Controller of Certifying Authorities (CCA)
The Information Technology Act, 2000 provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities.
The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users.
As per Section 18, the Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems.
The digital signatures are now accepted at par with handwritten signatures and the electronic documents that have been digitally signed are treated at par with paper documents.
The Controller of Certifying Authorities (CCA) has been appointed by the Central Government under section 17 of the Act for purposes of the IT Act.
The Office of the CCA came into existence on November 1, 2000.
It aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures.
The Controller of Certifying Authorities (CCA) has established the Root Certifying Authority (RCAI) of India under section 18(b) of the IT Act to digitally sign the public keys of Certifying Authorities (CA) in the country.
The RCAI is operated as per the standards laid down under the Act.
The CCA certifies the public keys of CAs using its own private key, which enables users in the cyberspace to verify that a given certificate is issued by a licensed CA.
For this purpose, it operates the Root Certifying Authority of India (RCAI).
The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to the CAs in the country.
Current Issues With SSL
SSL (Secure Sockets Layer) certificates are used to encrypt websites and to make sure that browsers know that a website is not being modified or impersonated by attackers.
Browsers know to trust these certificates if they are issued by a certifying authority that is in turn trusted by a ‘root certifying authority’.
The government operates a root certifying authority that is legally valid under Indian law — the Root Certifying Authority of India, set up in 2000 under the CCA.
But the certificates issued under its purview are largely not recognised by Web browsers.
That is, India does not have a root certifying authority trusted by major browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge.
This leads Indian government and private websites to purchase SSL certificates from foreign certifying authorities.
This follows at least one major security lapse linked to an Indian certifying authority.
One CCA-approved organisation — the National Informatics Centre (NIC), which hosts and maintains several Union and State Government websites — has had a contentious history as far as being trusted by browsers goes.
In July 2014, operating systems such as Windows and web-browser developers for Google Chrome and Firefox stopped trusting India’s CCA in their ‘root store,’ a repository of trusted root certifying authorities, after the NIC appeared to issue fraudulent certificates to websites.
The CCA revoked NIC’s authorisation for issuing most SSL certificates, but operating systems and browsers still do not have RCAI-approved authorities in their trust stores.
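The dependence on the browser's root store described above can be shown with a simplified chain check. This is an added example, not code from the CCA or any browser; it uses the third-party Python `cryptography` package, all certificate names are constructed, and it checks only issuer names, CA flags and signatures (no expiry, revocation or hostname checks).

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a constructed test certificate for subject_key, signed by issuer_key."""
    start = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if issuer is a CA certificate whose key produced cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def chain_trusted(chain, root_store):
    """chain is [leaf, intermediate, ...]; trusted only if it ends at a root in root_store."""
    links_ok = all(signed_by(c, i) for c, i in zip(chain, chain[1:]))
    return links_ok and any(signed_by(chain[-1], root) for root in root_store)

# Constructed hierarchy: root -> licensed CA -> website, plus an unrelated root.
root_key, ca_key, site_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
root = issue("Example Root CA", root_key, "Example Root CA", root_key, True)
licensed_ca = issue("Example Licensed CA", ca_key, "Example Root CA", root_key, True)
site = issue("www.example.test", site_key, "Example Licensed CA", ca_key, False)
other_root = issue("Other Root CA", other_key, "Other Root CA", other_key, True)

print(chain_trusted([site, licensed_ca], [root]))        # root is in the store
print(chain_trusted([site, licensed_ca], [other_root]))  # same chain, root absent
```

The chain is cryptographically identical in both calls; only the contents of the root store change the outcome.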
Recently in news
Cash prizes amounting to ₹3.4 crore are being promised to developers who help create an indigenous Indian Web browser “for the world”, the Ministry of Electronics and Information Technology announced.
An important caveat is that browser ideas entered into this competition will have to trust the Controller of Certifying Authorities (CCA).