IT Act 2000

Section 31

Certifying Authority to Follow Certain Procedures

THE STATUTE

Original Text

Every Certifying Authority shall, in respect of the Electronic Signature Certificates issued by it, make use of hardware and software that is not affected by any licence, patent or other right of third party and which is in conformity with the standards specified by the Controller; ensure that every subscriber is made aware of his duties and obligations under this Act; publish information regarding its practices and Electronic Signature Certificate in such repository as may be specified by the Controller.

Simplified

Section 31 imposes three substantive operational obligations on every Certifying Authority.

First, the hardware and software used for certificate issuance must not be encumbered by third-party licences or patents that could interfere with the CA's operations, and must conform to standards specified by the Controller. This prevents a situation where a CA's critical infrastructure is subject to a software licence that could be revoked, or a patent that could be enforced to disable certificate issuance — either event would threaten the reliability of all certificates the CA has issued.

Second, the CA must ensure that every subscriber is made aware of their duties and obligations under the IT Act — principally the private key control and notification obligations under Sections 40A and 42. This makes subscriber awareness a regulatory compliance obligation for the CA, not just a contractual best practice.

Third, the CA must publish information about its practices and Electronic Signature Certificates in a repository specified by the Controller. In PKI practice, this publication takes the form of a Certification Practice Statement (CPS) — a detailed document describing the CA's technical standards, identity verification procedures, certificate management practices, and security policies. The CPS is the relying party's primary source of information about what a CA's certificates represent and how to rely on them. Section 31's CPS publication obligation makes transparency a legal requirement, not merely an industry standard.

Legal Evolution

Section 31 was in the original IT Act 2000. The Certification Practice Statement concept derives from the ABA Digital Signature Guidelines (1996). The Controller's regulations specify the minimum content requirements for a CA's CPS, and CCA-licensed CAs must publish their CPSs on the CCA website.

Key Amendments

Amended by IT (Amendment) Act 2008: 'Digital Signature Certificates' replaced by 'Electronic Signature Certificates'.