CA Business Practices Disclosure
The Certification Authority discloses its business practices, including but not limited to the following:
General
Identification of each CP and CPS for which the CA issues certificates
Community and applicability, including a description of the types of entities within the PKI and the applicability of certificates issued by the CA
Contact details and administrative provisions, including:
* Contact person
* Identification of Policy Authority
* Street address
* Version and effective date(s) of each CP and CPS
Any applicable provisions regarding apportionment of liability
Financial responsibility, including:
* Indemnification by relying parties
* Fiduciary relationships
Interpretation and enforcement, including:
* Governing law
* Severability, survival, merger, and notice
* Dispute resolution procedures
Fees, including:
* Certificate issuance or renewal fees
* Certificate access fees
* Revocation or status information access fees
* Fees for other services such as policy information
* Refund policy
Publication and repository requirements, including:
* Publication of CA information
* Frequency of publication
* Access controls
Compliance audit requirements including:
* Frequency of entity compliance audit
* Auditor's relationship to audited party
* Topics covered by audit
* Actions taken as a result of deficiency
* Communication of results
Description of the conditions for applicability of certificates issued by the CA that reference a specific Certificate Policy, including:
* Specific permitted uses for the certificates if such use is limited to specific applications
* Limitations on the use of certificates if there are specified prohibited uses for such certificates
CA and/or RA obligations:
* Notification of issuance of a certificate to the subscriber who is the subject of the certificate being issued
* Notification of issuance of a certificate to others than the subject of the certificate
* Notification of revocation or suspension of a certificate to the subscriber whose certificate is being revoked or suspended
* Notification of revocation or suspension of a certificate to others than the subject whose certificate is being revoked or suspended
RA obligations, including:
* Identification and authentication of subscribers
* Validation of revocation and suspension requests
* Verification of subscriber renewal or rekey requests
Repository obligations, including:
* Timely publication of certificates and Certificate Revocation Lists
Subscriber obligations, including:
* Accuracy of representations in certificate application
* Protection of the subscriber's private key
* Restrictions on private key and certificate use
* Notification upon private key compromise
Relying party obligations, including:
* Purposes for which certificate is used
* Digital signature verification responsibilities
* Revocation and suspension checking responsibilities
* Acknowledgment of applicable liability caps and warranties
Any applicable reliance or financial limits for certificate usage
Certificate Life Cycle Management
Whether certificate suspension is supported
Initial registration, including a description of the CA's requirements for the identification and authentication of subscribers and validation of certificate requests during entity registration or certificate issuance:
* Types of names assigned to the subject and rules for interpreting various name forms
* Whether names have to be meaningful or not
* Whether names have to be unique
* How name claim disputes are resolved
* Recognition, authentication, and role of trademarks
* If and how the subject must prove possession of the companion private key for the public key being provided for a certificate
* How the subscriber's public key is provided securely to the CA for issuance of a certificate
* Authentication requirements for organizational identity of subject
* Authentication of individual identity
* Required certificate request data
* How the CA verifies the authority of the subscriber to request a certificate
* How the CA verifies the accuracy of the information included in the subscriber's certificate request
* Whether the CA checks certificate requests for errors or omissions
Registration requirements where external Registration Authorities are used, including the CA's procedures for:
* Validating the identity of external Registration Authorities
* Authorizing external Registration Authorities
* Requirements for the external Registration Authority to secure that part of the certificate application, certificate renewal, and certificate rekey processes for which the RA assumes responsibility
* How the CA verifies the authenticity of certificate request submissions received from an external RA
Certificate renewal, including a description of the CA's procedures for the following:
* Notifying subscribers of the need for renewal
* Identification and authentication
* Renewal request verification
Certificate issuance, including a description of the requirements regarding the following:
* Issuance of certificates
* Notification to the applicant of such issuance
* Certificate format requirements
* Validity period requirements
* Extension field requirements (meaning, what extension fields are honored, and how they are to be populated)
Certificate acceptance, including a description of the requirements regarding acceptance of an issued certificate and for consequent publication of certificates
Certificate revocation, including:
* Circumstances under which a certificate may or must be revoked
* Identification and authentication procedures required for revocation requests
* Procedures used for initiation, authorization, and verification of certificate revocation requests
* Revocation request grace period available to the subscriber
* Any variations on the preceding stipulations in the event that the revocation is the result of private key compromise (as opposed to other reasons for revocation)
* Procedures to provide a means of rapid communication to facilitate the secure and authenticated revocation of:
(1) one or more certificates of one or more entities;
(2) the set of all certificates issued by a CA based on a single public/private key pair used by a CA to generate certificates; and
(3) all certificates issued by a CA, regardless of the public/private key pair used
* Procedures for notifying the subscriber upon revocation of the subscriber's certificate
* Whether the external Registration Authority is notified upon the revocation of a subscriber's certificate for which the revocation request was processed by the external RA
* How and when the subscriber's certificate status information is updated upon certificate revocation
Certificate suspension, including:
* Circumstances under which a certificate may or must be suspended
* Identification and authentication procedures required for revocation requests
* Procedures used for initiation, authorization, and verification of certificate suspension requests
* How long the suspension may last
* Circumstances under which the suspension of a certificate may or must be lifted
* Authorization criteria to request the lifting of a certificate suspension
* Any variations on the preceding stipulations if the suspension is the result of private key compromise (as opposed to other reasons for suspension)
* Procedures to provide a means of rapid communication to facilitate the secure and authenticated suspension of:
(1) one or more certificates of one or more entities;
(2) the set of all certificates issued by a CA based on a single public/private key pair used by a CA to generate certificates; and
(3) all certificates issued by a CA, regardless of the public/private key pair used
* Procedures for notifying the subscriber upon suspension of the subscriber's certificate
* Whether the external RA is notified upon the suspension of a subscriber's certificate for which the suspension request was processed or submitted by the external RA
* How and when the subscriber's certificate status information is updated upon certificate suspension and the lifting of a certificate suspension
* Adequacy of Security policies and implementation
* Existence of adequate physical security
* Evaluation of Functionalities in Technology as it supports CA operations
* Compliance to relevant CPS as approved and provided by the Controller
* Adequacy of contracts/agreements for all outsourced CA operations
* Adherence to the Information Technology Act, 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time