CERTIFYING AUTHORITIES IN CYBER LAWS BY: GAURAV MANDAR

CERTIFYING AUTHORITIES IN CYBER LAWS

AUTHORED BY: GAURAV MANDAR

Abstract:

This article provides a comprehensive overview of Certifying Authorities (CAs) and their role in ensuring the security and authenticity of online communication. The article begins by introducing the concept of CAs and explaining their key functions, including the issuance and revocation of digital certificates. The article then delves into the technical details of certificate management, discussing the standards and protocols used in the process.

The article also highlights the risks and challenges associated with CAs, such as certificate mis- issuance and compromise, and explores the various measures that can be taken to mitigate these risks. Additionally, the article discusses the impact of emerging technologies and the role of CAs in online security.

Overall, this article provides a comprehensive and up-to-date overview of the critical role played by Certifying Authorities in online security. The article is a valuable resource for anyone seeking to understand the technical and practical aspects of certificate management and the broader implications of CAs for online security.

Keywords: Certifying Authorities, digital certificates, online security, encryption, certificate management, certificate revocation, certificate mis-issuance, certificate compromise.

Introduction:

The IT Act accommodates the Controller of Certifying Authorities(CCA) to permit and direct the working of Certifying Authorities. The Certifying Authorities (CAs) issue computerized signature testaments for electronic confirmation of clients. The Controller of Certifying Authorities (CCA) has been named by the Central Government under Section 17 of the Act for reasons for the IT Act. The Office of the CCA appeared on November 1, 2000.[1] (“Role of Certifying Authorities under IT Act 2000 - LawBhoomi”) It targets advancing the development of E-Commerce and E-Governance through the wide utilization of computerized marks.

The Controller of Certifying Authorities (CCA) has set up the Root Certifying Authority (RCAI) of India under segment 18(b) of the IT Act to carefully sign the open keys of Certifying Authorities (CA) in the nation. The RCAI is worked according to the gauges set down under the Act. The CCA guarantees the open keys of CAs utilizing its own private key, which empowers clients in the internet to confirm that a given testament is given by an authorized CA. For this reason it works, the Root Certifying Authority of India (RCAI). The CCA likewise keeps up the Repository of Digital Certificates, which contains all the authentications gave to the CAs in the nation[2] (“Role of Certifying Authorities under IT Act 2000 - LawBhoomi”)

Certifying authorities (CAs) play a crucial role in ensuring secure online communication. A certifying authority is a trusted third-party organization that verifies the identity of parties involved in online transactions and issues digital certificates that can be used to establish secure connections. In this article, we'll explore what certifying authorities are, how they work, and the different types of certifying authorities.

In today's world, where most of our lives have shifted online, it has become essential to ensure the security and authenticity of our online interactions. One of the ways this is achieved is through the use of digital certificates issued by Certifying Authorities (CAs).

Certifying Authorities are entities that issue digital certificates to individuals, organizations, and devices, confirming their identity and providing a secure way to transmit information over the internet. These certificates contain information such as the name of the certificate holder, the name of the CA issuing the certificate, the digital signature of the CA, and a unique serial number.

CAs play a vital role in the security of online communications as they act as trusted third parties that verify the identity of certificate holders. They use a public key infrastructure (PKI) to issue certificates and manage the digital signatures used to verify the authenticity of those certificates. This allows for secure communication and e-commerce transactions.

To become a Certifying Authority, an entity must go through a rigorous process of accreditation and certification by an industry-recognized authority. This ensures that CAs meet strict security and operational standards and are capable of providing a secure and reliable service to their customers.

What are Certifying Authorities?

Certifying authorities (CAs) are trusted organizations that issue digital certificates to individuals, organizations, and other entities. A digital certificate is an electronic document that contains information about the identity of the certificate holder, such as their name, address, and public key.[3] (“What is a Digital Certificate? - The Security Buddy”) Digital certificates are used to establish secure connections between parties in online transactions. They are also used to verify the authenticity of digital documents and email messages.

Certifying authorities play a critical role in the security of online communication. They provide a trusted third-party service that verifies the identity of parties involved in online transactions. Without the services of a certifying authority, it would be difficult to establish trust in online communication. A certifying authority helps ensure that online transactions are secure, reliable, and authentic.

How do Certifying Authorities Work?

