Subramanium Vutha*

In the fifth article of a series on the internet, Subramaniam Vutha discusses the implications of the rules relating to certifying authorities in the new IT Act. We welcome readers' participation in this forum

The Information Technology Act, 2000 was a major step ahead for India. But, it is the rules under the Act which will enable implementation. This article comments on one such set of rules -- The Information Technology (Certifying Authorities) Rules, 2000.

Key Role of CAs
To make e-commerce possible by using encryption measures (public key encryption and digital signatures), the Information Technology Act seeks to create an environment of statutes, rules, regulations and agencies which, together with the physical infrastructure and security devices, will constitute the "Public Key Infrastructure" (PKI).

The certifying authorities (CAs) are key players in public key infrastructure. They will attest to the authenticity of the public keys (PKs) of their subscribers, that is, the persons who wish to engage in e-commerce using digital signatures {DSs} to authenticate their electronic records or transmissions. The certifying authorities will typically provide assurance that the public key provided by or in relation to a person indeed belongs to that person. This is done through the issue of digital signatures to subscribers who apply for such certification.

The Information Technology (CA) Rules
While a full text of the rules is available at www.mit.gov.in, here are some excerpts with some comments and clarifications:

Licensed Certifying Authorities (LCAs)
Licensed certifying authorities are entities licensed by the controller of certifying authorities appointed under the IT Act, with a license to issue digital signatures certificates (DSCs). Unlike certain other countries, such as Singapore, there is no scope in India for unlicensed certifying authorities. In certain countries subscribers will have a choice of seeking digital securities certificates from licensed CAs or going, instead, to unlicensed but reputed CAs for their DSCs.

CAs, the virtual notaries
Several legal commentators have compared the role of the CAs to those of notaries in the physical world. There are great similarities. For example, notaries administer oaths for the purpose of affidavits. They also identify and attest to the identity of signatories of important documents. CAs play a similar role in the cyber world with regard to e-commerce.

Digital signatures (DSs)
Rules 3,4 and 5 describe the role, creation and verification of digital signatures. While these rules are useful for an understanding of digital signatures, it would be more useful to provide diagrams and illustrations to highlight the manner in which digital signatures are created and verified. Even the Indian Contract Act of 1872 uses illustrations to highlight key features of contract law

(For diagrams on how public keys and digital signatures work, please see an earlier article in this forum, Internet effects IV.).

	Individual citizens of India qualify (with a capital of Rs.5 crore). Foreign individuals are barred. This eliminates many non-resident Indians who can bring capital, technology and expertise to this critical component of PKI.
	Companies with more than 49 per cent of the capital held by NRIs and foreign entities are also barred from licensing. This again eliminates successful Indians who reside abroad and who wish to network with their homeland by investing in creation of CAs.
	e-commerce will largely be driven by cross-border trade. Reciprocal openness should, therefore, be the key to growth in India. Even the IT Act recognises this by providing for recognition of foreign certifying authorities. Therefore, such equity restriction may not be in India's best interests.
	Where a firm or company is a specialised CA set up recently, the net worth requirements of the entity may be satisfied by reference to the net worth of the partners or majority shareholders. Such majority shareholders may only transfer their shares as and when the firm or the company itself attains the requisite net worth. Given the need to encourage or at least facilitate mergers, amalgamations and collaborations worldwide, it would be even more useful to permit transfer of the shares by such majority shareholders to equally qualified net worth entities.

Location facilities
Rule 9 provides that the infrastructure associated with the operations and management of DSCs should be installed in India. In an age where IT-enabled services are flowing to India to take advantage of India's trained and educated labour force, there is no need to impose such restrictions. Given the rising dollar costs and the significant customs duties still prevailing, the cost of infrastructure in India is still too high. Therefore, companies should be free to tap into infrastructure abroad (especially in view of collaboration possibilities and the rapid obsolescence of computer systems) so that Indian CAs can get the best of both worlds.

Certification practice statements (CPSs)
The CPS is a statement of how a CA will issue and manage DSCs. It details the standards and obligations a CA will undertake. The CPS will provide not merely the assurance which e-commerce participants will require, but will also provide the necessary quality differentiators for CAs in a competitive market.

Conclusion
In the next article, we will look at cross-certification, security guidelines and possible liability issues for certification authorities.

Please send in your views and comments to yolynd.lobo@tatainfotech.com

He is also a speaker and contributor on intellectual property rights, e-commerce and information technology law issues, and a member of the Confederation of Indian Industries’ working group on TRIPS (Agreement on Trade-Related Aspects of Intellectual Property Rights).