
Cyber Law & Security Control (Chapter – 5) Digital Signature

Chapter V
Digital Signature
Many legal provisions assume the existence of paper-based records, documents, signatures, etc. Electronic means, however, eliminate the need for various paper transactions and demand corresponding changes in the legal system. Therefore, certain steps have been taken to facilitate e-commerce, to protect the interests of the people using means of information technology and also to make the necessary changes in the Acts relating to information technology: the Information Technology Act of 2000 has been passed, and the provisions of this Act relating to digital signature, electronic governance, electronic records and certifying authorities have been prescribed for the examination.
DIGITAL SIGNATURE
A person puts his signature on different papers, letters, documents, etc. in order to reveal his identity or to authenticate the documents. Persons who are illiterate have to put their thumb impressions on the documents, following certain formalities, in order to authenticate them. Signatures serve certain basic purposes. In the first place, a signature authenticates the writing by identifying the signer with the material, letter, document, etc. When a mark is made in a distinctive manner by the signer, such writing becomes attributable to the signer. Further, a signature on any document often indicates or imparts a sense of clarity and finality to the transaction or substance. It also lessens the subsequent need to inquire beyond the face of the document. For example, the amounts of cheques are paid to the concerned payee after verification of the signatures of the drawers against their specimen signatures. Secondly, the act of signing a document calls the attention of the signer to the importance of his or her act and thus helps to prevent the signer from acting inconsiderately. A signature is required as one of the formal requirements for completing transactions according to the provisions of different Acts. A signature on any document indicates the signer's approval or authorization of the writing on the document, or his intention that it should have legal effect.
The above mentioned are the basic purposes of obtaining signatures on documents, and hence the signer's authentication is considered very essential. But in the era of modern information technology, the traditional methods of signing and authenticating transactions are rapidly becoming obsolete. If the Internet becomes a widely accepted medium for commerce in India and e-commerce increases in volume and value, the importance of digital signatures and public key infrastructure is sure to increase. In fact, digital signatures have a multitude of applications, which include electronic data interchange, electronic funds transfer, contracts, authentication and certification, etc. Obviously, the main objective is to enable the recipient to prove the identity of the signer or sender and also to guarantee the integrity of the data being transferred.
The provisions relating to the digital signature have been made in the Information Technology Act of 2000. Section 2 (p) defines the term 'Digital Signature', while Section 3 of the I.T. Act throws light on the authentication of electronic records. Further, Rules 3, 4 and 5 of the Information Technology (Certifying Authorities) Rules, 2000 make clear the manner in which information is authenticated by means of digital signature, the creation of digital signature and the verification of digital signature respectively. Let us consider these aspects as per the provisions of the Act.

New Satara College of BCA Pandharpur 1 Prof. Kirpekar R.R.



Definition of the Digital Signature


"Digital Signature" means authentication of any electronic record by a subscriber
by means of an electronic method or procedure in accordance with the provisions of section 3.

'Subscriber' means a person in whose name the Digital Signature Certificate is issued.

Authentication of electronic records, creation and verification of digital signature, etc.
Section 3 (Chapter II) of the I.T. Act makes clear the conditions subject to which an electronic record can be authenticated by means of affixing a digital signature, while Rules 3, 4 and 5 of the Information Technology (Certifying Authorities) Rules of 2000 throw light on the manner in which information is authenticated by means of digital signature, the creation of digital signature and the verification of digital signature respectively.
The provisions of section 3 and these rules are given below:
(a) Authentication of Electronic Records [Section 3]:
(1) Subject to the provisions of this section any subscriber may authenticate an
electronic record by affixing his digital signature [Section 3 (1)].
(2) The authentication of the electronic record shall be effected by the use of
asymmetric crypto system and hash function which envelop and transform the initial
electronic record into another electronic record [Section 3 (2)].
For the purposes of this sub-section, "hash function" means an algorithm
mapping or translation of one sequence of bits into another, generally smaller set known as "hash
result" such that an electronic record yields the same hash result every time the algorithm is
executed with the same electronic record as its input making it computationally infeasible -
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm
[Explanation to Section 3 (2)].
(3) Any person by the use of a public key of the subscriber can verify the electronic record
[Section 3 (3)]
(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair [Section 3 (4)].

(b) The manner in which information is to be authenticated by means of digital signature [Rule 3]:
A Digital Signature shall -
(a) be created and verified by cryptography that concerns itself with transforming electronic records into seemingly unintelligible forms and back again;
(b) use what is known as "Public Key Cryptography", which employs an algorithm using two different but mathematically related "keys": one for creating a Digital Signature or transforming data into a seemingly unintelligible form, and another key for verifying a Digital Signature or returning the electronic record to its original form. The process termed as hash function shall be used in both creating and verifying a Digital Signature.


Explanation: Computer equipment and software utilizing two such keys are often termed as
"asymmetric cryptography".
(c) Creation of Digital Signature [Rule 4]:
To sign an electronic record or any other item of information, the signer shall first apply the hash function in the signer's software; the hash function shall compute a hash result of standard length which is unique (for all practical purposes) to the electronic record; the signer's software shall then transform the hash result into a Digital Signature using the signer's private key; the resulting Digital Signature shall be unique to both the electronic record and the private key used to create it; and the Digital Signature shall be attached to its electronic record and stored or transmitted with its electronic record.
(d) Verification of Digital Signature [Rule 5]:
The verification of a Digital Signature shall be accomplished by computing a
new hash result of the original electronic record by means of the hash function used to create a
Digital Signature and by using the public key and the new hash result, the verifier shall check —
(i) if the Digital Signature was created using the corresponding private key; and
(ii) if the newly computed hash result matches the original result which was transformed
into Digital Signature during the signing process. The verification software will confirm the
Digital Signature as verified if —
(a) the signer's private key was used to digitally sign the electronic record, which is
known to be the case if the signer's public key was used to verify the signature because, the
signer's public key will verify only a Digital Signature created with the signer's private key; and
(b) the electronic record was unaltered, which is known to be the case if the hash
result computed by the verifier is identical to the hash result extracted from the Digital Signature
during the verification process.
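The Rule 4 and Rule 5 procedure carried out in Go, as an added example that is not part of these notes: the record is reduced to a hash result, the hash result is transformed with the subscriber's private key, and the verifier recomputes the hash and checks the signature with the public key, so that an altered record or a wrong key fails verification. SHA-256 and ECDSA over P-256 are this example's assumptions; the Rules name no particular algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewSubscriberKeyPair generates the "functioning key pair" of Section 3 (4):
// a private key for creating signatures and the matching public key for
// verifying them. The P-256 curve is an assumption of this example.
func NewSubscriberKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// HashResult is the "hash function" step of Rule 4: a fixed-length result that
// is identical every time for the same record and differs for a changed record.
// SHA-256 is an assumption of this example.
func HashResult(record []byte) []byte {
	sum := sha256.Sum256(record)
	return sum[:]
}

// SignRecord follows Rule 4: hash the record, then transform the hash result
// with the signer's private key. The signature is unique to this record and key.
func SignRecord(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, HashResult(record))
}

// VerifyRecord follows Rule 5: recompute the hash of the record as received and
// check with the public key that the signature was produced from that hash by
// the corresponding private key. A false result means either the record was
// altered after signing (Rule 5 (b)) or the signature was not created with the
// private key matching this public key (Rule 5 (a)).
func VerifyRecord(pub *ecdsa.PublicKey, record, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, HashResult(record), sig)
}

func main() {
	// Constructed sample electronic record; not taken from any real transaction.
	record := []byte("Pay Rs. 1,000 to Account 12345 on 01-04-2001")

	subscriber, err := NewSubscriberKeyPair()
	if err != nil {
		panic(err)
	}
	sig, err := SignRecord(subscriber, record)
	if err != nil {
		panic(err)
	}

	// The signature travels with the record; the verifier holds only the public key.
	fmt.Println("genuine record verifies:  ", VerifyRecord(&subscriber.PublicKey, record, sig))

	// Changing one digit changes the hash result, so the Rule 5 (b) check fails.
	tampered := []byte("Pay Rs. 9,000 to Account 12345 on 01-04-2001")
	fmt.Println("tampered record verifies: ", VerifyRecord(&subscriber.PublicKey, tampered, sig))

	// Another subscriber's public key cannot verify this signature: Rule 5 (a) fails.
	other, err := NewSubscriberKeyPair()
	if err != nil {
		panic(err)
	}
	fmt.Println("other public key verifies:", VerifyRecord(&other.PublicKey, record, sig))
}
```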
(e) Meaning of important terms used in the above mentioned provisions:
There are various technical terms used in the Act. The meanings of these terms are given in Schedule V appended to the Information Technology (Certifying Authorities) Rules of 2000 under the heading "Glossary". The meanings of certain technical terms used in the above mentioned provisions are given below for ready reference.
(1) Electronic Record: 'Electronic Record' means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated micro-fiche.
(2) Electronic Form: 'Electronic form', with reference to information, means any information generated, sent, received or stored in media, magnetic, optical, computer memory, microfilm, computer generated micro-fiche or similar device.
(3) Asymmetric Crypto System: A system of a secure key pair consisting of a private key for
creating a digital signature and a public key to verify the digital signature.
(4) Hash [Hash Function]: An algorithm that maps or translates one set of bits into another
(generally smaller) set in such a way that —
(i) A message yields the same result every time the algorithm is executed using the
same message as input.
(ii) It is computationally infeasible for a message to be derived or reconstituted from
the result produced by the algorithm.
(iii) It is computationally infeasible to find two different messages that produce the same hash result using the same algorithm.


(5) Key: A sequence of symbols that controls the operation of a cryptographic transformation, e.g. encipherment, decipherment, cryptographic check function computation, signature generation or signature verification.
(6) Public Key: The key of a key pair used to verify a digital signature and listed in the Digital
Signature Certificate.
(7) Private Key: The key of a key pair used to create a digital signature.
(8) Cryptography:
(I) The mathematical science used to secure the confidentiality and authentication of
data by replacing it with a transformed version that can be reconverted to reveal the original data
only by someone holding the proper cryptographic algorithm and key.
(II) A discipline that embodies the principles, means, and methods for transforming
data in order to hide its information content, prevent its undetected modification, and/or prevent
its unauthorized uses.
(9) Public Key Cryptography: A type of cryptography that uses a key pair of mathematically related cryptographic keys. The public key can be made available to anyone who wishes to use it and can encrypt information or verify a digital signature; the private key is kept secret by its holder and can decrypt information or generate a digital signature.
(10) Public Key Infrastructure [PKI] / PKI Server: A set of policies, processes, server platforms, software and workstations used for the purpose of administering Digital Signature Certificates and public-private key pairs, including the ability to generate, issue, maintain and revoke public key certificates.
From the definition of digital signature [Section 2 (p)], the provisions of Section 3, Rules 3 and 4 and the meanings of the technical terms mentioned above, we come to know various aspects relating to the digital signature, its creation, verification, etc. In that context, we can summarise them in the following way.
(a) A digital signature is the result of computations involving the message to be signed and the signer's private key. Digital signatures are created and verified by cryptography, which is the branch of applied mathematics that concerns itself with transforming messages into seemingly unintelligible forms and back again. The use of digital signatures usually involves two important processes, one performed by the signer and the other by the receiver of the digital signature.
(b) First, the electronic record is converted into a message digest by using a mathematical function, i.e. a hash function, which digitally freezes the electronic record and thereby ensures the integrity of the contents of the intended communication contained in the electronic record. Any tampering with the contents of the electronic record will immediately invalidate the digital signature.
(c) The identity of the person affixing the digital signature is authenticated through the use of a private key, which attaches itself to the message digest and which can be verified by anyone who has the public key corresponding to that private key.
(d) As the electronic record is affixed with the digital signature, it becomes possible to verify whether the electronic record has been retained intact or has been tampered with. Further, it enables a person who has the public key to identify the originator of the message.


Digital signatures are well suited for wireless Internet-enabled devices. Digital signatures are definitely complementary to automation, bringing various benefits including faster, more efficient processing and reduced error rates and administrative costs.

Digital Signature Certificates


Now-a-days, in India, the use of the Internet is increasing even in the field of business and commerce. In the information technology age, more and more organizations are joining the revolution through B2B [business to business] and B2C [business to consumer] sites in order to expand their business and to generate more revenue. But for this purpose, so far as Internet transactions are concerned, a lot of trust is required. In our regular transactions, it is easy to verify someone's identity by using his or her signature or identification card if required. But on the Internet, or in Internet transactions, the opportunity for face-to-face verification is impossible or very rare. Hence, the need was felt to develop some technique which can create a feeling of trust between the merchants and consumers doing business on the Internet. Digital Signature Certificate technology has been developed for that purpose. A digital signature certificate, in simple language, consists of basic information about one's digital identity such as the individual's or his company's name, e-mail address, digital signature, etc.
Digital signature is nothing more than a series of numbers called a public key, which forms the basis of all encryption algorithms. A digital signature authenticates the legal identity of the concerned party or person. Secure communication demands five key elements to work, and they are confidentiality, authorization, authentication, integrity and non-repudiation. From this point of view the Cyber law, i.e. the I.T. Act, 2000, has been passed, and provisions have been made in the Act to issue digital signature certificates in Chapter VII under Sections 35 to 39. A digital signature certificate is issued by the Certificate or Certifying Authority according to the provisions of the I.T. Act, 2000, basically for the purpose of promoting safe e-commerce transactions over the Internet. The Certifying Authority, as we have already studied, is a trusted third party entity whose important responsibility is the authenticity of the user. A passport is the identity of a citizen, and a college student can be identified on the basis of his identity card issued by the principal of the college. Similarly, a network user's electronic identity is the proof that the person or organization, as the case may be, is certified by the Certifying Authority. Now, let us consider the provisions of the I.T. Act included in Chapter VII relating to Digital Signature Certificates.

Certifying Authority to Issue Digital Signature Certificate [Section 35]


A certifying authority is empowered under this Act to issue digital signature certificates. Section 35
deals with the form in which digital signature certificate may be issued by the Certifying Authority.
A person can make an application in the prescribed form to the Certifying Authority for the issue of
a digital signature certificate by paying the prescribed fee. The form for an application for issue of
Digital Signature Certificate is given in Schedule IV of the I.T. (Certifying Authorities) Rules, 2000.
Such application is required to be accompanied by a certification practice statement or a statement
containing specified particulars. The provisions of Section 35 are given below:
(1) Any person may make an application to the Certifying Authority for the issue of a
Digital Signature Certificate in such form as may be prescribed by the Central Government [Section
35 (1)]


(2) Every such application shall be accompanied by such fee not exceeding twenty five
thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying
Authority [Section 35 (2)]
It is provided that while prescribing fees under sub-section (2) different fees may be
prescribed for different classes of applicants [Proviso to Section 35 (2)].
(3) Every such application shall be accompanied by a certification practice statement
or where there is no such statement, a statement containing such particulars, as may be specified
by regulations [Section 35 (3)]
(4) On receipt of an application under sub-section (1), the Certifying Authority may,
after consideration of the certification practice statement or the other statement under sub-section
(3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or
for reasons to be recorded in writing, reject the application [Section 35(4)]
It is provided that no Digital Signature Certificate shall be granted unless the
Certifying Authority is satisfied that —
(a) The applicant holds the private key corresponding to the public key to be listed in the
Digital Signature Certificate;
(b) The applicant holds a private key, which is capable of creating a digital signature;
(c) The public key to be listed in the certificate can be used to verify a digital signature
affixed by the private key held by the applicant [Proviso to Section 35 (4)]
It is provided further that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection [Proviso to Section 35 (4)].
It should be noted that the proviso to Section 35 (4) lays down certain conditions. If the Certifying Authority is not satisfied in that respect, the digital signature certificate is not granted.

[I] Rule 23 of the I.T. (C.A.) Rules, 2000 pertaining to the provisions of Section 35
Rule 23 says that, "The Certifying Authority shall, for issuing the Digital Signature Certificates, while complying with the provisions of section 35 of the Act, also comply with the following, namely —
(a) the Digital Signature Certificate shall be issued only after a Digital Signature Certificate application in the form provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and the same has been approved by it:
Provided that the application form contains, inter alia, the particulars given in the Model Form given in Schedule IV;
(b) No interim Digital Signature Certificate shall be issued;
(c) The Digital Signature Certificate shall be generated by the Certifying Authority
upon receipt of an authorized and validated request for —
(i) New Digital Signature Certificates;
(ii) Digital Signature Certificates Renewal;
(d) The Digital Signature Certificate must contain or incorporate, by reference
such information, as is sufficient to locate or identify one or more repositories in
which revocation or suspension of the Digital Signature Certificate will be listed,
if the Digital Signature Certificate is suspended or revoked;


(e) The subscriber identity verification method employed for issuance of Digital
Signature Certificate shall be specified in the Certification Practice Statement
and shall be subject to the approval of the Controller during the application for a
license;
(f) Where the Digital Signature Certificate is issued to a person (referred to in this
clause as a New Digital Signature Certificate) on the basis of another valid Digital
Signature Certificate held by the said person (referred in this clause as an
originating Digital Signature Certificate) and subsequently the originating Digital
Signature Certificate has been suspended or revoked, the Certifying Authority that
issued the new Digital Signature Certificate shall conduct investigations to
determine whether it is necessary to suspend or revoke the new Digital Signature
Certificate;
(g) The Certifying Authority shall provide a reasonable opportunity for the
subscriber to verify the contents of the Digital Signature Certificate before it is
accepted;
(h) If the subscriber accepts the issued Digital Signature Certificate, the
Certifying Authority shall publish a signed copy of the Digital Signature
Certificate in a repository;
(i) Where the Digital Signature Certificate has been issued by the licensed
Certifying Authority and accepted by the subscriber, and the certifying
Authority comes to know of any fact, or otherwise, that affects the validity or
reliability of such Digital Signature Certificate, it shall notify the same to the
subscriber immediately;
(j) All Digital Signature Certificates shall be issued with a designated expiry
date.


ELECTRONIC RECORDS
In Chapter IV of the I.T. Act of 2000, under the heading "Attribution, Acknowledgement and Dispatch of Electronic Records", provisions have been made relating to attribution of electronic records [Section 11], acknowledgement of receipt [Section 12] and time and place of dispatch and receipt of electronic record [Section 13]. These sections are given below.

Attribution of Electronic Records [Section 11]


Section 11 deals with the attribution of electronic records. Section 11 states that, "An electronic record shall be attributed to the originator -
(a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the originator in respect of
that electronic record; or
(c) by an information system programmed by or on behalf of the originator to
operate automatically".
Thus, these provisions make clear that if an electronic record was sent by the originator himself, or by a person duly authorized by him, or through any information system programmed by the originator or on his behalf to operate automatically, such electronic record is attributed to the originator.

Acknowledgement of Receipt [Section 12]


This Section 12 deals with acknowledgement of receipt of an electronic record
by different modes. It is stated in Section 12 that,
(1) Where the originator has not agreed with the addressee that the acknowledgement of
receipt of electronic record be given in a particular form or by a particular method, an
acknowledgement may be given by —
(a) any communication by the addressee, automated or otherwise; or
(b) any conduct of the addressee, sufficient to indicate to the originator that the
electronic record has been received [Section 12 (1)]

(2) Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgement of such electronic record by him, then, unless the acknowledgement has been so received, the electronic record shall be deemed to have been never sent by the originator [Section 12 (2)]

(3) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgement, and the acknowledgement has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to, within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgement has been received by him and specifying a reasonable time by which the acknowledgement must be received by him, and if no acknowledgement is received within the aforesaid time limit he may, after giving notice to the addressee, treat the electronic record as though it has never been sent [Section 12 (3)]


CERTIFYING AUTHORITIES
In order to avoid forgery, deceit, etc. in online authentication, a certifying authority is required. A certifying authority's real task is to associate the public key with its actual holder. A person who has been granted the necessary license to issue digital signature certificates under Section 24 of the I.T. Act of 2000 becomes a Certifying Authority. The Certifying Authorities pass down the trust placed in them by a supreme authority to license holders and subscribers. The supreme authority in India is the Controller, who is appointed according to the provisions of Section 17 of the I.T. Act of 2000. The Controller of Certifying Authorities has to perform certain functions which are stated in Section 18 of the I.T. Act of 2000. The regulation of certifying authorities is very essential and important in order to maintain this trust. From this point of view, various provisions have been made in Chapter VI of the I.T. Act of 2000, under the heading "Regulation of Certifying Authorities".
Chapter VI includes eighteen sections making provisions relating to the appointment of the Controller of Certifying Authorities and other officers, the functions of the Controller, the license to issue digital signature certificates, application, renewal, suspension, etc. of the license and certain other related aspects. Besides these provisions, we also find the rules made in the Information Technology (Certifying Authorities) Rules of 2000 pertaining to licensing of the Certifying Authorities, submission of application for a licensed certifying authority, etc. This is, in fact, the core part of the I.T. Act. Let us now consider the provisions of the I.T. Act of 2000 relating to the regulation of certifying authorities and the important rules of the Information Technology (Certifying Authorities) Rules of 2000. But before that, let us study the provisions of this Act relating to the appointment and functions of the Controller.
Appointment of the Controller of Certifying Authorities and other Officers [Section 17]
Section 17 of the I.T. Act of 2000 provides for the appointment of the Controller of
Certifying Authorities and other officers to regulate the Certifying Authorities. The
provisions of Section 17 are given below :

(1) The Central Government may, by notification in the Official Gazette, appoint a
Controller of Certifying Authorities for the purposes of this Act and may also by the same or
subsequent notification, appoint such number of Deputy Controllers and Assistant Controllers as it
deems fit [Section 17 (1)]
(2) The Controller shall discharge his functions under this Act subject to the general
control and directions of the Central Government [Section 17 (2)]
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned
to them by the Controller under the general superintendence and control of the Controller [Section
17 (3)]
(4) The qualifications, experience and terms and conditions of service of Controller,
Deputy Controllers and Assistant Controllers shall be such as may be prescribed by the Central
Government [Section 17 (4)]
(5) The Head Office and Branch Office of the office of the Controller shall be at such places as the Central Government may specify, and these may be established at such places as the Central Government may think fit [Section 17 (5)]
(6) There shall be a seal of the Office of the Controller [Section 17 (6)]


According to the provisions of Section 17, the Controller of the Certifying Authorities
has been appointed. The Controller of the Certifying Authorities has to discharge all functions
mentioned in Section 18 of this Act subject to the general control and directions of the Central
Government.
In order to assist the Controller of Certifying Authorities, the Central Government is empowered to appoint such number of Deputy Controllers and Assistant Controllers as the Central Government deems fit [Section 17 (1)]. The Deputy Controllers and Assistant Controllers perform the functions assigned to them by the Controller of Certifying Authorities under his general superintendence and control [Section 17 (3)]

Functions of the Controller of Certifying Authorities [Section 18]


Section 18 of the I.T. Act provides for the functions of the Controller of Certifying
Authorities in respect of various activities of the Certifying Authorities. It is stated in Section 18
that, "The Controller may perform all or any of the following functions, namely —
(a) Exercising supervision over the activities of the Certifying Authorities;
(b) Certifying public keys of the Certifying Authorities;
(c) Laying down the standards to be maintained by the Certifying Authorities;
(d) Specifying the qualifications and experience which employees of the Certifying
Authority should possess;
(e) Specifying the conditions subject to which the Certifying Authorities shall conduct
their business;
(f) Specifying the contents of written, printed or visual materials and advertisements that
may be distributed or used in respect of a Digital Signature Certificate and the public
key;
(g) Specifying the form and content of a Digital Signature Certificate and the key;
(h) Specifying the form and manner in which accounts shall be maintained by the
Certifying Authorities;
(i) Specifying the terms and conditions subject to which auditors may be appointed and
the remuneration to be paid to them;
(j) Facilitating the establishment of any electronic system by a Certifying Authority either
solely or jointly with other Certifying Authorities and regulation of such systems;
(k) Specifying the manner in which the Certifying Authorities shall conduct their dealings
with the subscribers;
(l) Resolving any conflict of interests between the Certifying Authorities and the
subscribers;

Certifying Authorities and Their Regulation


The definition of ‘Certifying Authority’ is given in Section 2 (g) of the I. T. Act.
Accordingly, "Certifying Authority" means a person who has been granted a license to issue a
Digital Signature Certificate under Section 24. Thus, a person who has been granted necessary
license to issue a digital signature certificate under Section 24 of this Act becomes a certifying
authority. In order to get a license for working as a certifying authority, an application is required
to be made to the Controller of the Certifying Authorities in the prescribed form. On following the procedure prescribed, the Controller issues or grants the license. The provisions relating to issue of license, its application, etc. have been made in Chapter VI of this Act. They are given below.
License to Issue Digital Signature Certificates [Section 21]
For getting the license from the Controller, an application in the prescribed form is
required to be made to the Controller along with the prescribed non-refundable fee [which is Rs.
25,000] and such other documents as may be prescribed by the Central Government. The Controller of
Certifying Authorities, after considering the application and on fulfilment of the other conditions
prescribed in this Act and in the Information Technology (Certifying Authorities) Rules, 2000, may
grant the license. He may also reject the application, after giving the applicant a reasonable
opportunity of being heard [Section 24]. The persons who may apply for the grant of a license to
issue Digital Signature Certificates are specified in Rule 8 of the Information Technology
(Certifying Authorities) Rules, 2000. Rules are also made in respect of the location of facilities,
submission of the application, fee, suspension of license, etc. All these rules are given below along
with the concerned provisions of the sections included in Chapter VI of the I.T. Act, 2000. The
provisions of Section 21 relating to the license to issue Digital Signature Certificates are given below.
(1) Subject to the provisions of sub-section (2), any person may make an application, to
the Controller, for a license to issue Digital Signature Certificates [Section 21 (1)].
(2) No license shall be issued under sub-section (1), unless the applicant fulfills such
requirements with respect to qualification, expertise, manpower, financial resources and
other infrastructure facilities, which are necessary to issue Digital Signature Certificates
as may be prescribed by the Central Government [Section 21 (2)]
(3) A license granted under this section shall —
(a) be valid for such period as may be prescribed by the Central Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be specified by regulations
[Section 21 (3)].

Digital signatures alone do not fulfil the need for trust and authentication: a valid
signature proves only that the signer held the private key matching some public key, not who that
signer is. Another element is therefore required to develop a trusted environment for online
business transactions. Digital signatures in fact rely on a "Public Key Infrastructure" in which
"Certifying Authorities" act as the trusted third parties for identification and authentication.
The important job of a Certifying Authority is to bind a public key to its actual holder, and it does
so by issuing a Digital Signature Certificate that it signs with its own key.
It should be noted here that Public Key Infrastructure or PKI is the architecture,
organization, techniques, practices and procedures that collectively support the implementation
and operation of a certificate-based public key cryptographic system; it includes the set of
policies, processes, server platforms, software and workstations used for the purpose of
administering Digital Signature Certificates and keys.
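How a relying party actually uses that binding, as an added worked example (it is not from these notes, from the Act, or from any licensed Certifying Authority's software): an in-memory PKI with one CA and one subscriber, written in Go against only the standard library's crypto/x509 package. The CA name "Example Licensed CA", the subscriber "Subscriber A", the serial numbers and the signed message are all invented for the example. The verifier accepts a signed message only when both steps pass: the certificate was issued by the CA it trusts, and the signature verifies under the public key inside that certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is an in-memory model of one Certifying Authority and one subscriber whose public
// key the CA has bound to a name. Names, serials and messages are invented; set-up errors panic.
type PKI struct {
	CACert  *x509.Certificate
	SubKey  *ecdsa.PrivateKey // only the subscriber holds this
	SubCert *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func certTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
}

// issue has signer certify pub under tmpl (self-signed when parent == tmpl). The signature
// the CA puts on the certificate is the act that binds a public key to a name.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// SelfSigned makes a key pair and a certificate the key signs for itself: a trust anchor
// when isCA is set, otherwise exactly what an impostor can mint without any CA.
func SelfSigned(name string, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := certTemplate(name, 1)
	tmpl.IsCA = isCA
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// BuildPKI creates the CA and has it certify the public key of "Subscriber A".
func BuildPKI() *PKI {
	caCert, caKey := SelfSigned("Example Licensed CA", true)
	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	subCert := issue(certTemplate("Subscriber A", 1001), caCert, &subKey.PublicKey, caKey)
	return &PKI{CACert: caCert, SubKey: subKey, SubCert: subCert}
}

// SignWith returns a DER-encoded ECDSA P-256 signature over SHA-256(msg).
func SignWith(key *ecdsa.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return sig
}

// RelyingPartyCheck is what a verifier who trusts only the CA does with a signed message:
// first confirm the certificate was issued by that CA (the CA vouches that the named subscriber
// holds the matching private key), only then check the signature under the certified public key.
func RelyingPartyCheck(ca, cert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by the trusted CA: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("signature does not verify under the certified public key: %w", err)
	}
	return nil
}

func main() {
	p := BuildPKI()
	msg := []byte("Transfer Rs. 25,000 to account 1234") // constructed sample message
	sig := SignWith(p.SubKey, msg)
	fmt.Println("genuine subscriber:", RelyingPartyCheck(p.CACert, p.SubCert, msg, sig))
	fmt.Println("altered message:", RelyingPartyCheck(p.CACert, p.SubCert, []byte("Transfer Rs. 250,000"), sig))
	imp, impKey := SelfSigned("Subscriber A", false) // same name, but no CA signature behind it
	fmt.Println("impostor:", RelyingPartyCheck(p.CACert, imp, msg, SignWith(impKey, msg)))
}
```

Run with `go run`: the genuine case prints `<nil>`, the altered message fails the signature check, and the impostor fails the chain check even though its certificate shows the same name, because only the CA's signature turns a name-plus-key into something a third party can rely on. A real relying party also consults the CA's revocation list, which is where a subscriber's report that the private key was compromised (Section 42) ends up.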

Duties and Responsibilities of Certifying Authority


Important duties and responsibilities of a Certifying Authority are mentioned in Chapter
VI and are also included in the Information Technology (Certifying Authorities) Rules, 2000. These
duties and responsibilities are given below :

(a) Certifying Authority has to follow certain procedure [Section 30]

The provisions under Section 30 make clear that the Certifying Authority has to
follow certain procedure in respect of digital signatures. Section 30 states that, "Every Certifying
Authority shall -
(a) make use of hardware, software and procedures that are secured from intrusion and
misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to
the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the digital
signatures are assured; and
(d) observe such other standards as may be specified by regulations".
(b) Certifying Authority has to ensure the compliance of this I.T. Act [Section 31]
It is the duty and responsibility of the Certifying Authority to ensure that every person
employed by the Certifying Authority complies with the provisions of the I.T. Act, 2000 or rules,
regulations made thereunder. According to Section 31, "Every Certifying Authority shall ensure
that every person employed or otherwise engaged by it complies, in the course of his employment
or engagement, with the provisions of this Act, rules, regulations and orders made thereunder".

(c) Duty or responsibility of Certifying Authority to display its license [Section 32]
It is laid down in Section 32 that, "every Certifying Authority shall display its license
at a conspicuous place of the premises in which it carries on its business".
(d) Duty or responsibility of Certifying Authority to surrender its license [Section 33]
Section 33 states that, (1) Every Certifying Authority whose license is suspended or
revoked shall immediately after such suspension or revocation, surrender the license to
the Controller [Section 33 (1)].

(2) Where any Certifying Authority fails to surrender a license under sub-section (1),
the person in whose favour the license is issued shall be guilty of an offence and shall be punished
with imprisonment which may extend up to six months or a fine which may extend up to ten
thousand rupees or with both [Section 33 (2)].

Subscriber
A "subscriber" means a person in whose name the Electronic Signature Certificate is issued
[Section 2 (1) (zg)].

Generating Key Pair

Duties of subscriber of Electronic Signature Certificate


In respect of Electronic Signature Certificate the subscriber shall perform such duties as
may be prescribed.

Acceptance of Digital Signature Certificate.


(1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he
publishes or authorizes the publication of a Digital Signature Certificate -
(a) to one or more persons;
(b) in a repository, or otherwise demonstrates his approval of the Digital Signature
Certificate in any manner.

(2) By accepting a Digital Signature Certificate the subscriber certifies to all who
reasonably rely on the information contained in the Digital Signature Certificate that –
(a) The subscriber holds the private key corresponding to the public key listed in
the Digital Signature Certificate and is entitled to hold the same;
(b) All representations made by the subscriber to the Certifying Authority and all
material relevant to the information contained in the Digital Signature Certificate are true;
(c) All information in the Digital Signature Certificate that is within
the knowledge of the subscriber is true.

Control of Private Key


Every subscriber shall exercise reasonable care to retain control of the private key
corresponding to the public key listed in his Digital Signature Certificate and take all steps to
prevent its disclosure ["to a person not authorized to affix the digital signature of the subscriber":
omitted vide amendment dated 19/09/2002].
If the private key corresponding to the public key listed in the Digital Signature
Certificate has been compromised, then, the subscriber shall communicate the same without any
delay to the Certifying Authority in such manner as may be specified by the regulations.

Explanation - For the removal of doubts, it is hereby declared that the subscriber shall be liable
till he has informed the Certifying Authority that the private key has been compromised.

New Satara College of BCA Pandharpur 13 Prof. Kirpekar R.R.