Certifying authorities work by issuing digital certificates to individuals, organizations, and other entities. The process of issuing a digital certificate involves verifying the identity of the certificate holder. This process typically involves a series of steps, including identity verification, certificate issuance, and certificate revocation.

To obtain a digital certificate, the certificate holder must first provide the certifying authority with proof of their identity. This may involve providing a government-issued ID, such as a passport or driver's license. The certifying authority will then verify the identity of the certificate holder, typically using a variety of methods, including in-person verification, document review, and database checks.

Once the certifying authority has verified the identity of the certificate holder, they will issue a digital certificate. The digital certificate will contain information about the identity of the certificate holder, such as their name, address, and public key. The public key is used to establish secure connections between parties in online transactions.

The certifying authority will also maintain a list of revoked certificates. A certificate may be revoked if it is discovered that the certificate holder's identity was not properly verified, or if the certificate holder has engaged in fraudulent or illegal activity. When a certificate is revoked, it is added to a list of revoked certificates maintained by the certifying authority. This helps ensure that revoked certificates are not used to establish secure connections in online transactions.

Types of Certifying Authorities:

Certifying authorities (CAs) are organizations that issue digital certificates that are used to establish the identity of individuals, websites, and other entities online. The following are the types of certifying authorities:

1. Public CAs: These are commercial entities that are trusted by default by most web browsers and operating systems. Examples of public CAs include DigiCert, GlobalSign, and Comodo.
2. Private CAs: These are CAs that are set up by organizations for internal use. Private CAs are used to issue digital certificates for internal network devices, such as servers and routers.
3. Domain Validated (DV) CAs: These are CAs that issue certificates after verifying that the domain is registered and the applicant has control over it.
4. Organization Validated (OV) CAs: These are CAs that issue certificates after verifying the legal identity and physical existence of the organization.
5. Extended Validation (EV) CAs: These are CAs that issue certificates after conducting a thorough validation process that verifies the legal identity and physical existence of the organization. EV certificates are typically used by e-commerce sites and other websites that handle sensitive information.
6. Government CAs: These are CAs that are operated by government agencies and are used to issue digital certificates for government services, such as tax filings and online voting.
7. Cross-Certifying Authorities: These are CAs that establish trust relationships between different CAs. Cross-certification is used to extend the trust of one CA to another, allowing digital certificates issued by one CA to be accepted by another.

The role of Certifying Authorities (CAs) is critical in ensuring secure online communication. The primary roles of CAs include:

1. Issuing Digital Certificates: The primary role of CAs is to issue digital certificates that are used to authenticate the identity of websites, individuals, and devices. The digital certificate contains information about the entity, such as their name and public key, and is signed by the CA to establish its authenticity.
2. Verifying Identities: CAs are responsible for verifying the identities of entities requesting digital certificates. This involves validating the identity of the entity, ensuring they have the right to use the domain or device, and confirming that the information provided is accurate.
3. Establishing Trust: CAs establish trust between entities by issuing digital certificates. A digital certificate signed by a trusted CA indicates that the identity of the entity has been verified, and the communication is secure.
4. Revoking Certificates: CAs are also responsible for revoking digital certificates in case of a security breach or other issues. When a certificate is revoked, the CA adds it to a Certificate Revocation List (CRL) to ensure that the certificate is no longer trusted.
5. Maintaining Security: CAs play a crucial role in maintaining security by enforcing strict security measures for their infrastructure, personnel, and processes. This includes securing their servers, conducting regular audits, and implementing industry-standard security protocols.

Detailed explanation Types of Certifying Authorities:

There are several types of certifying authorities, including:

Public CAs: Public CAs are commercial entities that issue digital certificates to entities such as websites and individuals. These CAs are widely recognized and trusted by most web browsers and operating systems, and they are responsible for issuing the majority of digital certificates.

Private CAs: Private CAs are established by organizations for internal use. These CAs issue digital certificates to internal network devices, such as servers and routers, to ensure secure communication within the organization.

Domain Validated (DV) CAs: DV CAs issue digital certificates after verifying that the domain is registered and the applicant has control over it. This type of certificate is commonly used by small businesses and personal websites.

Organization Validated (OV) CAs: OV CAs issue digital certificates after verifying the legal identity and physical existence of the organization. This type of certificate is commonly used by larger businesses and e-commerce websites.

Extended Validation (EV) CAs: EV CAs issue digital certificates after conducting a thorough validation process that verifies the legal identity and physical existence of the organization. This type of certificate is commonly used by financial institutions and other organizations that handle sensitive information.

