IT Act 2000

Section 30

Duties of Certifying Authorities

THE STATUTE

Original Text

Every Certifying Authority shall —

(a) make use of hardware and software that is secure from intrusion and misuse;

(b) provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions;

(c) adhere to security procedures to ensure that the secrecy and privacy of the electronic signatures are assured;

(d) be the repository for all Electronic Signature Certificates issued under this Act;

(e) publish information regarding its practices and Electronic Signature Certificates in accordance with regulations made by the Controller;

(f) observe such other standards as may be specified by regulations.

Simplified

Section 30 sets out the operational obligations of licensed Certifying Authorities — the day-to-day standards they must maintain to keep their licence and ensure the integrity of India's digital signature ecosystem. The duties cluster into three areas.

First, technical security: CAs must use hardware and software secure from intrusion (clause a), maintain reliable services (clause b), and apply security procedures protecting electronic signature secrecy (clause c). In practice this means mandatory use of FIPS 140-2 certified Hardware Security Modules for CA private key storage, redundant infrastructure with documented disaster recovery, intrusion detection systems, and regular third-party security audits.

Second, repository and disclosure duties: each CA must maintain a repository of all certificates it issues (clause d) and publish its practices and certificate information per CCA regulations (clause e). The published document — the Certification Practice Statement (CPS) — is the CA's public commitment to its security practices, liability limits, and subscriber terms. Relying parties and subscribers can inspect the CPS to understand what assurances the CA provides.

Third, compliance with CCA standards: CAs must observe any additional standards specified by CCA regulations (clause f), which have included OCSP implementation, annual audit requirements, and incident reporting timelines.

Legal Evolution

Section 30 duties were modelled on IETF PKI standards (RFC 3647) and international CA practice. The CCA has updated its regulations over time to align with CA/Browser Forum Baseline Requirements — the global standard for publicly trusted CAs. Annual audits by CCA-approved auditors became mandatory, and requirements for HSM certification levels were tightened after global CA security incidents in 2011.

Key Amendments

2008 Amendment updated 'digital signatures' to 'electronic signatures' — broadening CA duties to cover all Section 3A authentication methods.

CCA regulations progressively raised the security bar — HSM requirements, OCSP implementation, and mandatory incident reporting added over time.