Tata Group
 
 

More on certifying authorities

Subramaniam Vutha*

Subramaniam Vutha sums up his review of the Information Technology Act and the rules relating to certifying authorities – and raises some points we all need to ponder

To complete the review of the Information Technology Act and the certifying authorities rules, here are some thoughts:

Licensing of certifying authorities:
Firstly, Rule 8, which prescribes that no company in which the equity share capital held in the aggregate by non-resident Indians, foreign institutional investors or foreign companies exceeds 49 per cent shall be eligible for the grant of licence, appears to run against Indian interests. Non-resident Indians and foreign companies can bring in valuable proprietary technology, methodologies and practices. Without a controlling interest, such entities may be reluctant to do so.

Further, cross-licensing and collaborative arrangements between Indian and foreign certifying authorities will become increasingly crucial. Therefore, such restrictions on foreign investment may be counterproductive. It may be advisable to allow higher foreign equity investments, at the very least on a reciprocal basis.

Secondly, in the proviso to section 8b(ii), which precludes such non-resident or foreign investment beyond 49 per cent of the CA's equity, there is no reference to a foreign individual, which appears to be an oversight.

Issue: What benefits / risks do you see from open entry for foreign CAs?

Secure records and secure digital signatures:
The Act provides for heightened evidentiary value for secure records and secure digital signatures. Section 85B of the Indian Evidence Act has been amended by the IT Act to provide that the court shall presume, unless the contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates, i.e., since the prescribed secure procedure has been applied.

In the case of a secure digital signature, section 85B of the Indian Evidence Act provides that the court shall presume, unless the contrary is proved, that the secure digital signature was affixed with the intention of signing or approving the electronic record. The section also indicates that there shall be no presumption relating to the authenticity and integrity of a digital signature except where it is a secure digital signature.

As distinct from such a secure electronic record or secure digital signature, section 67A of the Indian Evidence Act provides for proof as to a digital signature, and section 73A prescribes the method by which such a digital signature may be proved. From a practical point of view, proving a digital signature or electronic record may present significant difficulties until the legal system becomes familiar with these terms. Therefore, it would be in the interest of people seeking to conclude electronic contracts to rely on the heightened evidentiary value attributable to secure electronic records and secure digital signatures, by using the prescribed procedures.

Digital signature certificate:
The Certifying Authorities Rules prescribe the X.509 format, as defined in the ITU recommendations, for digital signature certificates.

The X.509 digital signature certificate can either be a version 2 or version 3 but the rules prescribe version 3, which is superior.

Version 3 provides for extensions, i.e. additional information, which is not possible in version 2. That is to say, in addition to the name of the certificate holder, her public key, the digital signature of the CA and so on, the version 3 digital signature certificate permits additional information such as the email ID of the CA and the certificate holder, or templates of the certificate holder’s photograph or thumb impression. Thus, version 3 permits better security features.
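To make the version and extension fields concrete, the following Python code is an added illustration (it is not part of the original article or of the Certifying Authorities Rules): it walks the DER encoding of a certificate body, reads the version, lists the extensions, and rejects extensions in anything other than a version 3 certificate. The helper names, the `holder@example.test` address and the cut-down sample structure are assumptions constructed for the example.

```python
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):                         # split a constructed element into (tag, content)
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                    # high bit clear ends the current arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def inspect_tbs(tbs_der):
    """Return (version, {extension OID: extnValue bytes}) for a DER TBSCertificate."""
    tag, body, _ = read_tlv(tbs_der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    version, extensions = 1, {}                # the version field defaults to v1 when absent
    for tag, content in children(body):
        if tag == 0xA0:                        # [0] EXPLICIT INTEGER: 0 = v1, 1 = v2, 2 = v3
            version = int.from_bytes(read_tlv(content, 0)[1], "big") + 1
        elif tag == 0xA3:                      # [3] EXPLICIT SEQUENCE OF Extension
            for _, ext in children(read_tlv(content, 0)[1]):
                parts = children(ext)          # extnID, optional critical flag, extnValue
                extensions[decode_oid(parts[0][1])] = parts[-1][1]
    if extensions and version != 3:
        raise ValueError("extensions are only permitted in a version 3 certificate")
    return version, extensions

def tlv(tag, content):                         # short-form DER encoder for the sample (< 128 bytes)
    return bytes([tag, len(content)]) + content

# Constructed sample, not a real certificate: version, serial, one subjectAltName (2.5.29.17).
EMAIL = b"holder@example.test"
SAN = tlv(0x30, tlv(0x06, b"\x55\x1d\x11") + tlv(0x04, tlv(0x30, tlv(0x81, EMAIL))))  # rfc822Name
def sample_tbs(ver):                           # ver is the encoded field: 1 means v2, 2 means v3
    return tlv(0x30, tlv(0xA0, tlv(0x02, bytes([ver]))) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, SAN)))
```

Calling `inspect_tbs(sample_tbs(2))` returns version 3 with the subjectAltName extension, while `inspect_tbs(sample_tbs(1))` raises because the same extension sits in a version 2 structure.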

Issue: What additional information should be made mandatory?

Certifying authority policies:
Just as the transition from ground transport to air transport brought in the need for new regulations, standards and laws, such as air safety regulations, flight path regulations, air traffic control regulations and so on, the advent of electronic commerce will bring on several new regulations, guidelines and standards, which would have to be strictly adopted and enforced. Similarly, just as air transport extended the reach, safety and convenience of travel and transport, electronic commerce will do the same for trade and commerce. But there is an expanded responsibility to create, adopt and enforce various policies and procedures if certifying authorities are to establish themselves as trusted intermediaries in electronic commerce.

Some of the policies, which CAs must create and follow, are:

  • Community and application policy which deals with the communities (either geographic market segment or otherwise) which the CA agrees to serve
  • Identifying or authentication policies which set out the procedures and methodologies for identifying applicants for digital signature certificates
  • Key management policies which deal with the security and use of the CA’s own keys, how these are generated and the restrictions on their use
  • Local security policies which govern physical access control, personal credential checking, storage and back-up of records and so on
  • Operational policies which deal with the generation, issue, revocation and suspension of the digital signature certificates
  • Certification and revocation policies to set out how the CA will certify and / or revoke digital signature certificates and how versions of these will be created and issued from time to time

Therefore, considerable discipline will have to be exercised by certifying authorities, subscribers and users of digital service if electronic commerce is to flourish.

Issue: Do you believe CAs should be more extensively regulated? If so, why? What about greater self-regulation?

Please send in your queries and comments to Y. Lobo at yolynd.lobo@tatainfotech.com

About the author

Subramaniam Vutha is senior vice president (secretarial & legal) with Tata Infotech Ltd, Mumbai. A graduate in commerce and post-graduate in law, Subramaniam is a member and Indian correspondent for the International Bulletin of the Computer Law Association's magazine, and a contributor to the World Internet Law Report, a publication of BNA International Inc., London. He was recently invited to join their advisory board.

He is also a speaker and contributor on intellectual property rights, e-commerce and information technology law issues, and a member of the Confederation of Indian Industries’ working group on TRIPS (Agreement on Trade-Related Aspects of Intellectual Property Rights).
