Controller Of Certifying Authorities
Section 71 of IT Act stipulates that if anyone makes a misrepresentation or suppresses any material fact from the CCA (Controller of Certifying Authorities) or CA (Certifying Authorities) for obtaining any DSC (Digital Signature Certificate) such person shall be punishable with imprisonment up to 2 years or with fine up to one lakh rupees or with both.
i. The guidelines issued by the Controller of Certifying Authorities are to be strictly followed by CAs. Unless the date of implementation is otherwise specified, the effective date of implementation of guidelines will be the date of publication on the website of the Office of CCA. The changes due to these guidelines should be referred to or incorporated in the subsequent revision of the CPS of CAs.
ii. The following text should be part of the DSC application form: "Section 71 of IT Act stipulates that if anyone makes a misrepresentation or suppresses any material fact from the CCA or CA for obtaining any DSC such person shall be punishable with imprisonment up to 2 years or with fine up to one lakh rupees or with both."
iii. The DSC application form can be generated by the CA based on the verified information held in the eKYC account maintained by the CA as per section 5, after obtaining the two-factor authentication of the applicant. In the absence of the electronic signature (eSign) of the applicant on the electronic DSC application form, the ink signature of the DSC applicant on a printed DSC application form is required.
iv. CAs should put in measures to ensure that email addresses that are included in Digital Signature Certificates (DSC) are unique to the DSC applicant. Provisions can be made for issuance of multiple DSCs with a single email ID where it is established that these multiple DSCs are being issued to a unique DSC applicant.
v. CA should put a procedure in place to ensure that no Class 2 or Class 3 individual Signing DSCs are issued in cases where the key pair has not been generated on a FIPS 140-1/2 Level 2 validated Hardware cryptographic module.
vi. In respect of Class 1 certificate, if the subscriber prefers to use a non-FIPS 140-1/2 Level 2 validated Hardware Cryptographic module/Software token, the corresponding risk should be made known to the DSC applicant and an undertaking should be taken to the effect that the DSC applicant is aware of the risk associated with storing private keys on a device other than a FIPS 140-1/2 Level 2 validated cryptographic module.
vii. A list of approved cryptographic device manufacturers / suppliers and information relating to their FIPS 140-2 Level 2 validated tokens must be published on the website of the CA.
viii. The application forms, supporting documents and all other verification information including Video Recording and details of telephonic verification shall be preserved and archived by CAs for a period as mentioned in the IT CA rules, 27. Archival of Digital Signature Certificate is from the date of expiry of the Digital Signature Certificate.
ix. For the purpose of DSC application to CA (paper), all signatures including DSC applicant, attestation and authorisation should be preferably with blue-ink.
x. In case applicant's signature is different from that in ID Proof, a physical verification needs to be carried out.
xi. In case the applicant is unable to sign due to disability, paralysis, or other reasons, the DSC issuance should be through eKYC verification.
xii. Power of attorney is not allowed for the purpose of DSC application to CA and Issuance of DSC.
xiii. In case of paper based application form, the applicant should affix signature covering Photo and application form.
xiv. A CA may ask for more supporting documents, if they are not satisfied with the documents that have been submitted.
xv. The inspection and approval of physical DSC application form should be carried out by a trusted person of CA. Such approval should be clearly indicated on the physical DSC application form in the form of ink signature of trusted person of CA along with name, designation and date. In the case of electronic DSC application form, electronic approval should be with the Digital Signature of trusted person only.
xvi. CA should make sure that the trusted person's roles and responsibilities are not delegated to or controlled by anyone else. All the CA Verification Officers should be employees of the CA and should have undergone training by CA in respect of verification.
xvii. Incomplete application forms should not be accepted by the CA. CA SHALL NOT accept any Digital signature certificate application forms that do not meet the requirements mentioned in the Identity Verification Guidelines. CA SHALL look for any indication of alteration or falsification in application or supporting documents.
xviii. Application form along with the supporting documents must be available for inspection at CA premises within 30 days of issuance of DSC. In the case of a lost DSC application form, the same should be informed to the office of CCA within 45 days of issuance with the report of action taken.
xix. DSCs shall be issued by CAs only after the application form (with ink signature) and supporting documents (duly attested) have been physically received and verified at the CA premises/Verification Office.
xx. CAs, for issuing personal DSCs, should mandatorily provide a mechanism to apply for DSC directly to CA through their web interface.
xxi. For personal and organisational person DSCs, a letter/certificate issued by bank containing the DSC applicant's information as retained in the Bank database can be accepted. Such letter/certificate should be certified by the Bank Manager. Any information which is required to be part of the DSC but is not a part of such certified letter should be verified by CA. Mobile verification (all applications) and Video Verification will still be required to be done prior to issuance of DSC by CA.
xxii. The eKYC OTP classes of certificates can be used for signing of electronic DSC application form applied from DSC applicant's banking account.
xxiii. In the case of Personal/Organisational Person Digital Signature Certificate issuance (Class 1, Class 2 and Class 3), CA should directly invoice to the DSC applicant or applicant’s organisation. CA should carry out periodic reconciliation of invoices raised for DSC issuance with corresponding DSC issued to subscriber. Copy of the invoices issued to DSC applicant should be preserved by CA.
xxiv. For all categories of DSC applicants, it is mandatory to provide either PAN or Aadhaar Number. In the case of PAN or Aadhaar Number not having been issued to a DSC applicant, CA should issue DSC only after obtaining an undertaking from the DSC applicant stating the following:
"I hereby declare that neither PAN nor Aadhaar Number has been issued to me."
xxv. Physical verification of DSC applicant by CA is mandatory prior to issuance of Class 2 & Class 3 DSC.