- NOTIFICATION
- 1. Short title and commencement
- 2. Definitions
- 3. The manner in which information be authenticated by means of Digital Signature
- 4. Creation of Digital Signature
- 5. Verification of Digital Signature
- 6. Standards
- 7. Digital Signature Certificate Standard
- 8. Licensing of Certifying Authorities
- 9. Location of the Facilities
- 10. Submission of Application
- 11. Fee
- 12. Cross Certification
- 13. Validity of licence
- 14. Suspension of Licence
- 15. Renewal of licence
- 16. Issuance of Licence
- 17. Refusal of Licence
- 18.Governing Laws
- 19.Security Guidelines for Certifying Authorities
- 20. Commencement of Operation by Licensed Certifying Authorities
- 21. Requirements Prior to Cessation as Certifying Authority
- 22. Database of Certifying Authorities
- 23. Digital Signature Certificate
- 24. Generation of Digital Signature Certificate
- 25. Issue of Digital Signature Certificate
- 26. Certificate Lifetime
- 27. Archival of Digital Signature Certificate
- 28. Compromise of Digital Signature Certificate
- 29. Revocation of Digital Signature Certificate
- 30. Fees for issue of Digital Signature Certificate
- 31. Audit
- 32. Auditor’s relationship with Certifying Authority
- 33. Confidential Information
- 34. Access to Confidential Information
- SCHEDULE-I
- SCHEDULE-II
- Information Technology (IT) Security Guidelines
- 1. Introduction
- 2. Implementation of an Information Security Programme
- 3. Information Classification
- 4. Physical and Operational Security
- 5. Information Management
- 6. System integrity and security measures
- 7. Sensitive Systems Protection
- 8. Data Centre Operations Security
- 9. Data Backup and Off-site Retention
- 10. Audit Trails and Verification
- 11. Measures to Handle Computer Virus
- 12. Relocation of Hardware and Software
- 13. Hardware and Software Maintenance
- 14. Purchase and Licensing of Hardware and Software
- 15. System Software
- 16. Documentation Security
- 17. Network Communication Security
- 18. Firewalls
- 19. Connectivity
- 20. Network Administrator
- 21. Change Management
- 22. Problem Management and Reporting
- 23. Emergency Preparedness
- 24. Contingency Recovery Equipment and Services
- 25. Security Incident Reporting and Response
- 26. Disaster Recovery/Management
- SCHEDULE-III
- Security Guidelines for Certifying Authorities
- Security Guidelines for Certifying Authorities
- 1. Introduction
- 2. Security Management
- 3. Physical controls
- 4. Media Storage
- 5. Waste Disposal
- 6. Off-site Backup
- 7. Change and Configuration Management
- 8. Network and Communications Security
- 9. System Security Audit Procedures
- 10. Records Archival
- 11. Compromise and Disaster Recovery
- 12. Number of Persons Required Per Task
- 13. Identification and Authentication for Each Role
- 14. Personnel Security Controls
- 15. Training Requirements
- 16. Retraining Frequency and Requirements
- 17. Documentation Supplied to Personnel
- 18. Key Management
- 19. Private Key Protection and Backup
- 20. Method of Destroying Private Key
- 21. Usage Periods for the Public and Private Keys
- 22. Confidentiality of Subscriber’s Information
- SCHEDULE-IV
- SCHEDULE-V Glossary
- NOTIFICATION
- NOTIFICATION
- 1. Short title and commencement
- 2. Definitions
- 3. Procedure for filing applications
- 4. Presentation and scrutiny of applications
- 5. Place of filing application
- 6. Application fee
- 7. Contents of application
- 8. Paper book, etc. to accompany the application
- 9. Plural remedies
- 10. Service of notice of application on the respondents
- 11. Filing of reply and other documents by the respondent
- 12. Date and place of hearing to be notified
- 13.Sittings of the Tribunal
- 14.Decision on applications
- 15. Action on application for applicant's default
- 16. Hearing on application ex-parte
- 17. Adjournment of application
- 18. Order to be signed and dated
- 19. Publication of orders
- 20. Communication of orders to parties
- 21. No fee for inspection of records
- 22. Orders and directions in certain cases
- 23. Registration of legal practitioners' clerks
- 24. Working hours of the Tribunal
- 25. Sitting hours of the Tribunal
- 26. Powers and functions of the Registrar
- 27. Additional powers and duties of Registrar
- 28. Seal and emblem
- FORM-1
- FORM-2
- For use in Tribunal's Office
- RECEIPT SLIP
[To be published in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i)]
Government of India Ministry of Information Technology
New Delhi, the 17th October, 2000
NOTIFICATION
G.S.R. 788(E).- In exercise of the powers conferred by sub-section (3) of section 1 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby appoints the 17th day of October, 2000 as the date on which the provisions of the said Act come into force.
[ No. 1(20)/97-IID(NII)/F6]
(P.M.Singh) Joint Secretary
[To be published in the Gazette of India, Extraordinary, Part II, Section 3, Sub-section (i)]
Government of India Ministry of Information Technology
New Delhi, the 17th October, 2000
NOTIFICATION
G.S.R. 789(E).- In exercise of the powers conferred by section 87 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby makes the following rules regulating the application and other guidelines for Certifying Authorities, namely:
1. Short title and commencement.- (1) These Rules may be called the Information Technology (Certifying Authorities) Rules, 2000.
(2) They shall come into force on the date of their publication in the Official Gazette.
2. Definitions.- In these Rules, unless the context otherwise requires,– any person requesting a Digital Signature Certificate from a licensed Certifying Authority), creation of private keys or administration of a Certifying Authority's computing facilities.
(m) words and expressions used herein and not defined but defined in Schedule-IV shall have the meaning respectively assigned to them in that schedule.
the process termed as hash function shall be used in both creating and verifying a Digital Signature.
Explanation.- Computer equipment and software utilizing two such keys are often termed as "asymmetric cryptography".
(a) the signer's private key was used to digitally sign the electronic record, which is known to be the case if the signer's public key was used to verify the signature, because the signer's public key will verify only a Digital Signature created with the signer's private key; and
(b) the electronic record was unaltered, which is known to be the case if the hash result computed by the verifier is identical to the hash result extracted from the Digital Signature during the verification process.
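The two checks above are the whole of a signature verification: the public key recovers the hash result the signer embedded (check (a)), and that hash must equal one recomputed over the record as received (check (b)). The following Go program is an added worked example; it is not part of the rules or of any Certifying Authority's software. It uses RSA with PKCS#1 v1.5 signatures, which rule 6 lists, but hashes with SHA-256 rather than the MD5 or SHA-1 that rule 6 also lists, because collisions can now be produced for both and a colliding second record would pass check (b) unchanged. The sample record is constructed for the example. ExtractHash does the public-key operation and the padding parse by hand only to make the "hash result extracted from the Digital Signature" visible; it is not constant-time, and real code should call rsa.VerifyPKCS1v15 (as Verify does) or, better, RSA-PSS.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// DER prefix of the DigestInfo structure for SHA-256 (RFC 8017, section 9.2).
// The hash result follows this prefix inside a PKCS#1 v1.5 signature block.
var sha256DigestInfoPrefix = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// Sign follows rule 4: compute the hash result of the record, then transform
// it with the signer's private key. The caller attaches the result to the record.
func Sign(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// ExtractHash applies the public key to the signature and parses the PKCS#1
// v1.5 block to recover the hash result the signer embedded (rule 5(b)).
// Illustrative only: the parse is not constant-time, so production code
// should use rsa.VerifyPKCS1v15 instead.
func ExtractHash(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	k := pub.Size()
	if len(sig) != k {
		return nil, errors.New("signature length does not match the modulus")
	}
	s := new(big.Int).SetBytes(sig)
	if s.Cmp(pub.N) >= 0 {
		return nil, errors.New("signature is not below the modulus")
	}
	// Public-key operation: EM = sig^e mod n, written back as k bytes.
	em := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N).FillBytes(make([]byte, k))
	// Expected layout: 0x00 || 0x01 || PS (>= 8 bytes of 0xff) || 0x00 || DigestInfo
	if em[0] != 0x00 || em[1] != 0x01 {
		return nil, errors.New("wrong block type: not signed with the matching private key")
	}
	i := 2
	for i < k && em[i] == 0xff {
		i++
	}
	if i < 10 || i >= k || em[i] != 0x00 {
		return nil, errors.New("malformed padding")
	}
	t := em[i+1:]
	if len(t) != len(sha256DigestInfoPrefix)+sha256.Size || !bytes.HasPrefix(t, sha256DigestInfoPrefix) {
		return nil, errors.New("unexpected DigestInfo")
	}
	return t[len(sha256DigestInfoPrefix):], nil
}

// VerifyByRule5 performs the two checks of rule 5. A well-formed hash result
// comes out only if the signature was created with the private key matching
// pub (check (a)); it must then equal the hash recomputed over the record as
// received (check (b)), which fails if the record was altered.
func VerifyByRule5(pub *rsa.PublicKey, record, sig []byte) bool {
	extracted, err := ExtractHash(pub, sig)
	if err != nil {
		return false
	}
	recomputed := sha256.Sum256(record)
	return bytes.Equal(extracted, recomputed[:])
}

// Verify is the same check done by the standard library, which is what real code should call.
func Verify(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	record := []byte("Pay 1000 rupees to account 42")  // constructed sample record
	sig, err := Sign(signer, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record, signer's key:", VerifyByRule5(&signer.PublicKey, record, sig), Verify(&signer.PublicKey, record, sig))
	altered := []byte("Pay 9000 rupees to account 42")
	fmt.Println("altered record, check (b) fails:", VerifyByRule5(&signer.PublicKey, altered, sig))
	fmt.Println("other public key, check (a) fails:", VerifyByRule5(&other.PublicKey, record, sig))
}
```

Run with go run: the first line prints true twice for the genuine record under the signer's public key, and the next two print false for the altered record and for an unrelated public key. The "hash result extracted from the Digital Signature" is literally what RSA PKCS#1 v1.5 provides; with DSA, which rule 6 also lists, the verifier recovers no hash and simply checks an equation, so checks (a) and (b) collapse into a single accept or reject.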
6. Standards.- The Information Technology (IT) architecture for Certifying Authorities may support open standards and accepted de facto standards; the most important standards that may be considered for different activities associated with the Certifying Authority's functions are as under:
7. Digital Signature Certificate Standard.- All Digital Signature Certificates issued by the Certifying Authorities shall conform to the ITU X.509 version 3 standard as per rule 6 and shall inter alia contain the following data, namely:
(f) Public Key information of the subscriber.
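What a conforming X.509 v3 certificate carries in practice, as an added worked example in Go that is not part of the rules or of any licensed Certifying Authority's software: a self-signed CA certificate, a PKCS#10 certification request from the subscriber (the request format rule 6 lists), and a subscriber certificate issued from it. The fields set here (serial number, signature algorithm, issuer name, validity period, subject name, subject public key) are the ones the X.509 standard requires; the page's list above retains only (f). The names "Example Licensed CA" and "A. Subscriber", the serial numbers and the lifetimes are invented for the example, and SHA256WithRSA is used instead of the SHA-1 rule 6 mentions. Verification is run twice to show the relying party's check failing once the validity period has passed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Names invented for the example; they are not from the rules.
const (
	caName         = "Example Licensed CA"
	subscriberName = "A. Subscriber"
)

// newCA generates the Certifying Authority's key pair and a self-signed
// X.509 v3 CA certificate (lifetime chosen for the example).
func newCA(notBefore time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName, Country: []string{"IN"}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// subscriberRequest builds a PKCS#10 certification request signed with the
// subscriber's private key, which is how the CA learns that the applicant
// holds the private key matching the public key it is asked to certify.
func subscriberRequest(key *rsa.PrivateKey) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: subscriberName, Country: []string{"IN"}},
	}, key)
}

// issue checks the request and returns a v3 certificate carrying the rule 7
// data: serial number, signature algorithm, issuer, validity period,
// subscriber name and the subscriber's public key.
func issue(ca *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte,
	serial int64, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(serial),
		Subject:            csr.Subject,
		NotBefore:          notBefore,
		NotAfter:           notBefore.Add(lifetime),
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt is the relying party's check: chain the certificate to the CA and
// confirm that the time of use falls inside the validity period.
func verifyAt(ca, cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	now := time.Now()
	ca, caKey, err := newCA(now)
	check(err)
	subKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	csr, err := subscriberRequest(subKey)
	check(err)
	cert, err := issue(ca, caKey, csr, 1001, now, 365*24*time.Hour)
	check(err)
	fmt.Printf("version %d, serial %s, %s, issuer %q, subject %q, valid %s to %s\n",
		cert.Version, cert.SerialNumber, cert.SignatureAlgorithm, cert.Issuer.CommonName,
		cert.Subject.CommonName, cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	fmt.Println("one hour after issue:", verifyAt(ca, cert, now.Add(time.Hour)))
	fmt.Println("two years after issue:", verifyAt(ca, cert, now.Add(2*365*24*time.Hour)))
}
```

The second verifyAt call returns a certificate-expired error, which is the check a relying party has to perform on every use, not only at issue time. Go's CreateCertificate fills in the SubjectKeyId of the CA and the AuthorityKeyId of the issued certificate, so the chain in verifyAt is found by key identifier as well as by name.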
8. Licensing of Certifying Authorities.- (1) The following persons may apply for grant of a licence to issue Digital Signature Certificates, namely:
Provided that no company in which the equity share capital held in aggregate by Non-resident Indians, Foreign Institutional Investors, or foreign companies exceeds forty-nine per cent of its capital shall be eligible for grant of licence:
Provided further that in a case where the company has been registered under the Companies Act, 1956 (1 of 1956) during the preceding financial year or in the financial year during which it applies for grant of licence under the Act and whose main object is to act as Certifying Authority, the net worth referred to in sub-clause (ii) of this clause shall be the aggregate net worth of its majority shareholders holding at least 51% of paid-up equity capital, being the Hindu Undivided Family, firm or company:
Provided also that the majority shareholders referred to in the second proviso shall not include Non-resident Indian, foreign national, Foreign Institutional Investor and foreign company:
Provided also that the majority shareholders of a company referred to in the second proviso whose net worth has been determined on the basis of such majority shareholders, shall not sell or transfer their equity shares held in such company
(ii) net worth of not less than fifty crores of rupees:
Provided that no firm in which the capital held in aggregate by any Non-resident Indian and foreign national exceeds forty-nine per cent of its capital shall be eligible for grant of licence:
Provided further that in a case where the firm has been registered under the Indian Partnership Act, 1932 (9 of 1932) during the preceding financial year or in the financial year during which it applies for grant of licence under the Act and whose main object is to act as Certifying Authority, the net worth referred to in sub-clause (ii) of this clause shall be the aggregate net worth of all of its partners:
Provided also that the partners referred to in the second proviso shall not include Non-resident Indian and foreign national:
Provided also that the partners of a firm referred to in the second proviso whose net worth has been determined on the basis of such partners, shall not sell or transfer their capital held in such firm
(iii) "foreign company" shall have the meaning assigned to it in clause (23A) of section 2 of the Income-tax Act, 1961 (43 of 1961);
Provided that the company and firm referred to in the second proviso to clause (b) and the second proviso to clause (c) of sub-rule (1) shall submit a performance bond or furnish a banker's guarantee for ten crores of rupees:
Provided further that nothing in the first proviso shall apply to the company or firm after it has acquired or has its net worth of fifty crores of rupees.
Explanation.- "transfer of operation" shall have the meaning assigned to it in clause (47) of section 2 of the Income-tax Act, 1961 (43 of 1961).
supported by such documents and information as the Controller may require, and it shall inter alia include
(f) an undertaking by the applicant that to its best knowledge and belief it can and will comply with the requirements of its Certification Practice Statement;
(i) any other information required by the Controller.
11. Fee.- (1) The application for the grant of a licence shall be accompanied by a non-refundable fee of twenty-five thousand rupees payable by a bank draft or by a pay order drawn in the name of the Controller.
12. Cross Certification.- (1) The licensed Certifying Authority shall have arrangement for cross certification with other licensed Certifying Authorities within India, which shall be submitted to the Controller before the commencement of their operations as per rule 20:
Provided that any dispute arising as a result of any such arrangement between the Certifying Authorities, or between a Certifying Authority and the Subscriber, shall be referred to the Controller for arbitration or resolution.
(2) The arrangement for Cross Certification by the licensed Certifying Authority with a Foreign Certifying Authority along with the application, shall be submitted to the Controller in such form and in such manner as may be provided in the regulations made by the Controller; and the licensed Certifying Authority shall not commence cross certification operations unless it has obtained the written or digital signature approval from the Controller.
13. Validity of licence.- (1) A licence shall be valid for a period of five years from the date of its issue.
(2) The licence shall not be transferable.
14. Suspension of Licence.-(1) The Controller may by order suspend the licence in accordance with the provisions contained in sub-section (2) of section 25 of the Act.
(2) The licence granted to the persons referred to in clauses (a) to (c) of sub-rule (1) of rule 8 shall stand suspended when the performance bond submitted or the banker’s guarantee furnished by such persons is invoked under sub-rule (2) of that rule.
15. Renewal of licence.- (1) The provisions of rules 8 to 13 shall apply to an application for renewal of a licence as they apply to a fresh application for a licence as Certifying Authority.
16. Issuance of Licence.- (1) The Controller may, within four weeks from the date of receipt of the application, after considering the documents accompanying the application and such other factors as he may deem fit, grant or renew the licence or reject the application:
Provided that in exceptional circumstances and for reasons to be recorded in writing, the period of four weeks may be extended to such period, not exceeding eight weeks in all, as the Controller may deem fit.
17. Refusal of Licence.- The Controller may refuse to grant or renew a licence if
(iii) a receiver has, or a receiver and manager have, been appointed by the court in respect of the applicant; or
(vii) a Certifying Authority fails to conduct, or does not submit, the returns of the audit in accordance with rule 31; or
(viii) the audit report recommends that the Certifying Authority is not worthy of continuing Certifying Authority’s operation; or
(ix) a Certifying Authority fails to comply with the directions of the Controller.
Provided that any change made by the Certifying Authority in the Information Technology and Security Policy shall be submitted by it within two weeks to the Controller.
20. Commencement of Operation by Licensed Certifying Authorities.- The licensed Certifying Authority shall commence its commercial operation of generation and issue of Digital Signature Certificates only after
21. Requirements Prior to Cessation as Certifying Authority.- Before ceasing to act as a Certifying Authority, a Certifying Authority shall,
Provided that the notice shall be given sixty days before ceasing to act as a Certifying Authority or sixty days before the date of expiry of the unrevoked or unexpired Digital Signature Certificate, as the case may be;
22. Database of Certifying Authorities.- The Controller shall maintain a database of the disclosure record of every Certifying Authority, Cross Certifying Authority and Foreign Certifying Authority, containing inter alia the following details:
(iii) commencement of commercial operations of generation and issue of Digital Signature Certificates by the Certifying Authority;
(vii) revocation or suspension of recognition of a foreign Certifying Authority.
23. Digital Signature Certificate.-The Certifying Authority shall, for issuing the Digital Signature Certificates, while complying with the provisions of section 35 of the Act, also comply with the following, namely:
(a) the Digital Signature Certificate shall be issued only after a Digital Signature Certificate application in the form provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and the same has been approved by it:
Provided that the application Form contains, inter alia, the particulars given in the model Form given in Schedule-IV;
24. Generation of Digital Signature Certificate.- The generation of the Digital Signature Certificate shall involve:
25. Issue of Digital Signature Certificate.- Before the issue of the Digital Signature Certificate, the Certifying Authority shall:
(iii) comply with all privacy requirements;
(iv) obtain the consent of the person requesting the Digital Signature Certificate that the details of such Digital Signature Certificate can be published on a directory service.
26. Certificate Lifetime
3. The manner in which information be authenticated by means of Digital Signature.-A Digital Signature shall,
Table of standards referred to in rule 6 (the product: the standard):
- Public Key Infrastructure: PKIX
- Digital Signature Certificates and Digital Signature revocation list: X.509 version 3 certificates (ITU-T X.509; RFC 1422)
- Directory (DAP and LDAP): X.500 for publication of certificates and Certification Revocation Lists (CRLs)
- Database Management Operations: Use of generic SQL
- Public Key algorithm: DSA and RSA
- Digital Hash Function: MD5 and SHA-1
- RSA Public Key Technology: PKCS#1 RSA Encryption Standard (512, 1024, 2048 bit); PKCS#5 Password Based Encryption Standard; PKCS#7 Cryptographic Message Syntax standard; PKCS#8 Private Key Information Syntax standard; PKCS#9 Selected Attribute Types; PKCS#10 RSA Certification Request; PKCS#12 Portable format for storing/transporting a user's private keys and certificates
- Distinguished name: X.520
- Digital Encryption and Digital Signature: PKCS#7
- Digital Signature Request Format: PKCS#10