applicant; or (iv) the applicant or any trusted person has been convicted, whether in India or out of India, of an offence the conviction for which involved a finding that it or such trusted person acted fraudulently or dishonestly, or has been convicted of an offence under the Act or these rules; or
(v) the Controller has invoked performance bond or banker's guarantee; or (vi) a Certifying Authority commits breach of, or fails to observe and comply with, the procedures and practices as per the Certification Practice Statement; or (vii) a Certifying Authority fails to conduct, or does not submit, the returns of the audit in accordance with rule 31; or (viii) the audit report recommends that the Certifying Authority is not worthy of continuing Certifying Authority's operation; or (ix) a Certifying Authority fails to comply with the directions of the Controller.
18. Governing Laws.—
The Certification Practice Statement of the Certifying Authority shall comply with, and be governed by, the laws of the country.
19. Security Guidelines for Certifying Authorities.—
(1) The Certifying Authorities shall have the sole responsibility of integrity, confidentiality and protection of information and information assets employed in its operation, considering classification, declassification, labeling, storage, access and destruction of information assets according to their value, sensitivity and importance of operation. (2) Information Technology Security Guidelines and Security Guidelines for Certifying Authorities aimed at protecting the integrity, confidentiality and availability of service of Certifying Authority are given in Schedule-II and Schedule-III respectively. (3) The Certifying Authority shall formulate its Information Technology and Security Policy for operation complying with these guidelines and submit it to the Controller before commencement of operation: Provided that any change made by the Certifying Authority in the Information Technology and Security Policy shall be submitted by it within two weeks to the Controller.
20. Commencement of Operation by Licensed Certifying Authorities.—
The licensed Certifying Authority shall commence its commercial operation of generation and issue of Digital Signature only after-
(a) it has confirmed to the Controller the adoption of Certification Practice Statement;
(g) make reasonable arrangements for preserving the records for a period of seven years; (h) pay reasonable restitution (not exceeding the cost involved in obtaining the new Digital Signature Certificate) to subscribers for revoking the Digital Signature Certificates before the date of expiry; (i) after the date of expiry mentioned in the licence, the Certifying Authority shall destroy the certificate-signing private key and confirm the date and time of destruction of the private key to the Controller.
22. Database of Certifying Authorities.—
The Controller shall maintain a database of the disclosure record of every Certifying Authority, Cross Certifying Authority and Foreign Certifying Authority, containing inter alia the following details:
(a) the name of the person/names of the Directors, nature of business, Income-tax Permanent Account Number, web address, if any, office and residential address, location of facilities associated with functions of generation of Digital Signature Certificate, voice and facsimile telephone numbers, electronic mail address(es), administrative contacts and authorized representatives; (b) the public key(s), corresponding to the private key(s) used by the Certifying Authority and recognized foreign Certifying Authority to digitally sign Digital Signature Certificate; (c) current and past versions of Certification Practice Statement of Certifying Authority; (d) time stamps indicating the date and time of- (i) grant of licence; (ii) confirmation of adoption of Certification Practice Statement and its earlier versions by Certifying Authority; (iii) commencement of commercial operations of generation and issue of Digital Signature Certificate by the Certifying Authority; (iv) revocation or suspension of licence of Certifying Authority; (v) commencement of operation of Cross Certifying Authority; (vi) issue of recognition of foreign Certifying Authority; (vii) revocation or suspension of recognition of foreign Certifying Authority.
23. Digital Signature Certificate.—
The Certifying Authority shall, for issuing the Digital Signature Certificates, while complying with the provisions of section 35 of the Act, also comply with the following, namely:-
(a) the Digital Signature Certificate shall be issued only after a Digital Signature Certificate application in the form provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and the same has been approved by it: Provided that the application Form contains, inter alia, the particulars given in the model Form given in Schedule-IV;
(b) no interim Digital Signature Certificate shall be issued; (c) the Digital Signature Certificate shall be generated by the Certifying Authority upon receipt of an authorised and validated request for:- (i) new Digital Signature Certificates; (ii) Digital Signature Certificates renewal; (d) the Digital Signature Certificate must contain or incorporate, by reference such information, as is sufficient to locate or identify one or more repositories in which revocation or suspension of the Digital Signature Certificate will be listed, if the Digital Signature Certificate is suspended or revoked; (e) the subscriber identity verification method employed for issuance of Digital Signature Certificate shall be specified in the Certification Practice Statement and shall be subject to the approval of the Controller during the application for a licence; (f) where the Digital Signature Certificate is issued to a person (referred to in this clause as a New Digital Signature Certificate) on the basis of another valid Digital Signature Certificate held by the said person (referred in this clause as an Originating Digital Signature Certificate) and subsequently the originating Digital Signature Certificate has been suspended or revoked, the Certifying Authority that issued the new Digital Signature Certificate shall conduct investigations to determine whether it is necessary to suspend or revoke the new Digital Signature Certificate; (g) the Certifying Authority shall provide a reasonable opportunity for the subscriber to verify the contents of the Digital Signature Certificate before it is accepted;
26. Certificate Lifetime.—
(1) A Digital Signature Certificate,- (a) shall be issued with a designated expiry date; (b) which is suspended shall return to the operational use, if the suspension is withdrawn in accordance with the provisions of section 37 of the Act; (c) shall expire automatically upon reaching the designated expiry date at which time the Digital Signature Certificate shall be archived; (d) on expiry, shall not be re-used. (2) The period for which a Digital Signature Certificate has been issued shall not be extended, but a new Digital Signature Certificate may be issued after the expiry of such period.
27. Archival of Digital Signature Certificate.—
A Certifying Authority shall archive- (a) applications for issue of Digital Signature Certificates; (b) registration and verification documents of generated Digital Signature Certificates; (c) Digital Signature Certificates; (d) notices of suspension; (e) information of suspended Digital Signature Certificates; (f) information of revoked Digital Signature Certificates; (g) expired Digital Signature Certificates, for a minimum period of seven years or for a period in accordance with legal requirement.
28. Compromise of Digital Signature Certificate.—
Digital Signature Certificates in operational use that become compromised shall be revoked in accordance with the procedure defined in the Certification Practice Statement of Certifying Authority.
Explanation: Digital Signature Certificates shall,- (a) be deemed to be compromised where the integrity of:- (i) the private key associated with the Digital Signature Certificate is in doubt; (ii) the Digital Signature Certificate owner is in doubt, as to the use, or attempted use of his key pairs, or otherwise, for malicious or unlawful purposes; (b) remain in the compromised state for only such time as it takes to arrange for revocation.
29. Revocation of Digital Signature Certificate.—
(1) Digital Signature Certificate shall be revoked and become invalid for any trusted use, where- (a) there is a compromise of the Digital Signature Certificate owner's private key; (b) there is a misuse of the Digital Signature Certificate; (c) there is a misrepresentation or errors in the Digital Signature Certificate; (d) the Digital Signature Certificate is no longer required. (2) The revoked Digital Signature Certificate shall be added to the Certificate Revocation List (CRL).
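The hash-then-sign procedure of rules 3 and 4, together with the expiry check of rule 26 and the CRL check of rule 29, as an added Python illustration that is not part of the Rules or of any Certifying Authority's software. The key pair, certificate fields and CRL are constructed placeholders (the RSA primes are the public Mersenne primes 2^127-1 and 2^521-1, so the key is a toy), and textbook RSA without PKCS#1 padding is used so each step of the rule stays visible.

```python
"""Hash-then-sign (rules 3 and 4) and relying-party checks (rules 26, 29).
Added illustration with a constructed toy key; not a production signer."""
import hashlib
from datetime import date

# Constructed key pair (assumption: toy, not a real CA or subscriber key).
P = (1 << 127) - 1                  # Mersenne prime M127 (publicly known)
Q = (1 << 521) - 1                  # Mersenne prime M521 (publicly known)
N = P * Q                           # ~648-bit modulus, so any SHA-256 value < N
E = 65537                           # public exponent; coprime with (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def hash_result(record: bytes) -> int:
    """Rule 4: the signer first applies the hash function to the record."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def create_signature(record: bytes, private_key) -> int:
    """Rule 4: transform the hash result into a Digital Signature using
    the signer's private key (textbook RSA, no PKCS#1 padding)."""
    n, d = private_key
    return pow(hash_result(record), d, n)


def signature_matches(record: bytes, signature: int, public_key) -> bool:
    """Rule 3(b): the other key returns the signature to the hash result,
    which must equal a fresh hash of the record received."""
    n, e = public_key
    return pow(signature, e, n) == hash_result(record)


# Constructed certificate with the rule 7 fields (placeholder values only).
CERT = {
    "serial_number": 1001,
    "signature_algorithm": "sha256WithRSAEncryption",
    "issuer": "CN=Placeholder Licensed CA",
    "valid_from": date(2023, 1, 1),
    "valid_to": date(2024, 12, 31),
    "subject": "CN=Placeholder Subscriber",
    "public_key": PUBLIC_KEY,
}
# Constructed Certificate Revocation List (rule 29(2)): revoked serials.
CRL = {2002, 2003}


def verify(record: bytes, signature: int, cert, crl, today: date) -> str:
    """Relying-party check: rule 26 expiry and rule 29 revocation are
    tested before the cryptographic check. Returns a status string."""
    if not (cert["valid_from"] <= today <= cert["valid_to"]):
        return "expired"
    if cert["serial_number"] in crl:
        return "revoked"
    if not signature_matches(record, signature, cert["public_key"]):
        return "bad-signature"
    return "valid"


def demo() -> dict:
    """Sign a constructed record and exercise each failure mode."""
    record = b"Constructed sample electronic record: agreement text"
    sig = create_signature(record, PRIVATE_KEY)
    today = date(2024, 6, 1)
    return {
        "original": verify(record, sig, CERT, CRL, today),
        "tampered": verify(record + b" (altered)", sig, CERT, CRL, today),
        "after_expiry": verify(record, sig, CERT, CRL, date(2025, 1, 1)),
        "revoked": verify(record, sig, CERT, CRL | {1001}, today),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```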
30. Fees for issue of Digital Signature Certificate.—
(1) The Certifying Authority shall charge such fee for the issue of Digital Signature Certificate as may be prescribed by the Central Government under sub-section (2) of section 35 of the Act. (2) Fee may be payable in respect of access to Certifying Authority's X. directory for certificate downloading. Where fees are payable, Certifying Authority shall provide an up-to-date fee schedule to all its subscribers and users; this may be done by publishing the fee schedule on a nominated website. (3) Fees may be payable in respect of access to Certifying Authority's X. directory service for certificate revocation or status information. Where fees are payable, Certifying Authority shall provide an up-to-date fee schedule to all its subscribers and users; this may be done by publishing the fee schedule on a nominated website.