Challenges Facing Certifying Authorities

While CAs play a critical role in ensuring secure online communication, the industry faces several challenges, including:

1. Trust: CAs must maintain trust with their customers by ensuring that their certificates are accurate and up-to-date. Any breach of trust can have severe consequences, such as a loss of business or legal action
2. Security: CAs must ensure that their infrastructure, personnel, and processes are secure to prevent unauthorized access and data breaches. A security breach can lead to a loss of trust and damage to the CA's reputation.
3. Standardization: The industry lacks standardization, making it difficult for entities to choose a CA and for CAs to compete on a level playing field. The lack of standardization also makes it challenging for web browsers and operating systems to verify digital certificates from different CAs.
4. Certificate Revocation: Revoking digital certificates is a critical task that must be handled efficiently and effectively to maintain security. However, revocation can be slow, and some entities may continue to use a revoked certificate, posing a security risk.

Becoming a Certifying Authority

To become a Certifying Authority, an entity must go through a rigorous process of accreditation and certification by an industry-recognized authority. The process includes several steps that verify the entity's identity, capabilities, and security measures.

Firstly, the entity must apply for accreditation with a recognized industry body, such as the WebTrust program, which is managed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). The accreditation process involves an independent audit of the entity's operations, security, and policies. The audit is conducted by an accredited third-party auditor and includes a review of the entity's security policies and procedures, its technical infrastructure, and its business practices.

Once accredited, the entity must then apply for certification with a recognized certification authority, such as the Internet Engineering Task Force (IETF) or the International Organization for Standardization (ISO). The certification process involves a review of the entity's security practices, technical infrastructure, and policies. The certification authority will also verify the entity's identity, ensuring that it is a legally recognized entity that has the authority to issue digital certificates.

Role of Certifying Authorities:

Certificate Authority (CA) is a confided in substance that issues Digital Certificates and open private key sets. The job of the Certificate Authority (CA) is to ensure that the individual allowed the extraordinary authentication is, truth be told, who the individual in question professes to be.

The Certificate Authority (CA) checks that the proprietor of the declaration is who he says he is. A Certificate Authority (CA) can be a confided in outsider which is answerable for genuinely confirming the authenticity of the personality of an individual or association before giving an advanced authentication. A Certificate Authority (CA) can be an outer (open) Certificate Authority (CA) like verisign, thawte or comodo, or an inward (private) Certificate Authority (CA) arranged inside our system. Certificate Authority (CA) is a basic security administration in a system. A Certificate Authority (CA) plays out the accompanying capacities. A Controller plays out a few or the entirety of the following roles:

1. "Administer the exercises of the Certifying Authorities and furthermore confirm their open keys."[4] (“Role of Certifying Authorities under IT Act 2000 - LawBhoomi”)
2. Set out the guidelines that the Certifying Authorities follow.
3. Determine the accompanying capabilities and furthermore experience necessities of the workers of all Certifying Authorities conditions that the Certifying Authorities must follow for directing business the substance of the printed, composed, and furthermore visual materials and ads in regard of the advanced mark and the open key the structure and substance of an advanced mark declaration and the key the structure and way where the Certifying Authorities look after records terms and conditions for the arrangement of examiners and their compensation.
4. "Encourage the Certifying Authority to set up an electronic framework, either exclusively or together with other Certifying Authorities and its guideline."[5] (“Role of Certifying Authorities under IT Act 2000 - LawBhoomi”)
5. "Indicate the way where the Certifying Authorities manage the endorsers." [6](“Role of Certifying Authorities under IT Act 2000 - LawBhoomi”)
6. "Resolve any irreconcilable situation between the Certifying Authorities and the endorsers." [7](“Role of Certifying Authorities under IT Act 2000 - LawBhoomi”)
7. Set out the obligations of the Certifying Authorities.
8. Keep up a database containing the revelation record of each Certifying Authority with all the subtleties according to guidelines. Further, this database is open to the general population.

Certificate Authority (CA) Verifies the personality: The Certificate Authority (CA) must approve the character of the element who mentioned a computerized authentication before giving it. Certificate Authority (CA) issues computerized testaments: Once the approval procedure is finished, the Certificate Authority (CA) gives the advanced authentication to the element who requested it. Computerized declarations can be utilized for encryption (Example: Encrypting web traffic), code marking, authentication and so on. Certificate Authority (CA) keeps up Certificate Revocation List (CRL): The Certificate Authority (CA) keeps up Certificate Revocation List (CRL).

