Regulation of Certifying Authorities

The Information Technology Act, 2000, establishes a detailed framework for the regulation of Certifying Authorities (CAs), recognizing that digital signatures and electronic authentication can function reliably only when backed by a secure and trusted infrastructure. Certifying Authorities are entities licensed by the government to issue Digital Signature Certificates (DSCs), which authenticate the identity of individuals and organisations engaging in electronic transactions. To ensure that these certificates are credible and tamper-proof, the Act creates the office of the Controller of Certifying Authorities (CCA), who is entrusted with supervising, licensing, and monitoring all Certifying Authorities operating in India.

The CCA performs several key functions, including granting licenses to CAs after verifying their financial soundness, technical competence, and adherence to security standards. These licenses are issued for a prescribed period and can be suspended or revoked if the CA fails to comply with the provisions of the Act, the rules, or the security practices prescribed. The CCA also oversees the creation and operation of the National Repository of Digital Signatures (NRDC), which stores the public keys and certificate information issued by all CAs, ensuring transparency and public trust in the system.

Once licensed, a Certifying Authority is required to follow strict guidelines relating to the generation, issuance, renewal, suspension, and revocation of digital signature certificates. It must maintain secure hardware and software environments, protect its private keys, and adhere to a documented Certification Practice Statement (CPS) approved by the CCA. Regular audits, security reviews, and compliance checks are conducted to ensure that the CA maintains the high level of trust and integrity required in a public key infrastructure.

The Act also imposes specific obligations on CAs to verify the identity of applicants before issuing DSCs, maintain a database of certificates and revocation lists, and report security breaches or compromises immediately to the CCA. Any failure to maintain required standards can lead to suspension of operations, penalties, or cancellation of the CA’s license. These regulatory measures ensure that digital signatures in India operate within a dependable, accountable, and secure framework, thereby strengthening the legal foundation of electronic commerce, e-filing, and e-governance.