Root Certifying Authority of India (CPS)

General Provisions

2.1 CCA Obligations

2.1.1 CCA obligations

2.1.1.1 RCAI shall

  • Operate as an offline Root.
  • Issue License in the form of a certificate to the CAs.
  • Revoke license on a valid request and update CRL within a maximum of 6 hours of the revocation.
  • Issue and publish digital signature certificates for all keys used by Licensed CA and CRLs.
  • Provide accurate information on:
    • CA License information
    • Suspension or revocation of a CA License
    • Cancellation of a CA License
    • Transfer or merger of a CA
    • Suspension or revocation of a PKC
  • Conduct signing operations only on working days. No signing operations will be carried out on Saturday, Sunday or public holidays.
  • Shall neither send nor receive any encrypted communication.

2.1.1.2 The National Repository Obligations

  • The NRDC shall ensure access to the NRDC 24 hours a day, 7 days a week. Planned exceptions to the 24x7x365 availability will be notified on CCA's web site. These are:
    • Monthly emergency power off tests
    • Yearly business continuity test

CCA provides access to the NRDC, enabling subscribers and relying parties to search CAs' and end users' certificates, and the suspension and revocation lists of certificates, through information and communication networks.

CCA also maintains a separate directory which gives information on the licensed CAs and the revocation list, i.e. the Authority Revocation List (ARL). The mechanisms for NRDC access include:

  • X.500 Directory Server System that is accessible through the Lightweight Directory Access Protocol (LDAPv3)
  • Availability of the information through the website of the CCA - cca.gov.in.
  • Access control mechanisms when needed to protect repository information as described in later sections

2.1.1.3 Measures on Vulnerability of Private Key

CCA revokes its self-signed certificate when CCA recognizes that its private key has been compromised. It then creates a new key pair for signing, issues its self-signed certificate, and issues signed certificates for all the CAs using its new signing private key. CCA notifies all the CAs of this so as to enable them to guarantee the safety and trustworthiness in the management under this CPS.

CCA, when informed of the compromise or vulnerability of the private key of a CA, revokes the certificate issued to the CA and immediately notifies this through its ARL so as to enable everybody to be aware of the event under this CPS.

2.1.2 Licensed CA Obligations

A CA that has been issued a License by the CCA under the IT Act, 2000, to act as a CA, shall comply with the terms and conditions of the License set forth in the Regulations. The Licensed CA shall ensure compliance with its approved CPS.

2.1.2.1 Providing and Notifying Accurate Information

A Licensed CA has to notify its subscribers and the relying parties about the information given below, which can affect the trustworthiness or validity of a certificate, in order to enable anybody to confirm whether it is as per the provisions of the IT Act:

  • CA License
  • CPS of the CA, including changes
  • Certificate suspension and revocation practice of CA
  • Cancellation of CA License
  • Transfer or merger of CA with another entity
  • Information on a subscriber's certificate
  • Certificate suspension and revocation practice of a subscriber
  • Disclosure record as required under Section 34 of IT Act, 2000
  • Other certification practice related information.

2.1.2.2 Protecting Private Key

The Licensed CA must create its own key pair in a secure way using a trustworthy Hardware Security Module as stipulated in Regulations. It will manage its private key securely in accordance with the procedures mandated under the Act, Rules and Regulations.

When creating a subscriber's key pair, on the subscriber's request, a CA must create it in a secure way using trustworthy software or hardware and distribute the private key securely to the subscriber. Upon request by a subscriber, a CA shall make available software for generation of his key pair at the subscriber's end. (No trace of the private key would be available in hardware or software of the CA. The private key of the subscriber would not be known to the CA at any time.)

2.1.2.3 Using a Certified Private Key

A CA shall use only those private keys in its operations, the public keys corresponding to which have been certified by the CCA.

2.1.2.4 Compromise of Private Key

As soon as a CA realizes that any of its private keys has been compromised, it shall immediately report the matter to the CCA, revoke the certificates issued with that key and update its CRL. It will suspend its self-signed certificate corresponding to that key pair. It shall securely generate another key pair, and get the public key certified by the CCA.

2.1.3 Subscriber Obligations

Subscribers who receive certificates from licensed CAs shall be required to comply with the requirements set forth in sections 40 to 42 of the IT Act, and the Rules there under.

2.1.4 Relying Party Obligations

This CPS does not specify what steps a relying party should take to determine whether to rely upon a certificate. The CCA, however, has mandated that the CAs shall make available their digital signature certificates that have been signed by the CCA for access by any relying party. They will also make available the tools necessary for performing the trust path creation, certificate mappings, for validation of their public keys with the help of public key of CCA by the relying parties. The CCA shall also enable PKCs of CAs that have been signed by it for access by any subscribers and relying parties.

In general, a relying party has to understand the purpose of a certificate, its validity period, utilization range, use and trustworthiness prior to using it. It has to ascertain from the CRLs that the certificate has not been revoked.

Contact Details

Controller of Certifying Authorities
Electronics Niketan,
6 CGO Complex, Lodhi Road,
New Delhi - 110003
FAX : 91-011-24369578
info@cca.gov.in

©2008 CCA. All rights reserved.