Section 18

Section 18 defines the functional mandate of the Controller of Certifying Authorities (CCA) — the apex regulatory authority for India's Public Key Infrastructure (PKI). The CCA sits within the Ministry of Electronics and Information Technology (MeitY) and its Section 18 functions collectively establish the Controller as a comprehensive regulator across the entire CA ecosystem. The functions span three broad categories. First, standard-setting and licensing conditions: the Controller specifies technical standards (clause c), staff qualifications (clause d), business conditions (clause e), certificate formats and key requirements (clauses f and g), and accounting requirements (clause h). These form the foundation of what a CA must do to receive and retain a licence. Second, supervisory and enforcement functions: the Controller exercises direct supervision over CA activities (clause a), certifies the public keys of CAs themselves within the Root CA hierarchy (clause b), regulates multi-CA electronic systems (clause j), and maintains a public disclosure database of every CA (clause n). The public disclosure database is particularly important for relying parties: anyone can check a CA's compliance record and disclosure status. Third, subscriber-protection functions: the Controller specifies how CAs must deal with subscribers (clause k), resolves conflicts between CAs and subscribers (clause l), and lays down CA duties (clause m). The audit function under clause i — specifying auditor terms and remuneration — gives the CCA control over the independence of CA auditors, preventing CAs from appointing compliant auditors to rubber-stamp their practices. Section 18 should be read alongside Section 19 (recognition of foreign CAs) and the CCA's subordinate regulations to understand the full regulatory architecture.