Public-Key Cryptography Digital Signature Rules, 2000

PART I

1.Definitions 

For purposes of these rules, and unless the context expressly indicates otherwise: 

(1)“Act” shall mean the Electronic Commerce Act, 1999; 

(2) "affixing digital signature" with its grammatical variations and cognate expressions means affixing any symbol to an electronic record or adoption of any methodology or procedure by a person for the purpose of authenticating a record by means of electronic or digital methods; 

(3)“approved certifying authorities” means those certifying authorities who have been approved by the Controller to issue certificates for use by public entities or for use in connection with digital signature transactions involving public entities; 

(4)“asymmetric cryptosystem” means a computer algorithm or series of algorithms which utilize two different keys with the following characteristics: 

(a) one key signs a given message; 

(b) one key verifies a given message; and, 

(c) the keys have the property that, knowing one key, it is computationally infeasible to discover the other key; 

(5)“certificate” means a computer-based record which: 

(a) identifies the certification authority issuing it; 

(b) names or identifies its subscriber; 

(c) contains the subscriber's public key; and 

(d) is digitally signed by the certification authority issuing or amending it, and 

(e) conforms to widely-used industry standards; 

(6)“certifying authority” means a person or entity capable of issuing a certificate in respect of electronic transactions, or in the case of certain certification processes, certifies amendments to an existing certificate; 

(7) “controller” means the Controller of Certifying Authorities appointed under sub-section (1) of section 4; 

(8)“digital signature” means a public-key based digital signature; 

(9)“hash function” means an algorithm mapping or translating one sequence of bits into another, generally smaller, set (the hash result) such that a record yields the same hash result every time the algorithm is executed using the same record as input; it is computationally infeasible that a record can be derived or reconstituted from the hash result produced by the algorithm; and it is computationally infeasible that two records can be found that produce the same hash result using the algorithm; 

(10)“key pair” means a private key and its corresponding public key in an asymmetric cryptosystem. The keys have the property that the public key can verify a digital signature that the private key creates; 

(11)“license” means a license granted under Rule 7 of these rules. 

(12)“practice statement” means documentation of the practices, procedures and controls employed by a certification authority; 

(13)“private key” means the key of a key pair used to create a digital signature; 

(14)“proof of identification” means the document or documents required to be presented to an approved certifying authority to establish the identity of a subscriber; 

(15)“public entity” shall mean any ministry or department of the Central Government or the State Government or any authority or body established by or under any law or controlled or funded by the Central or State Government, or any judicial or quasi judicial authority; 

(16)“public key” means the key of a key pair used to verify a digital signature; 

(17)“public-key based digital signature” means a technology for the creation of digital signatures using asymmetric cryptosystem technologies wherein a public key and a private key are utilized to create and verify a digital signature. 

(18)“subscriber” means a person who: 

(a) is the subject listed in a certificate; 

(b) accepts the certificate; and 

(c) holds a private key which corresponds to a public key listed in that certificate. 

2.Terms used in these Rules but not herein defined shall have the same meaning ascribed to such terms in the Act. Terms defined both in these rules as well as in the Act shall, for the purpose of these rules, have the meaning ascribed to them in these rules. 

PART II

STANDARDS FOR PUBLIC KEY CRYPTOGRAPHY 

3.Accepted Technology 

Public-Key Cryptography shall be deemed to be an accepted technology for use by or in connection with any transaction concerning a public entity provided the digital signatures fulfil the following standards: 

(1)The public-key based digital signature shall be unique to the person using it. In this regard a public-key based digital signature may be considered unique to the person using it, if: 

(a) the private key used to create the signature on the document is known only to the signer, and 

(b) the digital signature is created by the transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can determine whether the transformation was created using the private key that corresponds to the signer’s public key, and whether the initial electronic record has been altered since the transformation was made; 

(c) the signer is capable of being issued a certificate to certify that he or she controls the key pair used to create the digital signature, and 

(d) it is computationally infeasible to derive the private key from knowledge of the public key. 

(2)A public-key based digital signature shall be capable of verification. In this regard a public-key based digital signature shall be deemed to be capable of verification if the acceptor of the digitally signed document can verify the document was digitally signed by using the signer's public key to decrypt the message. 

(3)A public-key based digital signature shall be capable of being retained under the control of the subscriber, in that the subscriber, by exercising reasonable care, can retain control of the private key and prevent its disclosure to any person not authorized to create the subscriber’s digital signature. 

(4)A public-key based digital signature must be linked to the message of the document in such a way that if the data are changed, the digital signature is invalidated. 
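The mechanics that definitions (4), (9) and (10) and rule 3 state in prose can be shown in a few lines of code. The Go program below is an added example; it is not part of the Rules and not any certifying authority's software. It uses RSA-PSS over SHA-256 from Go's standard library, and the function names and the sample record are constructed for the illustration. Hash-then-sign is the transformation of rule 3(1)(b), verification with the public key is rule 3(2), and the altered-record check is the linkage rule 3(4) requires. One caveat for practitioners: rule 3(2) describes verification as "decrypting" with the public key, which fits textbook RSA; with a padded scheme such as RSA-PSS, or with non-RSA schemes, verification is a dedicated check rather than a literal decryption, but the acceptor still needs only the record, the signature and the public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignRecord is the "transformation" of rule 3(1)(b): the electronic record is
// first condensed by a hash function (definition (9)), and the hash result is
// then signed with the private key of the asymmetric key pair (definitions (4),
// (10) and (13)). Only the holder of the private key can produce this value.
func SignRecord(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyRecord is the acceptor's check of rule 3(2): given the untransformed
// record and the signer's public key (definition (16)) it decides whether the
// signature was made with the corresponding private key. The hash is recomputed
// from the record presented, so any alteration since signing fails the check,
// which is the linkage rule 3(4) demands.
func VerifyRecord(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome collects the three checks an acceptor relies on for one signed record.
type Outcome struct {
	GenuineAccepted  bool // the unaltered record verifies under the signer's public key
	AlteredRejected  bool // a record changed after signing does not verify
	WrongKeyRejected bool // the signature does not verify under anyone else's public key
}

// Demonstrate signs a record with a freshly generated key pair and exercises
// VerifyRecord against the genuine record, an altered copy and an unrelated key pair.
func Demonstrate(record []byte) (Outcome, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048) // the subscriber's key pair
	if err != nil {
		return Outcome{}, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // somebody else's key pair
	if err != nil {
		return Outcome{}, err
	}
	sig, err := SignRecord(signer, record)
	if err != nil {
		return Outcome{}, err
	}
	altered := append(append([]byte{}, record...), '.') // a single character appended
	return Outcome{
		GenuineAccepted:  VerifyRecord(&signer.PublicKey, record, sig),
		AlteredRejected:  !VerifyRecord(&signer.PublicKey, altered, sig),
		WrongKeyRejected: !VerifyRecord(&other.PublicKey, record, sig),
	}, nil
}

func main() {
	// Constructed sample record; any bytes would do.
	out, err := Demonstrate([]byte("Purchase order 17: 100 units at Rs 500 each"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out) // all three fields are true
}
```

The wrong-key case is the practical face of definition (4)(c): possession of a public key gives the verifier nothing with which to produce signatures, which is why a certificate may carry it openly while rule 30 puts the whole duty of care on the private key.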

PART III

REGULATION OF CERTIFYING AUTHORITIES 

4.Appointment of Controller and other officers 

(1)The Central Government may by notification in the Official Gazette appoint a Controller of Certifying Authorities for the purposes of these rules and may also by the same or subsequent notification appoint such number of deputy controllers and assistant controllers as it deems fit. 

(2)The Controller shall discharge his functions under these rules subject to the general control and directions of the Central Government. 

(3)The deputy controllers and assistant controllers shall perform the functions assigned to them by the Controller under the general superintendence and control of the Controller. 


5.Standards for approved certifying authorities
The Controller shall not recognize any certifying authority registered as a legal entity under the laws of India as being an approved certifying authority unless such certifying authority fulfils the following standards: 

(a) the certifying authority consistently utilises accepted technologies of accepted technological standards; 

(b) the certifying authority utilises appropriate computer security systems; 

(c) the certifying authority utilises hardware, software and procedures that are reasonably secure from intrusion and misuse; 

(d) the certifying authority provides a reasonable level of reliability in its services, which are reasonably suited to performing their intended functions; 

(e) the certifying authority adheres to security procedures to ensure that the secrecy and privacy of the digital signature are assured; and 

(f) the operations of the certifying authority satisfy such other standards as may be prescribed by the Central Government. 

6.License to issue certificates 

(1)Any certifying authority who fulfils the standards set out in Section 6 and any other regulations that the Central Government may prescribe in this regard may make an application, to the Controller,- 

(a) in such form; 

(b) along with the payment of such fees, not exceeding twenty-five thousand rupees; 

(c) along with a certification practice statement; 

(d) along with a certificate stating the practice proposed to be adopted by the certifying authority in identifying applicants for certificates; and 

(e) such other documents as may be prescribed by the Central Government; 

for a license to issue certificates. 

(2)The Controller may, on receipt of an application under sub-section (1), after considering the documents accompanying the application and such other factors as he deems fit, issue the license and recognize the certifying authority as an approved certifying authority, or reject the application. Provided that no application shall be rejected under this sub-section unless the applicant has been given a reasonable opportunity of presenting his case. 

(3)A license granted under this section shall be,- 

(a) valid for such period; 

(b) subject to such terms and conditions, 

as may be specified by regulations. 


7.Renewal of license
An application for renewal of a license shall be,- 

(a) in such form; 

(b) accompanied by such fees, not exceeding five thousand rupees, as may be prescribed by the Central Government; and 

(c) made not less than forty-five days before the date of expiry of the period of validity of the license. 

Provided that an application for the renewal of the license made not more than forty-five days after the expiry of the license may be entertained on payment of such late fees, not exceeding one thousand rupees, as the Controller may prescribe. No application for renewal of the license shall be entertained if made after forty-five days from the date of expiry of the license. 


8.Procedure for rejection of renewal of license
No application for the renewal of a license shall be rejected unless - 

(a) the holder of such license has been given a reasonable opportunity of presenting his case; and 

(b) the Controller is satisfied that - 

(i) any statement made by the applicant at the time of issue or renewal of the license was, or has subsequently been proved to be, incorrect or false in material particulars; 

(ii) the applicant has contravened any terms or conditions of the license or any provisions of this Act, or any rule or order made there under. 


9.Suspension and revocation of license
(1)The Controller may, if he has reasonable cause to believe that an approved certifying authority,- 

(a) has made a statement in, or in relation to, any application for the issue or renewal of a license, which was or has subsequently proved to be incorrect or false in material particulars; or 

(b) has contravened any provisions of these rules, or any regulation or orders made there under, 

suspend such license pending the completion of any inquiry ordered by him. Provided that no license shall be suspended for a period exceeding ten days unless the holder thereof has been given a reasonable opportunity of showing cause against the proposed action. 

(2)No approved certifying authority whose license has been suspended shall issue any certificate during the period of such suspension. 

(3)The Controller may, if he is satisfied after making such inquiry as he may think fit that an approved certifying authority has,- 

(a) made a statement in, or in relation to, any application for the issue or renewal of the license, which is incorrect or false in material particulars; 

(b) failed to comply with the terms and conditions subject to which the license was granted; 

(c) failed to maintain the standards specified under rule 5 of these rules; 

(d) has contravened any provisions of these rules, or any regulation or order made there under, 

revoke the license. Provided that no license shall be revoked unless the holder thereof has been given a reasonable opportunity of showing cause against the proposed action. 


10.Notice of suspension or revocation of license
Where the license of any approved certifying authority is suspended or revoked, the Controller shall issue a signed notice of the suspension or revocation as the case may be, for publication in all the repositories, websites or other electronically accessible locations where the certificate is published. 


11.Disclosure
(1)Every approved certifying authority shall disclose - 

(a) a certificate which contains the public key corresponding to the private key used by that approved certifying authority to digitally sign certificates issued by such approved certifying authority; 

(b) any certification practice statement relevant thereto; 

(c) notice of the revocation or suspension of its approved certifying authority license if any; and 

(d) any other fact that materially and adversely affects either the reliability of a certificate, which that approved certifying authority has issued, or the approved certifying authority’s ability to perform its services. 

(2)Where in the opinion of the approved certifying authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which its certificate was granted, then, the approved certifying authority shall - 

(a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or 

(b) act in accordance with procedures specified in its certification practice statement to deal with such event or situation. 


12.Recognition of foreign certifying authorities
The Controller may with the previous approval of the Central Government, by notification in the Official Gazette, recognise any certifying authority who is not registered as a legal entity under the laws of India as an approved certifying authority under these rules, subject to such conditions and restrictions as it may by regulation deem fit to impose. 


13.Only approved certifying authorities to issue certain certificates
No certificate issued for use by a public entity or in connection with any transaction concerning a public entity shall be valid or binding on the public entity unless issued by an approved certifying authority. 

14.Notwithstanding anything contained herein, an approved certifying authority shall be free to issue certificates for use by persons who are not public entities or in respect of any transactions that are not related to public entities and no such certificate shall be subject to these rules or deemed to have been issued under these rules. Furthermore, a certifying authority, not being an approved certifying authority, shall be free to issue certificates for use by persons who are not public entities or otherwise than in connection with a transaction related to public entities, and any certificates so issued shall not be subject to these rules or deemed to have been issued under these rules. 

15.Approved certifying authority to ensure compliance of the Act, etc. 

Every approved certifying authority shall ensure that every person employed by him complies, in the course of his employment, with the provisions of these rules, or any regulation or order made there under. 


16.Power to delegate
The Controller may in writing authorise the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Part. 


PART IV

POWERS AND FUNCTIONS OF THE CONTROLLER

17.Functions of Controller
The Controller may perform all or any of the following functions, namely:- 

(a) exercise supervision over the activities of certifying authorities; 

(b) lay down the standards to be maintained by certifying authorities; 

(c) specify the qualifications and experience which employees of the certifying authority should possess; 

(d) specify the conditions subject to which the certifying authority shall conduct its business; 

(e) specify the content of written, printed or visual material and advertisements that may be distributed or used in respect of a certificate and key; 

(f) specify the form and content of a certificate and key; 

(g) specify the form and manner in which accounts shall be maintained by the certifying authorities; 

(h) specify the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them; 

(i) facilitate the establishment of any electronic system by the certifying authority either solely or jointly with other certifying authorities and regulation of such systems; 

(j) specify the manner in which a certifying authority shall conduct his dealings with his subscribers; 

(k) resolve the conflict of interests involving the certifying authority and its subscribers; 

(l) lay down the duties of a holder of a license to his subscribers with respect to certificates; 

(m) maintain a database containing the disclosure record of every certifying authority containing such particulars as may be specified by regulations, which shall be accessible to the public. 


18.Controller to act as repository
(1)The Controller shall be the repository of all certificates issued under these rules. 

(2) The Controller shall: 

(a) utilise computer security systems; 

(b) utilise hardware, software and procedures that are reasonably secure from intrusion and misuse; 

(c) adhere to security procedures to ensure that the secrecy and privacy of the digital signature are assured; and 

(d) satisfy such other standards as may be prescribed by the Central Government, 

to ensure that the secrecy and security of the certificates and associated digital signatures are assured. 

(3) The Controller shall maintain a computerised database of all public keys issued by approved certifying authorities for use by a public entity or in connection with any transaction with a public entity. 

(4) The Controller shall make available by publication on a web site or through any other electronic method freely accessible by the public, the public keys issued under these rules. 


19.Power of the Controller to give directions 

(1)The Controller may by order direct an approved certifying authority or any employee of such approved certifying authority to take such measures or stop carrying on such activities as are specified in the order if they are necessary to ensure compliance with the provisions of this Act or any regulations made there under. 

(2)Any person who fails to comply with any order under sub-section (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding rupees two lakhs or to imprisonment for a term not exceeding 3 years or to both. 


20.Directions to assist in decryption
(1)If the Controller is satisfied that it is necessary or expedient so to do in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order, or for preventing incitement to the commission of a cognizable offence, he may, for reasons to be recorded in writing, by order, direct any agency of the appropriate government to intercept any information transmitted through the computer resource. 

(2)The subscriber shall when called upon by any agency which has been directed under sub-rule (1), extend all facilities and technical assistance to decrypt the information. 

(3)Any person who fails to assist under sub-rule (2) shall be punished with an imprisonment for a term, which may extend to seven years. 


21.Power to investigate contraventions
(1)The Controller or any officer authorised by him in this behalf shall take up for investigation any contravention of the provisions of these rules or any regulations made there under. 

(2)The Controller or any officer authorised by him in this behalf shall exercise the like powers which are conferred on Income-tax authorities under Chapter XIII of the Income-tax Act, 1961 and shall exercise such powers, subject to such limitations laid down under that Act. 


22.Access to computers and data
(1)Without prejudice to the provisions of sub-rule (2) of rule 21, the Controller or any person authorised by him shall, if he has reasonable cause to suspect that any contravention of the provisions of these rules or regulations made there under has been committed, have access to any computer system, any apparatus, data or any other material connected with such system for the purpose of searching or causing a search to be made for obtaining any information or data contained in or available to such computer system. 

(2)For the purposes of sub-rule (1) the Controller or any person authorised by him may by order, direct any person having charge of, or otherwise concerned with the operation of, the computer system, data apparatus or material, to provide him with such reasonable technical and other assistance as he may consider necessary. 


PART V

CERTIFICATES 


23.Issue of certificates by an approved certifying authority
(1)Any person may make an application to an approved certifying authority for the issue of a certificate in such form as may be prescribed by the Central Government. 

(2)Every such application shall be accompanied by the proof of identification required by the approved certifying authority as stated in his certification practice statement along with such fee not exceeding Rupees Two Thousand per annum as may be prescribed by the Central Government, to be paid to the approved certifying authority. 

Provided that while prescribing fees under sub-rule (2) different fees may be prescribed for different classes of applicants. 

(3)On receipt of an application under sub-rule (1) and after conducting the appropriate investigation of the proof of identification of the subscriber and making such inquiries as it may deem fit, the approved certifying authority may grant the certificate or for reasons to be recorded in writing reject the application: 

Provided that no certificate shall be granted unless the approved certifying authority is satisfied that - 

(a) the applicant holds the private key corresponding to the public key to be listed in the certificate; 

(b) the applicant holds a private key which is capable of creating a digital signature; and 

(c) the public key to be listed in the certificate can be used to verify the digital signature affixed by the private key held by the applicant. 


24.Generating key pair
The approved certifying authority shall generate the key pair whose public key is to be listed in a certificate issued by the approved certifying authority and accepted by the subscriber, using a secure system. 


25.Representations upon issuance of certificate
An approved certifying authority while issuing a certificate shall certify that - 

(a) it has complied with the provisions of these rules and the regulations made there under; 

(b) it has published the certificate or otherwise made it available to the public and that the subscriber has accepted it; 

(c) the subscriber identified in the certificate holds the private key corresponding to the public key, listed in the certificate; 

(d) the subscriber’s public key and private key constitute a functioning key pair; 

(e) if the accuracy of any information in the certificate is not confirmed then a statement to that effect; and 

(f) it has no knowledge of any material fact, which if it had been included in the certificate would adversely affect the reliability of the representations in sub-rules (a) to (d). 


26.Suspension of Digital Signature Certificate
The approved certifying authority which has issued a certificate may suspend that certificate, on receipt of a request to that effect from a person whom the approved certifying authority has verified to be - 

(a) the subscriber listed in the certificate; or 

(b) the person duly authorised to act on behalf of that subscriber if the approved certifying authority is of the opinion that the certificate should be suspended in the public interest: 

Provided that no such certificate shall be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter. 


27.Revocation of a certificate
(1)An approved certifying authority may revoke a certificate issued by it,- 

(a) where the subscriber or any person authorised by him makes a request to that effect; 

(b) upon the death of the subscriber; or 

(c) upon the dissolution of the firm or company, where the subscriber is a firm or a company. 

(2)Without prejudice to the provisions of sub-rule (1), a certifying authority may revoke a certificate which has been issued by it at any time, if it is of the opinion that,- 

(a) a material fact represented in the certificate is false; 

(b) a requirement for issuance of the certificate was not satisfied; 

(c) the approved certifying authority’s private key or security system was compromised in a manner materially affecting the certificate’s reliability; 

(d) the subscriber is declared insolvent or dead or where a subscriber is a firm or a company which has been dissolved, wound-up or otherwise ceased to exist. 

Provided that no such certificate shall be revoked unless the subscriber has been given an opportunity of being heard in the matter. 

(3)On revocation of a certificate under this rule the approved certifying authority shall communicate the same to the subscriber. 


28.Notice of suspension or revocation
(1)Where a certificate is suspended or revoked by an approved certifying authority, the approved certifying authority shall publish a digitally signed notice of the suspension or revocation as the case may be in all the repositories in which the certificate has been published as specified in the certification practice statement of the approved certifying authority. 

(2)Where one or more repositories are specified, the approved certifying authority shall publish the signed notices of the suspension or revocation as the case may be, in all such repositories. 
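Rules 23(3), 25, 28 and 33(1)(c) together describe a certificate's life cycle: the approved certifying authority satisfies itself that the applicant holds the private key before issuing, signs the certificate it issues (definition (5)), publishes a digitally signed notice when it revokes, and a signature created before revocation may still be verified against the revoked certificate. The Go program below is an added example, not from the Rules and not any certifying authority's software, that walks through that cycle with Go's crypto/x509 package; the CA name, the subscriber name, serial numbers, validity periods and revocation times are all constructed. Proof of possession is taken from the self-signature on the certificate request, and the revocation notice is published as a certificate revocation list.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on errors in the constructed setup; the CA's and acceptor's decisions return errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA builds a self-signed certifying-authority certificate under a constructed name; its key
// signs every certificate and every revocation notice it publishes (definition (5)(d), rule 28).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Approved CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// NewApplication is the applicant's side of rule 23(1): a request carrying the public key, signed with the matching private key.
func NewApplication(commonName string) ([]byte, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key)), key
}

// IssueCertificate is the CA's decision under rule 23(3): the request's own signature must verify under
// the public key it carries, the evidence that the applicant holds the private key (23(3)(a) and (c)).
func IssueCertificate(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err) // nothing is issued
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, // names the subscriber (definition (5)(b))
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
	return x509.ParseCertificate(der)
}

// PublishRevocation is the rule 28 notice: a CRL naming the revoked serial and the revocation time, signed by the CA.
func PublishRevocation(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked *x509.Certificate, at time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: at, NextUpdate: at.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: at}},
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// CertificateStatus is the acceptor's check before relying on a signature created at signedAt (assumed
// trustworthy here). Certificate and notice must both be CA-signed; under rule 33(1)(c) a revoked
// certificate still verifies a signature that was created before the revocation.
func CertificateStatus(caCert, leaf *x509.Certificate, crlDER []byte, signedAt time.Time) error {
	if err := leaf.CheckSignatureFrom(caCert); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(caCert)
	}
	if err != nil {
		return fmt.Errorf("revocation notice rejected: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 && !signedAt.Before(rc.RevocationTime) {
			return fmt.Errorf("certificate revoked at %s, before the signature was created", rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	caCert, caKey := NewCA()
	csr, _ := NewApplication("Constructed Subscriber")
	leaf := must(IssueCertificate(caCert, caKey, csr, 2))
	revokedAt := time.Now()
	crl := must(PublishRevocation(caCert, caKey, leaf, revokedAt))
	fmt.Println("signature made before revocation:", CertificateStatus(caCert, leaf, crl, revokedAt.Add(-time.Hour)))
	fmt.Println("signature made after revocation:", CertificateStatus(caCert, leaf, crl, revokedAt.Add(time.Hour)))
}
```

CertificateStatus takes the time the signature was created as an input. In practice that time needs its own evidence, such as a trusted timestamp, because a subscriber whose private key has been compromised cannot be relied on to date signatures honestly; that gap is also why rule 30(2) requires prompt notice of compromise and rule 30(3) suspension on receipt of that notice.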


PART VI

DUTIES OF SUBSCRIBERS

29.Acceptance of a certificate
(1)A subscriber shall be deemed to have accepted a certificate if he publishes or authorises the publication of the certificate - 

(a) to one or more persons; or 

(b) in one or more repositories; or 

(c) otherwise demonstrates his approval of the certificate. 

(2)By accepting a certificate the subscriber certifies to all who reasonably rely on the information contained in the certificate that: 

(a) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate; 

(b) all representations made by the subscriber to the approved certifying authority and all material relevant to the information contained in the certificate are true; and 

(c) all information in the certificate that is within the knowledge of the subscriber is true. 


30.Control of private key
(1)Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his certificate and take all steps to prevent its disclosure to a person not authorised to create the subscriber’s digital signature. 

(2)If the private key corresponding to the public key listed in the certificate has been compromised the subscriber shall communicate the same without any delay to the certifying authority. 

(3)The approved certifying authority shall, on receipt of a communication under sub-rule (2) suspend the certificate. 

PENALTIES 


31.Penalty for misrepresentation
If any person makes any misrepresentation to, or suppresses any material fact from, the Controller or any approved certifying authority for obtaining any license or certificate, as the case may be, he shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. 


32.Breach of confidentiality
Save as otherwise provided in these rules or any other law or regulation for the time being in force, any person who, pursuant to any of the powers conferred under these rules or any regulations made there under, has secured access to any electronic record, book, register, correspondence, information, document or other material and discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. 


33.Penalty for publishing a certificate false in certain particulars
(1)No person shall publish a certificate or otherwise make it available to any other person with the knowledge that- 

(a) the approved certifying authority listed in the certificate has not issued it; or 

(b) the subscriber listed in the certificate has not accepted it; or 

(c) the certificate has been revoked or suspended, unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation. 

(2) Any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. 

34.Penalty for failure to furnish information, return, etc. 

If any person who is required under these rules or any regulations made there under - 

(a) to furnish any document, return or report to the Controller, fails to furnish the same, he shall be liable to a fine not exceeding one lakh and fifty thousand rupees for each such failure; 

(b) to file any return or furnish any information, books or other documents within the time specified therefor in the regulations, fails to do so, he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues; 

(c) to maintain books of accounts or records, fails to maintain the same, he shall be liable to a fine not exceeding ten thousand rupees for every day during which the failure continues. 


35.Offences by companies
(1)Where an offence or contravention under these rules has been committed by a company, every person who at the time the offence or contravention was committed was in charge of, and was responsible to the company for the conduct of the business of the company, as well as the company, shall be deemed to be guilty of the offence or contravention and shall be liable to be proceeded against and punished accordingly. Provided that nothing contained in this sub-section shall render any such person liable to any punishment provided in these rules, if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention. 

(2)Notwithstanding anything contained in sub-section (1), where an offence or contravention under this Act has been committed by a company and it is proved that the offence or contravention has been committed with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the offence or contravention and shall be liable to be proceeded against and punished accordingly. 

Explanation.- For the purposes of this section, - 

(a) “company” means any body corporate and includes a firm or other association of individuals; and 

(b) “director”, in relation to a firm, means a partner in the firm. 


36.Publication for fraudulent purpose
Whoever knowingly creates, publishes or otherwise makes available a certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.