"An authentication repudiation list (CRL) is a rundown of computerized testaments which are not, at this point legitimate and have been disavowed and subsequently ought not be depended by anybody."[8] (“Role of Certifying Authorities under IT Act 2000 - LawBhoomi”) A Certificate Authority (CA) is a selective element which issues and signs SSL endorsements, confirming and guaranteeing the reliability of their proprietors. All CAs are individuals from the CA/B Forum (Certificate Authority and Browser Forum), being subjects to industry guidelines, principles, and prerequisites, and are every year examined to guarantee their consistence. The CA is a basic component when talking about SSL Certificates. The CA recognizes and verifies the character of the SSL Certificate’s proprietor when giving and marking the SSL Certificate. In view of the SSL Certificate’s sort, the CA completely checks the candidate’s area name, business and individual data, and different qualifications before giving the testament.

Information Technology, Act 200

The Information Technology Act, 2000 was enacted by the Indian Parliament in 2000. "It is the primary law in India for matters related to cybercrime and e-commerce."[9] (“Information Technology Act, 2000 - BYJU'S”) The act was enacted to give legal sanction to electronic commerce and electronic transactions, to enable e-governance, and also to prevent cybercrime.

Background of IT Act,2000:

"The United Nations Commission on International Trade Law in 1996 adopted a model law on e-commerce and digital intricacies."[10] (“Information Technology Act, 2000 - iPleaders”) It also made it compulsory for every country to have its own laws on e-commerce and cybercrimes. In order to protect the data of citizens and the government, the Act was passed in 2000, making India the 12th country in the world to pass legislation for cyber-crimes. "It is also called the IT Act and provides the legal framework to protect data related to e-commerce and digital signatures." [11](“Information Technology Act, 2000 - iPleaders”) It was further amended in 2008 and 2018 to meet the needs of society. "The Act also defines the powers of intermediaries and their limitations."[12] (“Information Technology Act, 2000 - iPleaders”)

Certifying authorities:

"As per Section 18 of The Information Technology Act, 2000 provides the required legal sanctity to the digital signatures based on asymmetric cryptosystems." [13](“About CCA | CCA”) The digital signatures are now accepted at par with handwritten signatures and the electronic documents that have been digitally signed are treated at par with paper documents.

The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users.[14] (“Certifying Authorities - Indian Cyber Security”)

Appointment of Controller:

Section 17 talks about the appointment of the controller, deputy controllers, assistant controllers, and other employees of certifying authorities. The deputy controllers and assistant controllers are under the control of the controller and perform the functions as specified by him. The term, qualifications, experience and conditions of service of the Controller of certifying authorities will be determined by the Central Government. It will also decide the place of the head office of the Controller.

Functions of the Controller:

According to Section 18, the following are the functions of the Controller of certifying authority:

1. He supervises all the activities of certifying authorities.
2. Public keys are certified by him.
3. He lays down the rules and standards to be followed by certifying authorities.
4. He specifies the qualifications and experience required to become an employee of a certifying authority.
5. He specifies the procedure to be followed in maintaining the accounts of authority.
6. He determines the terms and conditions of the appointment of auditors.
7. He supervises the conduct of businesses and dealings of the authorities.
8. He facilitates the establishment of an electronic system jointly or solely.
9. He maintains all the particulars of the certifying authorities and specifies the duties of the officers.
10. He has to resolve any kind of conflict between the authorities and subscribers.
11. All information and official documents issued by the authorities must bear the seal of the office of the Controller.

License for electronic signatures:

It is necessary to obtain a license certificate in order to issue an electronic signature. "Section 21 of the Act provides that any such license can be obtained by making an application to the controller who, after considering all the documents, decides either to accept or reject the application."[15] (“Information Technology Act, 2000 - iPleaders”) The license issued is valid for the term as prescribed by the central government and is transferable and heritable. It is regulated by terms and conditions provided by the government.

According to Section 22 of the Act, an application must fulfill the following requirements:

1. A certificate of practice statement.
2. Identity proof of the applicant.
3. Fees of Rupees 25,000 must be paid.
4. Any other document as specified by the central government.

