|
Overview
This CPS provides information that describes the practices employed by the Controller of Certifying Authorities in operating the RCAI and NRDC services.
The RCAI is responsible for:
- Issue of License by means of an X.509 certificate
- Digitally signing the public key of the Licensed CA
- Generating CRLs for the licenses issued
The NRDC is responsible for:
- Publishing digital signature certificates and CRLs issued by the RCAI
- Publishing digital signature certificates and CRLs of subscribers issued by all Licensed CAs
The CCA issues Licenses to Certifying Authorities under section 24 of the IT Act, after duly processing their applications as provided for under the Act. This process includes examining the application and accompanying documents as provided for in sections 21 to 24 of the IT Act, and all the Rules and Regulations there under; approving the CPS; auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA. The CCA can suspend or revoke Licenses in accordance with the provisions of sections 25 and 26 of the IT Act. The CCA also approves changes in the CPS, if any, of the CAs. CCA also receives the periodic audit reports from all the Licensed CAs, and proposes action as provided for under section 18 of the IT Act and Rule 31 of the Rules under the Act. The CCA operates the RCAI under section 18(b) and NRDC under section 20 of the IT Act.
The structure of this CPS is based on the Internet X.509 PKI Certificate Policy and Certificate Practice Framework (RFC 2529) circulated by the CCA as part of its Guidelines issued on 9 July, 2001 vide No. 1(6)/2001-CCA. This CPS covers the practices followed by the CCA for the procedures related to the License/certificate application, issuance, use, validation, suspension, revocation and their expiry, as well as the operational maintenance of the RCAI and NRDC. This CPS is referred to as the "Root Certifying Authority of India CPS".
This CPS is subject to a regular review process that strives to take into consideration developments in international PKI standardization initiatives, development in technology and information security, as well as other relevant issues
1.2 Identification
This document is the Certification Practice Statement of the Root Certifying Authority of India. RCAI has assigned following OID to this document
|
OID: 2.16.356.100.2
|
|
Joint - ISO - ITU-T Assigned Country Code : India
|
2.16.356
|
|
CCA
|
100
|
|
CPS
|
2
|
RCAI will also issue OIDs to licensed CAs. The CAs will then choose to assign OIDs for different purposes under this scheme.
1.3 Community and Applicability
The CCA PKI community comprises all the Licensed CAs and their subscribers. The Licensed CAs are issued certificates digitally signed by the RCAI of the CCA and hence specifically this CPS shall apply to all the Licensed CAs. At the apex level, the Department of Information Technology and the CCA are also members of this PKI community. CCA, through its RCAI and NRDC, is at the hub of trust in electronic environment.
1.3.1 Ministry of Communications and Information Technology
The Ministry of Communications and Information Technology is the ministry of the Government of India under whose administrative control the office of the CCA functions. This ministry is responsible for policy on E-Commerce and E-Governance, as also on the IT Act in particular and cyberlaws in general. It is also responsible for certain practices and procedures, and standards under the IT Act.
1.3.2 Controller of Certifying Authorities
The CCA regulates the CAs in the country under various sections of the IT Act. It discharges its responsibilities in the PKI regime in the country. Towards this end, it operates the RCAI and NRDC. The following acts are performed by the CCA:
- It follows procedures and norms laid down under the Act to issue a license to a CA.
- It operates the RCAI to certify the public keys of CAs by digitally signing them thereby making available their licenses in the electronic world for verification by any user.
- It operates the NRDC containing all the PKCs and CRLs issued by all the CAs in the country.
- It ensures that alternate mechanisms are put in place for a CA whose certificate/license has been revoked by it.
- It maintains a Panel of Auditors.
- It arranges audit for first time CA Applicant.
- It receives periodic audit report from CAs.
- It provides date and time stamping for all the certificates issued by it.
- It maintains database of CAs.
- It receives disclosure record of all CAs.
- It assigns unique OIDs to all entities in the PKI regime in the country.
- It organizes other digital signature certification related practices.
The CCA has constituted the following forums as advisory groups to advise it on PKI matters:
|
