IT Act 2000
Section 38
Revocation of Digital Signature Certificate
THE STATUTE
Original Text
(1) A Certifying Authority may revoke a Digital Signature Certificate issued by it — (a) where the subscriber or any other person authorised by him makes a request to that effect; or (b) upon the death of the subscriber; or (c) upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company. (2) Subject to the provisions of sub-section (3) and without prejudice to the provisions of sub-section (1), a Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time, if it is of the opinion that — (a) a material fact represented in the Digital Signature Certificate is false or has been concealed; (b) the requirements of this Act or rules or regulations made thereunder have not been complied with; (c) the information in the Digital Signature Certificate is not in accordance with the requirements of this Act; (d) the subscriber has been declared insolvent or dead or where a subscriber is a firm or company, which has been dissolved, wound-up or otherwise ceased to exist; or (e) the private key of the subscriber or Certifying Authority corresponding to the public key listed in the Digital Signature Certificate has been compromised. (3) A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter.
Simplified
Section 38 governs revocation of a Digital Signature Certificate, the most serious action in the DSC lifecycle: unlike suspension under Section 37, revocation is permanent and cannot be lifted. The section has two tracks. Sub-section (1) covers revocation arising on the subscriber's side: a request by the subscriber or a person authorised by him, the subscriber's death, or the dissolution or winding up of a subscriber firm or company. Sub-section (2) gives the CA its own power to revoke at any time if it is of the opinion that a material fact in the certificate is false or has been concealed, that the Act or its rules and regulations have not been complied with, that the certificate's contents do not meet the Act's requirements, that the subscriber has been declared insolvent or dead (or, for a firm or company, has ceased to exist), or, most critically, that the private key of the subscriber or of the CA corresponding to the listed public key has been compromised. Key compromise is the ground that matters most to relying parties: a signature produced with a stolen private key verifies exactly as well as one made by the subscriber, so nothing in the signature itself reveals the fraud, and revocation, published through the CA's CRL and OCSP responses, is the only mechanism by which relying parties learn to stop trusting the key. Section 38(3) mirrors Section 37(3): the certificate shall not be revoked unless the subscriber has been given an opportunity of being heard, which rules out summary revocation without notice. In operation, a relying party's software rejects any signature whose certificate is listed as revoked unless it can establish, for example from a trusted timestamp, that the signature was made before the revocation took effect; where the exact moment of compromise is unknown, the CA can record an earlier invalidity date so that signatures made in the window between the theft of the key and its detection are also rejected.
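The relying-party check described above, as an added example that is not part of this page or of any Certifying Authority's software: a toy model of a CRL that distinguishes a Section 37 hold (reversible) from a Section 38 revocation (irreversible), and answers "was the certificate trustworthy at the moment the signature was made?" using RFC 5280's revocationDate and invalidityDate. The reason code values are the real RFC 5280 ones; the class names, dates, serial number and status strings are constructed for the illustration.

```python
# Added example: a minimal model of CRL semantics for a relying party.
# RFC 5280 supplies the reason codes and the revocationDate/invalidityDate
# distinction; everything else here is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# CRLReason codes from RFC 5280 section 5.3.1 (numeric values are the real ones).
KEY_COMPROMISE = 1    # s.38(2)(e): private key of subscriber or CA compromised
CERTIFICATE_HOLD = 6  # suspension under s.37: the only reversible state


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class RevocationEntry:
    reason: int
    revocation_date: datetime                   # when the CA acted
    invalidity_date: Optional[datetime] = None  # when the key is believed compromised


class RevocationList:
    """In-memory stand-in for the CA's CRL / OCSP responder database."""

    def __init__(self) -> None:
        self._entries: Dict[int, RevocationEntry] = {}

    def suspend(self, serial: int, when: datetime) -> None:
        current = self._entries.get(serial)
        if current is not None and current.reason != CERTIFICATE_HOLD:
            raise ValueError("already revoked; a hold cannot replace a revocation")
        self._entries[serial] = RevocationEntry(CERTIFICATE_HOLD, when)

    def reinstate(self, serial: int) -> None:
        current = self._entries.get(serial)
        if current is None:
            return
        if current.reason != CERTIFICATE_HOLD:
            raise ValueError("s.38 revocation is irreversible; only a s.37 hold can be lifted")
        del self._entries[serial]

    def revoke(self, serial: int, reason: int, when: datetime,
               invalidity_date: Optional[datetime] = None) -> None:
        if reason == CERTIFICATE_HOLD:
            raise ValueError("use suspend() for certificateHold")
        if invalidity_date is not None and invalidity_date > when:
            raise ValueError("invalidityDate cannot be later than revocationDate")
        # Revoking a held certificate is allowed: the hold is upgraded in place.
        self._entries[serial] = RevocationEntry(reason, when, invalidity_date)

    def lookup(self, serial: int) -> Optional[RevocationEntry]:
        return self._entries.get(serial)


def signature_status(cert: Certificate, crl: RevocationList,
                     signing_time: datetime, signing_time_trusted: bool) -> str:
    """Relying-party decision for a signature claimed to be made at signing_time.

    signing_time_trusted is True only when the time comes from evidence the key
    holder could not forge (e.g. an RFC 3161 timestamp); the signer's own
    claimed time is worthless once the key may be in an attacker's hands.
    """
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "reject:outside-validity"
    entry = crl.lookup(cert.serial)
    if entry is None:
        return "accept"
    if entry.reason == CERTIFICATE_HOLD:
        # Conservative choice: while a hold stands, accept nothing made with the key.
        return "reject:suspended"
    if not signing_time_trusted:
        return "reject:untrusted-signing-time"
    # The CA may backdate the cut-off to the suspected moment of compromise, so a
    # signature made after the theft but before detection is also refused.
    cutoff = entry.invalidity_date or entry.revocation_date
    return "accept" if signing_time < cutoff else "reject:revoked"


def demo() -> Dict[str, str]:
    """Walk one constructed certificate through hold, reinstatement and revocation."""
    utc = timezone.utc
    cert = Certificate(0x1001, datetime(2024, 1, 1, tzinfo=utc), datetime(2025, 12, 31, tzinfo=utc))
    crl = RevocationList()
    t_march = datetime(2024, 3, 1, tzinfo=utc)
    t_june5 = datetime(2024, 6, 5, tzinfo=utc)
    t_july = datetime(2024, 7, 1, tzinfo=utc)
    out: Dict[str, str] = {}
    out["clean"] = signature_status(cert, crl, t_march, True)
    crl.suspend(cert.serial, datetime(2024, 6, 1, tzinfo=utc))  # s.37 hold
    out["on_hold"] = signature_status(cert, crl, t_june5, True)
    crl.reinstate(cert.serial)                                  # hold lifted
    out["hold_lifted"] = signature_status(cert, crl, t_june5, True)
    # s.38(2)(e): compromise detected 10 June, key believed stolen since 1 June.
    crl.revoke(cert.serial, KEY_COMPROMISE, datetime(2024, 6, 10, tzinfo=utc),
               invalidity_date=datetime(2024, 6, 1, tzinfo=utc))
    out["before_compromise_trusted_time"] = signature_status(cert, crl, t_march, True)
    out["before_compromise_claimed_time"] = signature_status(cert, crl, t_march, False)
    out["between_compromise_and_detection"] = signature_status(cert, crl, t_june5, True)
    out["after_revocation"] = signature_status(cert, crl, t_july, True)
    try:
        crl.reinstate(cert.serial)
        out["lift_revocation"] = "allowed"
    except ValueError:
        out["lift_revocation"] = "refused"
    return out


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:36s} {status}")
```

Two points the walk-through makes that the prose alone does not: a signature dated before the compromise is accepted only when its time comes from a source the thief could not have forged, and the CA's invalidity date, not the later revocation date, is the cut-off, so the signature made on 5 June (after the suspected theft, before detection) is refused.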
Legal Evolution
Section 38 was in the original IT Act 2000. The private key compromise ground in Section 38(2)(e) reflects the fundamental PKI security principle that once a private key is compromised, the certificate binding the corresponding public key can no longer vouch for anything signed with it. The Indian PKI framework, modelled on international standards, treats key compromise as an emergency requiring immediate revocation.
Key Amendments
Unchanged since 2000 in its core structure.
CCA regulations now require CAs to revoke within specified timeframes after confirmed key compromise.