The license can be renewed by making an application before 45 days from the expiry of the license along with payment of fees, i.e., Rupees 25000. (Section 23)

"Any license can be suspended on the grounds specified in Section 24 of the Act."[16] (“Information Technology Act, 2000 - iPleaders”) However, no certifying authority can suspend the license without giving the applicant a reasonable opportunity to be heard. The grounds of suspension are:

1. The applicant makes a false application for renewal with false and fabricated information.
2. Failure to comply with the terms and conditions of the license.
3. A person fails to comply with the provisions of the Act.
4. He did not follow the procedure given in Section 30 of the Act.

The notice of suspension of any such license must be published by the Controller in his maintained records and data.

Powers of certifying authorities:

Following are the powers and functions of certifying authorities:

1. Every such authority must use hardware that is free from any kind of intrusion. (Section 30)
2. It must adhere to security procedures to ensure the privacy of electronic signatures.
3. "It must publish information related to its practice, electronic certificates and the status of these certificates."[17] (“Information Technology Act, 2000 - iPleaders”)
4. It must be reliable in its work.
5. The authority has the power to issue electronic certificates. (Section 35)
6. The authority has to issue a digital signature certificate and certify that:
   • The subscriber owns a private key along with a public key as given in the certificate.
   • The key can make a digital signature and can be verified.
   • All the information given by subscribers is accurate and reliable.
7. The authorities can suspend the certificate of digital signature for not more than 15 days. (Section 37)
8. According to Section 38, a certificate can be revoked by the authorities on the following grounds:
   • If the subscriber himself makes such an application.
   • If he dies.
   • In case, the subscriber is a company then on the winding up of the company, the certificate is             revoked.

Conclusion:

This article will explore the role of CAs in securing online communications and transactions. It will examine the processes involved in becoming a CA, the types of certificates issued, and the different levels of trust and verification associated with each type of certificate.

In conclusion, Certifying Authorities play a crucial role in securing online communication and transactions. They provide digital certificates that verify the identity of the certificate holder and ensure the integrity of online transactions. To ensure the security and reliability of these certificates, it is important to use trusted CAs and to verify the digital signature of certificates before trusting them.

X-X-X-X-X-X-X

[1] Role of Certifying Authorities under IT Act 2000 - LawBhoomi, https://lawbhoomi.com/role-of-certifying- authorities-under-it-act-2000/.

[2] Role of Certifying Authorities under IT Act 2000 - LawBhoomi, https://lawbhoomi.com/role-of-certifying- authorities-under-it-act-2000/.

[3] What is a Digital Certificate? - The Security Buddy, https://www.thesecuritybuddy.com/encryption/what-is-a- digital-certificate/.

[4] Role of Certifying Authorities under IT Act 2000 - LawBhoomi, https://lawbhoomi.com/role-of-certifying- authorities-under-it-act-2000/.

[5] Role of Certifying Authorities under IT Act 2000 - LawBhoomi, https://lawbhoomi.com/role-of-certifying- authorities-under-it-act-2000/.

[6] Role of Certifying Authorities under IT Act 2000 - LawBhoomi, https://lawbhoomi.com/role-of-certifying- authorities-under-it-act-2000/.

[7] Role of Certifying Authorities under IT Act 2000 - LawBhoomi, https://lawbhoomi.com/role-of-certifying- authorities-under-it-act-2000/.

[8] Role of Certifying Authorities under IT Act 2000 - LawBhoomi, https://lawbhoomi.com/role-of-certifying- authorities-under-it-act-2000/.

[9] Information Technology Act, 2000 - BYJU'S, https://byjus.com/free-ias-prep/information-technology-act- 2000/.

[10] Information Technology Act, 2000 - iPleaders, https://blog.ipleaders.in/information-technology-act-2000/.

[11] Information Technology Act, 2000 - iPleaders, https://blog.ipleaders.in/information-technology-act-2000/.

[12] Information Technology Act, 2000 - iPleaders, https://blog.ipleaders.in/information-technology-act-2000/.

[13] About CCA | CCA, https://cca.gov.in/about.html.

[14] Certifying Authorities - Indian Cyber Security, https://www.indiancybersecurity.com/certifying_authorities.php.

[15] Information Technology Act, 2000 - iPleaders, https://blog.ipleaders.in/information-technology-act-2000/.

[16] Information Technology Act, 2000 - iPleaders, https://blog.ipleaders.in/information-technology-act-2000/.

[17] Information Technology Act, 2000 - iPleaders, https://blog.ipleaders.in/information-technology-act-2000/.