Digital Signature Controller Authority



INTRODUCTION

Section 18 of the Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted at par with handwritten signatures, and electronic documents that have been digitally signed are treated at par with paper documents. The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users.

The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under section 17 of the Act for the purposes of the IT Act. The Office of the CCA came into existence on November 1, 2000. It aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures.

The CCA has established the Root Certifying Authority of India (RCAI) under section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CAs) in the country. The RCAI is operated as per the standards laid down under the Act. The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to the CAs in the country.

WHO IS THE CONTROLLER OF CERTIFYING AUTHORITIES?

"Section 17: Appointment of Controller and other officers.
(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.
(4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers shall be such as may be prescribed by the Central Government.
(5) The Head Office and Branch Office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit.
(6) There shall be a seal of the Office of the Controller."[1]

The Information Technology Act 2000 (IT Act) provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users. The Controller of Certifying Authorities (CCA) is appointed by the Indian Central Government under section 17 of the Act for the purposes of the IT Act. The Office of the CCA came into existence on November 1, 2000. It aims at promoting the growth of E-commerce and E-governance through the wide use of digital signatures.

[1] The Information Technology Act, 2000, s. 17.

The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority of India (RCAI) under section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CA) in the country. The RCAI is operated as per the standards laid down under the IT Act. The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose it operates the RCAI. The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to the CAs in the country.

POWER AND FUNCTIONS OF THE CONTROLLER OF CERTIFYING AUTHORITIES

"The Controller may perform all or any of the following functions, namely:
(a) exercising supervision over the activities of the Certifying Authorities;
(b) certifying public keys of the Certifying Authorities;
(c) laying down the standards to be maintained by the Certifying Authorities;
(d) specifying the qualifications and experience which employees of the Certifying Authorities should possess;
(e) specifying the conditions subject to which the Certifying Authorities shall conduct their business;
(f) specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key;
(g) specifying the form and content of a Digital Signature Certificate and the key,
(h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities;
(i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them;
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems;
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers;
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;
(m) laying down the duties of the Certifying Authorities;
(n) maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public."[2]

Section 18[3] enumerates the various powers and functions of the Controller of Certifying Authorities (CCA). The Controller's main function is to regulate and control almost every activity of the Certifying Authorities (CAs). Being the apex authority in the PKI hierarchy, a duty is cast upon the Controller to ensure the proper working of the Certifying Authorities and to ensure the safety, security and integrity of electronic signatures. To ensure this, the Information Technology Act empowers the Controller of Certifying Authorities to perform certain functions.

The Controller is empowered to supervise the activities of the Certifying Authorities (CAs). It is the Controller who issues licences to the Certifying Authorities to issue Electronic Signature Certificates. Section 18(a) has to be read along with Rule 31(2) of the Information Technology (Certifying Authorities) Rules, 2000, which stipulates that the Certifying Authorities shall conduct a half-yearly audit of the security policy, physical security and planning of their operations and the repository. The Certifying Authority shall submit a copy of each audit report to the Controller within four weeks of the completion of such audit and, where irregularities are found, the Certifying Authority shall take immediate appropriate action to remove such irregularities.

The Controller of Certifying Authorities shall certify the public keys of the Certifying Authorities. The Root Certifying Authority of India established by the Controller is entrusted to certify/digitally sign the public keys of all certifying authorities in India. The Root Certifying Authority of India (RCAI) is operated as per the standards laid down under the Information Technology Act. The requirements to be satisfied by the RCAI include the following:
(a) the license issued to the Certifying Authority is digitally signed by the CCA;
(b) all public keys corresponding to the signing private keys of a Certifying Authority are digitally signed by the Controller of Certifying Authorities;
(c) the keys signed by the Controller of Certifying Authorities can be verified by a relying party through the Controller's website or the Certifying Authority's own website.
The RCAI is operated using Smart-Trust software. Authorized CCA personnel initiate and perform Root Certifying Authority functions in accordance with the Certification Practice Statement of the Root Certifying Authority of India. The term Root Certifying Authority is used to refer to the total certifying authority entity, including the software and its operations. Its root certificate is the highest level of certification in India. A root certificate is a self-signed certificate. All certificates below the root certificate inherit the trustworthiness of the root certificate.

Section 18(b) of the Information Technology Act has to be read along with Rule 20(b) of the Information Technology (Certifying Authorities) Rules, 2000. The rule states that the licensed Certifying Authority shall commence its commercial operation of generation and issuance of digital signatures only after it has generated its key pair, namely the private and corresponding public key, and submitted the public key to the Controller.

One of the main functions of the Controller is to lay down the standards to be maintained by the Certifying Authorities. Information technology architecture may support open standards and accepted de facto standards. However, Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 prescribes certain standards to be followed for the different activities associated with the Certifying Authorities' functions. Rule 7 of the Information Technology (Certifying Authorities) Rules, 2000 deals with the Digital Signature Certificate Standard.[4]

[2] The Information Technology Act, 2000, s. 18.
[3] Id.

PAKISTAN

The Ministry of Information Technology, in line with the National IT Policy and the Electronic Transaction Ordinance, 2002, set up an Accreditation Council for Certificate Authorities (CAs) in 2002. The council acts as the regulating authority for all the Certifying Authorities in Pakistan. Before this ordinance of 2002 there was only one Certifying Authority, NIFT National ICT and R&D Fund. After this ordinance, many CAs were formed. At present there are in total 13 Certifying Authorities, namely:

1. National ICT R&D Fund
2. Electronic Government Directorate (EGD)
3. Electronic Certification Accreditation Council (ECAC)
4. National Telecommunication Corporation (NTC)
5. Pakistan Computer Bureau (PCB)
6. Pakistan Software Export Board (PSEB)
7. Pakistan Telecommunications Company Limited (PTCL)
8. Paknet
9. Pakistan Telecommunications Mobile Limited (PTML – Ufone)
10. Special Communication Organization (SCO)
11. Telecom Foundation (TF)
12. Universal Service Fund (USF)
13. Virtual University (VU)

[4] Jamshed Ansari, "Authorities Under I.T. Act, 2000: With Special Reference To Cyber Appellate Tribunal In India", Asstt. Professor (Guest Faculty), Faculty of Law, University of Delhi, Delhi (INDIA).

BANGLADESH

As a signatory of the World Trade Organization, Bangladesh has accepted the Code of Good Practice of the WTO Agreement on Removing Technical Barriers to Trade.[5]

[Figure (reproduced from IIUC Studies, Vol. 6, p. 116): PKI relationships among the Certification Authority, the Certificate Holder and the Relying Party, covering the Certification Policy (CP), Certification Practice Statement (CPS), secured connection, certificate verification, certificate issue and management, Relying Party Information (RPI) and Digital Identity Agreement (DIA).]

As part of ongoing legal framework development in an attempt to keep pace with globalization, Bangladesh enacted the Information Technology Act in 2006. The object of the legislation, inter alia, is to facilitate electronic commerce, to eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements, to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce, to promote public confidence in the integrity and reliability of electronic records and electronic commerce, and to foster the development of electronic commerce through the use of electronic signatures to lend authenticity and integrity to correspondence in any electronic medium.[6] It is evident that the Information Technology Act 2006, hereinafter "the Act", has given legal recognition to digital signatures in order to bring digital signatures under complete legal and evidential scrutiny.

Certifying Authorities Controller

The government may appoint a Controller, Deputy Controller and Assistant Controller of Certifying Authorities. The Controller is the highest authority to supervise and validate the CAs. The Controller is responsible for specifying the rules and methods under which CAs will function. It will establish databases of disclosures issued by Certifying Authorities and perform all other functions needed to ascertain that the system of Public Key Infrastructure works properly.[7] The Controller has authority to recognize foreign CAs by following the rules established under the Act.[8] It will act as the repository of all Certificates issued. Certifying Authorities are generally private entities. They have to obtain a licence and must comply with strict requirements set by law. The Controller issues such licences after scrutinizing the application for a licence. The licence is subject to suspension and revocation. The application should be accompanied by a certification practice statement, a statement including the procedures with respect to identification of the applicant, the requisite fees and other documents.[9]

U.S.A

The ESIGN Act, signed by President Bill Clinton on June 30, 2000, granted electronic signatures the same legal status as handwritten signatures throughout the United States. Electronic signatures greatly simplify the way companies gather, track and manage signatures and approvals. The terms issuing authority or certificate issuer are sometimes used to refer to what these Guidelines call a certification authority. The two terms are closely synonymous.[10] "Certification authority: A person who issues a certificate."[11]

Quality assurance should be a principal concern in selecting and utilizing certification authorities. Governmental regulation, professional accreditation, trade usage, auditing, and liability for negligent errors and omissions are examples of approaches toward assuring quality in certification authority practice. Subject to applicable law, any person who undertakes the functions of a certification authority under these Guidelines may become a certification authority. The level of authority and reliance to be accorded to the certificates of the certification authority will be determined in part by the experience and reputation of the certification authority, and in part from the material presented in the certification practice statement. Those who seek a low level of responsibility to protect transactions of minor value or limited risk may accept a certificate of lower level assurance from a certification authority of unknown reputation. Those who seek the highest level of responsibility to protect transactions of high value and severe risk will obtain certificates providing the highest level of assurance, from certification authorities whose experience has earned them the highest respect.[12]

A notaire or CyberNotary may be a certification authority, and serving as a certification authority may well be a natural. CyberNotaries are attorneys at law admitted to practice in the United States and qualified to act as a CyberNotary pursuant to specialization rules currently under development in the CyberNotary Committee, Section of Science and Technology of the American Bar Association. A CyberNotary function mirrors that of a notaire, and is focused primarily on practice in international, computer-based transactions. Under the planned specialization rules, a CyberNotary would possess technical expertise to facilitate computer-based transactions requiring a high level of certification, authentication, or other information security services. It is proposed that a CyberNotary would be required to meet a level of qualification as a legal professional commensurate with that of a notaire, be a member in good standing of the bar of a state or territory of the United States, the District of Columbia, or Puerto Rico, be a member of the American Bar Association, and demonstrate technical competence in computer-based business transactions. For further information, contact the CyberNotary Committee, Section of Science and Technology, of the American Bar Association.

[5] Hossain, Najmul, E-Commerce in Bangladesh: Status, Potential and Constraints, JOBS Report, 2000, p. 2, retrieved from http://www.jobsproject.org/content/publication/ECommerce_in_Bangladesh_status.pdf, last visited on January 27, 2010.
[6] Final Report on The Law on Information Technology, Bangladesh Law Commission, p. 3, retrieved from http://www.lawcommissionbangladesh.org/wplit.html.
[7] Sections 18 and 19 of the Information Technology Law, 2006.
[8] Id., Section 20.
[9] Id., Sections 22 to 26.
[10] https://acrobat.adobe.com/content/dam/doccloud/en/pdfs/dc_esignatures_us_overview_ue.pdf
[11] Information Security Committee, Electronic Commerce and Information Technology Division, Section of Science and Technology, American Bar Association, © 1995, 1996 American Bar Association.
[12] Sec. 1.7; Information Security Committee, Section of Science & Technology, American Bar Association.

Moreover, notaires and CyberNotaries provide important adjunct services in addition to assuring the validity of a signature; for example, a notarial authentication in certain legal systems assures the validity and legal efficacy of the transaction itself, not merely its signatures. Notaires and CyberNotaries, therefore, may be well suited to serving as certification authorities, subject, of course, to satisfaction of the standards of training and practice required of all certification authorities and to the definition of computer hardware, software and procedures which meet the test of a trustworthy system (a certification authority must utilize trustworthy systems in performing its services).

The U.S. Federal Public Key Infrastructure and the Federal Bridge Certification Authority
Peter Alterman, Ph.D., Senior Advisor to the Chair, Federal PKI Steering Committee and Acting Director, Federal Bridge Certification Authority.

The Goals of the U.S. Federal PKI:
• A cross-governmental, ubiquitous, interoperable Public Key Infrastructure.
• The development and use of applications which employ that PKI in support of Agency business processes.

The U.S. Federal Bridge Certification Authority (FBCA):
• Designed to create trust paths among individual Agency PKIs.
• Employs a distributed, NOT a hierarchical, model.
• Commercial CA products participate within the membrane of the Bridge.
• Develops cross-certificates within the membrane to bridge the gap among dissimilar products.

EXAMPLES OF CERTIFYING AUTHORITIES

Thawte

Thawte is a leading global Certification Authority. Our SSL and code signing digital certificates are used globally to secure servers, provide data encryption, authenticate users, protect privacy and assure online identities through stringent authentication and verification processes. Our SSL certificates include Wildcard SSL Certificates, SAN/UC Certificates, SGC SuperCerts and Extended Validation SSL Certificates.

Entrust SSL Server Certificates

SSL (Secure Sockets Layer) is a cryptographic protocol that establishes a secure connection between a client application and a server on the Internet or other network. An SSL certificate (or digital certificate) indicates that an encryption algorithm is being used to ensure that only the intended parties are the recipients of a data transmission. For this reason, SSL certificates or Transport Layer Security (TLS) certificates are one of the hallmarks of a solid e-commerce foundation and the de facto industry standard for protecting information from unauthorized access. In short, SSL certificates help build customer trust and website reputation by safeguarding Internet transactions.

VeriSign

VeriSign Authentication Services, now part of Symantec Corp. (NASDAQ: SYMC), provides solutions that allow companies and consumers to engage in communications and commerce online with confidence. VeriSign Authentication Services include SSL, SSL Certificates, Extended Validation (EV SSL), VeriSign Trust Seal, two-factor authentication, identity protection, malware scan, code signing and public key infrastructure (PKI). Symantec products include Norton antivirus software, Norton internet security solutions for small business, and PC Tools.

GlobalSign

GlobalSign Inc offers online security services and has been operating a trusted Root Certificate Authority since 1996. GlobalSign Digital Certificates are trusted by all popular Browsers, Operating Systems, Mobile Devices and Applications and include SSL Server Certificates, Extended Validation SSL, Code Signing, Adobe CDS, Email & Authentication Digital IDs, Enterprise PKI and Certificate Authority root signing for Microsoft Certificate Services / Enterprise CA.

MALAYSIA

In a public-key infrastructure scheme, Certification Authorities play a very prominent role. As trusted third parties, Certification Authorities certify and identify users electronically by issuing electronic identification certificates. For a digital signature to enjoy legal status, it must be certified by a Certification Authority. In Malaysia, licensing of Certification Authorities is mandatory.[13] At the moment, DigiCert is the only licensed Certification Authority in Malaysia. This approach is adopted so that there is uniformity in the certification industry, and so that regulation of digital signatures can be done more effectively (Annamalai, 1997), although Alkeniz (1997) argued that licensing TTPs, instead of increasing security, will in fact make electronic commerce less secure. Therefore, in Malaysia, a digital signature is legally valid only if it is certified by a licensed Certification Authority. In fact, it is an offence to carry on or operate, or hold out as, a Certification Authority unless that person holds a valid licence under the Act. Upon conviction, the offender may be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding ten years or both.[14] Although in Malaysia licensing of Certification Authorities is mandatory, this does not mean that a certificate issued by an unlicensed Certification Authority is invalid.
In fact, the Act specifically provides that the licensing requirements under the Act shall not affect the effectiveness, enforceability and validity of any digital signatures.[15] The Act further provides that the liability limits for certification authorities and the effect of digital signatures, as provided for under the Act, shall not apply to unlicensed Certification Authorities. Therefore, if an unlicensed Certification Authority is used, the validity of the digital signatures would be governed by a contract between the contracting parties, instead of the Malaysian DSA.

The Singapore ETA adopts a different approach. Licensing under the Singapore ETA is voluntary, so that a closed network may use its own unlicensed Certification Authority (Ter, 1999). But it is not correct to assume that an unlicensed Certification Authority is not regulated (Seng, 1999). It would still have to abide by the other relevant provisions of the Singapore ETA, such as the duties of certification authorities. In Singapore, digital certificates are recognised if they are issued by three bodies: licensed Certification Authorities; foreign Certification Authorities recognised by the Controller of Certification Authorities[16]; and Government Departments or Ministries approved by the Minister. In addition, the parties may expressly agree between themselves to use a digital signature which is properly verified by reference to the sender's public key.[17]

RUSSIA

Certification of e-signature technology is a lengthy process in Russia and may require, among other things, decompiling the certifiable software. In the meantime, users often run foreign-made e-signature technology, the certification of which is impracticable economically or organizationally. It should therefore be admitted that the statutorily required certification of e-signature technology substantially limits the user options offered to electronic document flow agents, and is a serious obstacle to the wider use of e-signatures in Russian business practice. At present, the authorized government body is the Federal Agency for Information Technology (FAIT), operating within the Russian Federation Ministry for Information Technology and Telecommunications.[18] FAIT maintains an official register of digital signature key certificates, against which the certifying centers verify the certificates they issue. The agency provides free access to this register and issues the key certificates of the digital signatures of the respective authorized officers of the certifying centers. The E-Signature Law, which sets forth the duties that certifying centers owe to the holders of digital signature key certificates, is silent on the centers' responsibility for the accuracy and validity of the certificates and on the centers' liability for damages caused to any individuals, legal entities or organizations which have reasonably relied on such certificates.[19] The only sanction the Law provides is the possibility of placing liability for losses, caused in connection with the generation of digital signature keys using uncertified digital signature technology, on the producers and distributors of such technology. It should also be noted that the Law does not name, among the duties which certifying centers owe to digital signature certificate holders, the substantial duty of keeping the private keys secret when the certifying centers generate such keys at the certificate holders' request.[20]

[13] s. 4(1), Digital Signature Act, 1997.
[14] s. 4(2), Digital Signature Act, 1997.
[15] s. 13(2), Digital Signature Act, 1997.
[16] s. 43, Electronic Transaction Act.
[17] s. 20(b)(iv), Electronic Transaction Act.
[18] Resolution No. 319 of the Russian Federation Government On Approval of the Regulations of the Federal Agency for Information Technology of June 30, 2004. The web site of FAIT in Russian is located at http://www.minsvyaz.ru/site.shtml?id=2873. Information in English is only available in regard to the Ministry itself: http://english.minsvyaz.ru/enter.shtml.

[19] The obligation to provide for such liability is established for the European countries, for example, by Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, Official Journal L 013, 19/01/2000, pp. 0012–0020, available in electronic format at http://www.ict.etsi.org/EESSI/Documents/e-sign-directive.pdf.
[20] Article 11 of the E-Signature Law.

CONCLUSION

A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet. These electronic documents, which are called digital certificates, are an essential part of secure communication and play an important part in the public key infrastructure (PKI). Certificates typically include the owner's public key, the expiration date of the certificate, the owner's name and other information about the public key owner. Operating systems (OSes) and browsers maintain lists of trusted CA root certificates to verify certificates that a CA has issued and signed.

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party, trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The most commonly encountered public-key infrastructure (PKI) schemes are those used to implement HTTPS on the World Wide Web.
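The hierarchy this paper describes (a self-signed root certifies a licensed CA's public key; the relying party then verifies a subscriber's certificate back to the root it trusts) can be exercised end to end with Go's standard library. The program below is an added illustration, not part of the original paper or of any CCA/RCAI software: all names are constructed placeholders, and it shows that a subscriber certificate chains to the root only when its issuing CA was itself certified by the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs; any failure here is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// entity is one participant in the hierarchy: its key pair and certificate.
// Every name used below is a constructed placeholder, not real CCA material.
type entity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue generates a key pair for name and certifies its public key. With a
// nil issuer the certificate is self-signed (the root case in the text);
// otherwise the issuer signs it with its own private key, which is the step
// the text describes for the CCA certifying a licensed CA's public key.
func issue(name string, isCA bool, issuer *entity) *entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &entity{key: key, cert: must(x509.ParseCertificate(der))}
}

// verify plays the relying party: it trusts only the root certificate and
// accepts the subscriber only if a chain leads from it, through the offered
// CA certificate, to that root. Any other issuer is an "unknown authority".
func verify(subscriber, ca, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	intermediates.AddCert(ca)
	_, err := subscriber.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Demo builds the hierarchy and reports whether a subscriber of the licensed
// CA and a subscriber of an unlicensed (self-certified) CA verify to the root.
func Demo() (licensedOK, unlicensedOK bool) {
	root := issue("Root CA (constructed)", true, nil)             // self-signed root
	licensed := issue("Licensed CA (constructed)", true, root)    // key signed by root
	unlicensed := issue("Unlicensed CA (constructed)", true, nil) // never signed by root
	subA := issue("Subscriber A (constructed)", false, licensed)
	subB := issue("Subscriber B (constructed)", false, unlicensed)
	licensedOK = verify(subA.cert, licensed.cert, root.cert) == nil
	unlicensedOK = verify(subB.cert, unlicensed.cert, root.cert) == nil
	return licensedOK, unlicensedOK
}

func main() {
	ok, bad := Demo()
	fmt.Println("subscriber of licensed CA verifies:  ", ok)  // true
	fmt.Println("subscriber of unlicensed CA verifies:", bad) // false
}
```

The second check fails with Go's UnknownAuthorityError because the unlicensed CA's certificate, although well formed, was never signed by the trusted root; that is the property the relying party in the text depends on.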

BIBLIOGRAPHY

REFERENCES:
http://archive.mu.ac.in/myweb_test/SYBA%20Study%20Material.pdf
http://www.academia.edu
www.researchgates.net
www.wikieducator.com

BOOKS:
Information Technology Law And Practice by Vakul Sharma

CONTENTS
• INTRODUCTION
• WHO IS THE CONTROLLER OF CERTIFYING AUTHORITIES
• POWER AND FUNCTIONS OF CERTIFYING AUTHORITIES
• IN REFERENCE TO:
  • PAKISTAN
  • BANGLADESH
  • U.S.A
  • MALAYSIA
  • RUSSIA
• CONCLUSION
• BIBLIOGRAPHY
