Information Technology Act – 2000
REGULATION OF CERTIFYING AUTHORITIES
17. Appointment of Controller and other officers.
(1) The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act and may also by the same or subsequent notification appoint such number of Deputy Controllers and Assistant Controllers as it deems fit.
(2) The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government.
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller.
(4) The qualifications, experience and terms and conditions of service of Controller, Deputy Controllers and Assistant Controllers shall be such as may be prescribed by the Central Government.
(5) The Head Office and Branch Office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit.
(6) There shall be a seal of the Office of the Controller.
18. Functions of Controller.
The Controller may perform all or any of the following functions, namely:
(a) exercising supervision over the activities of the Certifying Authorities.
(b) certifying public keys of the Certifying Authorities.
(c) laying down the standards to be maintained by the Certifying Authorities.
(d) specifying the qualifications and experience which employees of the Certifying Authorities should possess.
(e) specifying the conditions subject to which the Certifying Authorities shall conduct their business.
(f) specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key.
(g) specifying the form and content of a Digital Signature Certificate and the key.
(h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities.
(i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them.
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems.
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers.
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers.
(m) laying down the duties of the Certifying Authorities.
(n) maintaining a data base containing the disclosure record of every Certifying Authority containing
such particulars as may be specified by regulations, which shall be accessible to public.
19. Recognition of foreign Certifying Authorities.
(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may
with the previous approval of the Central Government, and by notification in the Official Gazette, recognise
any foreign Certifying Authority as a Certifying Authority for the purposes of this Act.
(2) Where any Certifying Authority is recognised under sub-section (1), the Digital Signature Certificate
issued by such Certifying Authority shall be valid for the purposes of this Act.
(3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of the conditions
and restrictions subject to which it was granted recognition under sub-section (1) he may, for reasons to be
recorded in writing, by notification in the Official Gazette, revoke such recognition.
20. Controller to act as repository.
(1) The Controller shall be the repository of all Digital Signature Certificates issued under this Act.
(2) The Controller shall :
(a) make use of hardware, software and procedures that are secure from intrusion and misuse.
(b) observe such other standards as may be prescribed by the Central Government,
to ensure that the secrecy and security of the digital signatures are assured.
(3) The Controller shall maintain a computerised data base of all public keys in such a manner that such
data base and the public keys are available to any member of the public.
21. License to issue Digital Signature Certificates.
(1) Subject to the provisions of sub-section (2), any person may make an application, to the Controller, for
a license to issue Digital Signature Certificates.
(2) No license shall be issued under sub-section (1), unless the applicant fulfills such requirements with
respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which
are necessary to issue Digital Signature Certificates as may be prescribed by the Central Government.
(3) A license granted under this section shall
(a) be valid for such period as may be prescribed by the Central Government.
(b) not be transferable or heritable.
(c) be subject to such terms and conditions as may be specified by the regulations.
22. Application for license.
(1) Every application for issue of a license shall be in such form as may be prescribed by the Central
(2) Every application for issue of a license shall be accompanied by
(a) a certification practice statement.
(b) a statement including the procedures with respect to identification of the applicant.
(c) payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the
(d) such other documents, as may be prescribed by the Central Government.
23. Renewal of license.
An application for renewal of a license shall be
(a) in such form.
(b) accompanied by such fees, not exceeding five thousand rupees,
as may be prescribed by the Central Government and shall be made not less than forty-five days before
the date of expiry of the period of validity of the license.
24. Procedure for grant or rejection of license.
The Controller may, on receipt of an application under sub-section (1) of section 21, after considering the
documents accompanying the application and such other factors, as he deems fit, grant the license or
reject the application:
Provided that no application shall be rejected under this section unless the applicant has been given a
reasonable opportunity of presenting his case.
25. Suspension of license.
(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying
Authority has :
(a) made a statement in, or in relation to, the application for the issue or renewal of the license,
which is incorrect or false in material particulars.
(b) failed to comply with the terms and conditions subject to which the license was granted.
(c) failed to maintain the standards specified under clause (b) of sub-section (2) of section 20.
(d) contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the license:
Provided that no license shall be revoked unless the Certifying Authority has been given a reasonable
opportunity of showing cause against the proposed revocation.
(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a
license under sub-section (1), by order suspend such license pending the completion of any inquiry
ordered by him:
Provided that no license shall be suspended for a period exceeding ten days unless the Certifying Authority
has been given a reasonable opportunity of showing cause against the proposed suspension.
(3) No Certifying Authority whose license has been suspended shall issue any Digital Signature Certificate
during such suspension.
26. Notice of suspension or revocation of license.
(1) Where the license of the Certifying Authority is suspended or revoked, the Controller shall publish notice
of such suspension or revocation, as the case may be, in the database maintained by him.
(2) Where one or more repositories are specified, the Controller shall publish notices of such suspension
or revocation, as the case may be, in all such repositories:
Provided that the data base containing the notice of such suspension or revocation, as the case may be,
shall be made available through a web site which shall be accessible round the clock:
Provided further that the Controller may, if he considers necessary, publicise the contents of database in
such electronic or other media, as he may consider appropriate.
27. Power to delegate.
The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any officer to
exercise any of the powers of the Controller under this Chapter.
28. Power to investigate contraventions.
(1) The Controller or any officer authorised by him in this behalf shall take up for investigation any
contravention of the provisions of this Act, rules or regulations made thereunder.
(2) The Controller or any officer authorised by him in this behalf shall exercise the like powers which are
conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise
such powers, subject to such limitations laid down under that Act.
29. Access to computers and data.
(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person
authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions
of this Act, rules or regulations made thereunder has been committed, have access to any computer
system, any apparatus, data or any other material connected with such system, for the purpose of
searching or causing a search to be made for obtaining any information or data contained in or available
to such computer system.
(2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by order,
direct any person incharge of, or otherwise concerned with the operation of, the computer system, data
apparatus or material, to provide him with such reasonable technical and other assistance as he may
30. Certifying Authority to follow certain procedures.
Every Certifying Authority shall,
(a) make use of hardware, software and procedures that are secure from intrusion and misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to the performance of
(c) adhere to security procedures to ensure that the secrecy and privacy of the digital signatures are assured and
(d) observe such other standards as may be specified by regulations.
31. Certifying Authority to ensure compliance of the Act, etc.
Every Certifying Authority shall ensure that every person employed or otherwise engaged by it complies, in the course of his employment or engagement, with the provisions of this Act, rules, regulations and orders made thereunder.
32. Display of license.
Every Certifying Authority shall display its license at a conspicuous place of the premises in which it
carries on its business.
33. Surrender of license.
(1) Every Certifying Authority whose license is suspended or revoked shall immediately after such
suspension or revocation, surrender the license to the Controller.
(2) Where any Certifying Authority fails to surrender a license under sub-section (1), the person in whose
favour a license is issued, shall be guilty of an offence and shall be punished with imprisonment which
may extend up to six months or a fine which may extend up to ten thousand rupees or with both.
(1) Every Certifying Authority shall disclose in the manner specified by regulations :
(a) its Digital Signature Certificate which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Digital Signature Certificate.
(b) any certification practice statement relevant thereto.
(c) notice of the revocation or suspension of its Certifying Authority certificate, if any and
(d) any other fact that materially and adversely affects either the reliability of a Digital Signature Certificate, which that Authority has issued, or the Authority’s ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which a Digital Signature Certificate was granted, then, the Certifying Authority shall :-
(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence or
(b) act in accordance with the proce