Operational Requirements
An investigation into the need for suspension will take place, in which the following is carried out:
- Validate the need for suspension and obtain authorization for the suspension.
- On completion of the investigation into the need for suspension, the certificate is either suspended or reinstated with certificate status as valid.
- On suspension of a certificate:
  - The reason for the suspension is recorded.
  - A CRL (Certificate Revocation List) is immediately generated and published on the Root CA Directory and the NR.
  - The CA to which the certificate refers publishes in a prominent manner a suspension notice on its Web Site and its Certificate Revocation List distribution point.
  - The CA to which the certificate refers notifies its End Users of the suspension.
  - A notice containing the Certificate details and the date and time of suspension is issued to the subscriber.
Pending completion of any inquiry ordered by the CCA, no CA whose certificate has been suspended will issue any certificates during this suspension. The suspension of certificates issued by the CCA Root may occur immediately if the suspension has been requested by the authorized signatory of the licensed CA or after an investigation has taken place.
4.4.2 Who can request suspension
The CCA shall action a suspension request from an Authorized signatory of the Licensed CA. The CCA, on his own, can also initiate suspension of a certificate.
4.4.3 Procedure for suspension request
When a suspension or revocation is requested by an authorized signatory of a CA, the suspension or revocation request may be submitted through:
- a digitally signed suspension or revocation request verifiable with the public key contained in the certificate to which the request refers and performance of an off-line request
- a certificate suspension or revocation request physically delivered to CCA by an appropriately authorized person
4.4.4 Limits on suspension period
Certificates issued by the RCAI of the CCA can remain suspended for a maximum period of ten working days. Upon termination or prior to termination of suspension, CCA will determine whether it should be revoked or reinstated as valid.
If, on completion of the inquiry, any of the above is established beyond doubt, then the certificate may be revoked by the CCA.
Revocation of the certificate of a CA can happen for a number of reasons.
- When a CA applies for a certificate revocation
- When the CCA recognizes that a certificate of a CA was issued in an illegal manner.
- When the CCA recognizes the dissolution of a CA
- When the CCA recognizes that a private key of a CA is lost, damaged, stolen or compromised
4.4.5 Who can request revocation
Revocation requests from the following parties can be accepted:
- An Authorized signatory of the Licensed CA
- Controller of Certifying Authorities
4.4.6 Procedure for revocation request
When a revocation is requested by any entity external to the CCA, the revocation request may be submitted through:
- a digitally signed revocation request through the communication of compromise of private key by a CA to the CCA, verifiable with the public key contained in the certificate to which the request refers, and performance of an off-line request in accordance with procedures designed by CCA for such purpose.
- a certificate suspension or revocation request physically delivered to CCA by an appropriately authorized person.
In processing a revocation request, the Root CA will:
- Revoke the certificate on the Root CA, record the reason for the revocation, and maintain relevant documentation.
- Generate immediately a CRL (Certificate Revocation List) from the Root CA.
- Withdraw the certificate from the CCA Web site and place a prominent revocation notice in its place.
- Issue a notice containing the Certificate details and the date and time of revocation to the certificate subscriber.
- Notify the CA that its certificate has been revoked under the provisions of the IT Act.
- Publish the revocation on the National Repository.
4.4.7 Revocation request grace period
Revocation requests shall be processed within one working day of having a definitive decision by the CCA to revoke the certificate in accordance with CCA's operational procedures.
4.4.8 CRL issuance frequency
The CCA shall update the CRL within one working day after a valid revocation request is processed and at least every month, even if no changes to the CRL have been made.
4.4.9 CRL checking requirements
A relying party may check the CCA's CRL for determining the CA's certificate status before relying on any certificate issued by the CA.
4.4.10 On-line revocation/status checking availability
The CCA shall provide on-line certificate status checking through publication in NRDC.
4.4.11 Other forms of revocation advertisements available
On suspension and/or revocation of a certificate issued by the RCAI, the CCA will issue an advertisement in at least two national newspapers and one vernacular newspaper in the region where the Licensed CA is established.
4.4.12 Checking requirements for other forms of revocation advertisements
No Stipulation
4.4.13 Special requirements regarding key compromise
The CCA is to be notified immediately by a CA in case of a key compromise.
4.5 Security Audit Procedures
4.5.1 Types of event recorded
The minimum audit records of RCAI to be kept include:
- System start-up and shutdown;
- RCAI's application start-up and shutdown;
- Attempts to create, remove, set passwords or change the system privileges of the CA Master Officer, CA Officer, or CA Administrator;
- Changes to keys of the RCAI or any of his other details;
- Changes to Digital Signature Certificate creation policies, e.g. validity period;
- Login and logoff attempts;
- Unauthorized attempts at network access to the RCAI's system;
- Unauthorized attempts to access system files;
- Generation of keys;
- Creation and revocation of Digital Signature Certificates;
- Failed read-and-write operations on the Digital Signature Certificate or Certificate Revocation List (CRL) directory.