18. Functions of Controller.
The Controller may perform all or any of the following functions, namely:-
(a) exercising supervision over the activities of the Certifying Authorities.
(b) certifying public keys of the Certifying Authorities.
(c) laying down the standards to be maintained by the Certifying Authorities.
(d) specifying the qualifications and experience which employees of the Certifying Authorities should possess.
(e) specifying the conditions subject to which the Certifying Authorities shall conduct their business.
(f) specifying the contents of written, printed or visual materials and advertisements that may be distributed or used in respect of a Digital Signature Certificate and the public key.
(g) specifying the form and content of a Digital Signature Certificate and the key.
(h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities.
(i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them.
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems.
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers.
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers.
(m) laying down the duties of the Certifying Authorities.
(n) maintaining a data base containing the disclosure record of every Certifying Authority containing such particulars as may be specified by regulations, which shall be accessible to public.
19. Recognition of foreign Certifying Authorities.
(1) Subject to such conditions and restrictions as may be specified by regulations, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognise any foreign Certifying Authority as a Certifying Authority for the purposes of this Act.
(2) Where any Certifying Authority is recognised under sub-section (1), the Digital Signature Certificate issued by such Certifying Authority shall be valid for the purposes of this Act.
(3) The Controller may, if he is satisfied that any Certifying Authority has contravened any of the conditions and restrictions subject to which it was granted recognition under sub-section (1) he may, for reasons to be recorded in writing, by notification in the Official Gazette, revoke such recognition.
20. Controller to act as repository.
(1) The Controller shall be the repository of all Digital Signature Certificates issued under this Act.
(2) The Controller shall:-
(a) make use of hardware, software and procedures that are secure from intrusion and misuse.
(b) observe such other standards as may be prescribed by the Central Government,
to ensure that the secrecy and security of the digital signatures are assured.
(3) The Controller shall maintain a computerised data base of all public keys in such a manner that such data base and the public keys are available to any member of the public.
21. License to issue Digital Signature Certificates.
(1) Subject to the provisions of sub-section (2), any person may make an application, to the Controller, for a license to issue Digital Signature Certificates.
(2) No license shall be issued under sub-section (1), unless the applicant fulfills such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities, which are necessary to issue Digital Signature Certificates as may be prescribed by the Central Government.
(3) A license granted under this section shall
(a) be valid for such period as may be prescribed by the Central Government.
(b) not be transferable or heritable.
(c) be subject to such terms and conditions as may be specified by the regulations.
22. Application for license.
(1) Every application for issue of a license shall be in such form as may be prescribed by the Central Government.
(2) Every application for issue of a license shall be accompanied by
(a) a certification practice statement.
(b) a statement including the procedures with respect to identification of the applicant.
(c) payment of such fees, not exceeding twenty-five thousand rupees as may be prescribed by the Central Government.
(d) such other documents, as may be prescribed by the Central Government.
23. Renewal of license.
An application for renewal of a license shall be
(a) in such form.
(b) accompanied by such fees, not exceeding five thousand rupees, as may be prescribed by the Central Government and shall be made not less than forty-five days before the date of expiry of the period of validity of the license.
24. Procedure for grant or rejection of license.
The Controller may, on receipt of an application under sub-section (1) of section 21, after considering the documents accompanying the application and such other factors, as he deems fit, grant the license or reject the application:
Provided that no application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case.
25. Suspension of license.
(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that a Certifying Authority has:-
(a) made a statement in, or in relation to, the application for the issue or renewal of the license, which is incorrect or false in material particulars.
(b) failed to comply with the terms and conditions subject to which the license was granted.
(c) failed to maintain the standards specified under clause (b) of sub-section (2) of section 20.
(d) contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the license:
Provided that no license shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation.
(2) The Controller may, if he has reasonable cause to believe that there is any ground for revoking a license under sub-section (1), by order suspend such license pending the completion of any inquiry ordered by him:
Provided that no license shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension.
(3) No Certifying Authority whose license has been suspended shall issue any Digital Signature Certificate during such suspension.
26. Notice of suspension or revocation of license.
(1) Where the license of the Certifying Authority is suspended or revoked, the Controller shall publish notice of such suspension or revocation, as the case may be, in the database maintained by him.
(2) Where one or more repositories are specified, the Controller shall publish notices of such suspension or revocation, as the case may be, in all such repositories:
Provided that the data base containing the notice of such suspension or revocation, as the case may be, shall be made available through a web site which shall be accessible round the clock:
Provided further that the Controller may, if he considers necessary, publicise the contents of database in such electronic or other media, as he may consider appropriate.
27. Power to delegate.
The Controller may, in writing, authorise the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Chapter.
28. Power to investigate contraventions.
(1) The Controller or any officer authorised by him in this behalf shall take up for investigation any contravention of the provisions of this Act, rules or regulations made thereunder.
(2) The Controller or any officer authorised by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act.
29. Access to computers and data.
(1) Without prejudice to the provisions of sub-section (1) of section 69, the Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of this Act, rules or regulations made thereunder has been committed, have access to any computer system, any apparatus, data or any other material connected with such system, for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system.
(2) For the purposes of sub-section (1), the Controller or any person authorised by him may, by order, direct any person in charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary.
30. Certifying Authority to follow certain procedures.
Every Certifying Authority shall,
(a) make use of hardware, software and procedures that are secure from intrusion and misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the digital signatures are assured; and
(d) observe such other standards as may be specified by regulations.
31. Certifying Authority to ensure compliance of the Act, etc.
Every Certifying Authority shall ensure that every person employed or otherwise engaged by it complies, in the course of his employment or engagement, with the provisions of this Act, rules, regulations and orders made thereunder.
32. Display of license.
Every Certifying Authority shall display its license at a conspicuous place of the premises in which it carries on its business.
33. Surrender of license.
(1) Every Certifying Authority whose license is suspended or revoked shall immediately after such suspension or revocation, surrender the license to the Controller.
(2) Where any Certifying Authority fails to surrender a license under sub-section (1), the person in whose favour a license is issued, shall be guilty of an offence and shall be punished with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or with both.
34. Disclosure.
(1) Every Certifying Authority shall disclose in the manner specified by regulations:-
(a) its Digital Signature Certificate which contains the public key corresponding to the private key used by that Certifying Authority to digitally sign another Digital Signature Certificate.
(b) any certification practice statement relevant thereto.
(c) notice of the revocation or suspension of its Certifying Authority certificate, if any and
(d) any other fact that materially and adversely affects either the reliability of a Digital Signature Certificate, which that Authority has issued, or the Authority's ability to perform its services.
(2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which a Digital Signature Certificate was granted, then, the Certifying Authority shall:-
(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence or
(b) act in accordance with the proce