Let's Build a Responsible Cyber Society

Controller of Certifying Authorities

under

ITAA(p)-2005 ...a law for the privileged, by the privileged and to protect the privileged.


Under ITA-2000, the Controller of Certifying Authorities had been envisaged as the "Apex Authority" to manage the Digital Signature System. The Controller was the licensing and monitoring authority for the Certifying Authorities and had quasi-judicial powers. He could investigate contraventions, issue decryption orders, order interception of communication, etc. These powers were intended for monitoring the Certifying Authorities and for issues arising out of the issue of Digital Certificates. Incidentally, the Controller was the "Root Certifying Authority" and was also responsible for maintaining the "Repository of Digital Certificates Issued as well as Revoked". The Controller did not, however, have any authority to adjudicate on cyber crimes.

In the new proposal, the responsibility of being the repository has been removed, while powers have been given to adjudicate on cyber crimes and to admit compositions. The net effect is less responsibility but more power for the Controller.

...Naavi


The office of the Controller of Certifying Authorities (CCA) was conceived with high esteem when the ITA-2000 was drafted. He was looked upon as the "Apex Authority" for the Digital Identity System, just as the SEBI Chairman or the Election Commission are in their respective areas. The appointment was contractual, and the first Controller, Mr K.N. Gupta, was selected after some effort.

When Mr Gupta's term was completed, the Government did not take the trouble to find a replacement from outside and proceeded to appoint one of the senior officials of the department, of Additional Secretary rank, as the CCA, as an additional charge.

By this time NIC had become one of the licensed Certifying Authorities, and since it was a department of the same Ministry, it was considered improper and a cause of conflict of interest for the CCA to also be an official of the same department. However, the Government ignored the objections and proceeded to operate under a CCA who lacked the independent standing envisaged in the Act.

In the proposed amendments, one of the responsibilities of the Controller, namely being the "Repository" of Digital Certificates, has been given up. This responsibility has now been transferred to the respective CAs. It had been cast on the Controller in his role as the sole development authority for the "Digital Identity System" in the country. By giving it up, the CCA has shed an important responsibility envisaged for the Chair.

On the other hand, under the proposed Section 80A, the Controller has taken on the responsibility of being the authority for "Compounding of Offences", including criminal offences. The powers earlier available to the Controller under Section 69 for interception of communication have, however, been taken over by higher officials in the Government.

Thus the Controller's office has been divested of one important responsibility that was necessary for the development of the Digital Signature system, and it has been replaced with the power to sit in judgment on offences that until now rested with the Magistrates... a case of saying No to Responsibility and Yes to Power.

The much-touted hype about Electronic Signatures is nothing but empty noise, since there is for the time being no proper alternative to the Digital Signature. Of course, we cannot rule out the ingenuity of officials in approving even a less-than-ideal authentication system as an approved "Electronic Signature System", which could completely vitiate the "Digital Contract System".

Already, the Ministry had made a mistake in defining "Secured Digital Signature" through an executive notification, according to which a Digital Signature applied using a smart card or a crypto key, where the private key remains outside the system in which the document to be signed resides, was called a "Secured Digital Signature". It had already been pointed out by naavi.org that this introduced an anomaly in the Indian Evidence Act, since Digital Signatures applied through a Security Procedure carried a certain privileged evidentiary value that was not available to ordinary digital signatures. As long as no "Security Procedure" had been separately notified, all Digital Signatures were "Secured Digital Signatures". After the definition, digital signatures applied without the security procedure could no longer claim the privileged evidentiary status under the Indian Evidence Act. This was in effect a weakening of the digital signature system.

Further, no thought was spared for how the producer of a digitally signed electronic document in a Court could prove whether the digital signature had been applied using a secured system or otherwise, without a new class of digital signatures being introduced by the CAs.

Instead of correcting this lacuna, the Expert Committee has gloated over making the law "Technology Neutral" by substituting the word "Electronic" for "Digital" in several places in the Act, without addressing whether any alternative system exists or whether there should be any statutory protection against an untested system being declared an "Approved System".

This is again a demonstration of the "Expert Committee's" lack of perspective on the problem... unless there is a motive which we cannot see. If so, the Controller will have the responsibility to certify and approve "Electronic Systems" that can be used concurrently with the PKI-based digital signature system. What will be the process of such approval? This needs to be notified.

[Will continue]

Naavi

September 1, 2005

Copy of the Amendments