Centre for Internet & Society

The Department of Electronics & Information Technology, Ministry of Communications & Information Technology responded to a right to information (RTI) application filed by Saket Bisani on behalf of the Centre for Internet & Society on July 13, 2012 through notification No. 14(110)/2012-ESD, dated October 3, 2010.

No. 14(110)/2012-ESD
M/o Communications & Information Technology
Department of Electronics & Information Technology
Electronics Niketan, 6, CGO Complex
New Delhi-110003

Dated: 3.10.2012

Subject: RTI application received from Shri Saket Biswani

With reference to your RTI application dated 13.7.12 requesting for the following information.

Question

a) Please provide me a list of the dates of each meeting of the CRAC held from October 18, 2000 till July 13, 2012?

b) Please provide me copies of the minutes of every meeting held by the Cyber Regulation Advisory Committee from October 18, 2000 till July 13, 2012.

c) Provide me the list of all policy decisions that the CRAC has advised the Central Government on under section 88(3) (a) of the Information Technology.

d) Provide me a list of all policy decisions that the CRAC has advised the Central Government on under section 88(3)(a) of the Information Technology Act, 2000.

The information as received from the custodian of the information is placed below:

Answer

a) The meetings of CRAC were held on 6th March, 2001 and 17-18 March, 2001.

b) Minutes of these two meetings of CRAC are attached.

c) No such advice was given by CRAC to DeitY under section 88(3)(a).

d) Information is attached.

Kaushik Signature

(A.K. Kaushik)
Additional Director & CPIO
(E-Security & Cyber Laws)

To: Shri Saket Bisani
No. 194, 2nd 'C' Cross,
Domlur 2nd Stage
Bangalore-560 071

Minutes of the First Meeting of the Cyber Regulation Advisory Committee (CRAC) held on March 6, 2001, at Electronics Niketan, under the Chairmanship of Hon’ble Minister (IT) Shri Pramod Mahajan.

(List of Participants enclosed as Annexure-A)

  1. The chairman welcomed the participants to the First Meeting of the Committee. In his opening remarks he hoped that the Committee would play a constructive role in the implementation of the Information Technology Act.
  2. While introducing the Agenda (circulated ahead of the meeting), Controller of Certifying Authorities (CCA) made a short presentation on proposed "Regulations under section 89 of the IT Act" consisting of 18 proposed Regulations, Smart Card as token carrying Keys, and various suggested Amendments to the IT Act 2000.
  3. During the ensuing discussions, participants sought some time to study and collate associated inputs from their respective colleagues/specialists before offering any concrete suggestions/recommendations. Chairman agreed to the suggestions and postponed the meeting to 11:00 AM on March 17, 2001 at the same venue. Based on the recommendation of Secretary (IT), members were requested to forward their inputs, if any, through e-mail within a week's time to the following:

Meeting ended with a vote of thanks to the Chair.

Minutes of the Second Meeting of the Cyber Regulation Advisory Committee (CRAC) held on 17-18 March, 2001 at Electronics Niketan, New Delhi under the Chairmanship of Hon'ble Minister (IT), Shri Pramod Mahajan.

(List of Participants enclosed as Annexure-A)

  1. The chairman welcomed the participants to the second meeting of the Committee to consider further the draft regulations proposed by the Controller of Certifying Authority (CCA).
  2. During the ensuing discussions, following general recommendations/decisions were arrived at governing the overall formulation of the regulations that are necessary to bring about infrastructure facilitating activities envisaged under the IT Act 2000:

a) Any regulation to be framed by the Controller draws its authority only from Section 89(2) of the Act. Moreover, such regulations should complement the Rules already framed under the Section 87 of the Act.

b) To keep pace with the changing technology and standards, CCA may publicly notify/modify necessary specifications of technology, standards and procedures at regular intervals (say, January of every year). Moreover, to adhere to the "principles of minimal governance", if any particular necessity emerges for inclusion of newer manifestations of any existing standard/technology/procedure, Controller should respond within ninety (90) days after receiving any specific request in writing, failing which it will be deemed to have obtained his concurrence.

c) The commercial practices/interests may form the essential pedestal for the certification process. Aspects of cross-certification may preferably be left to the purview of the concerned market forces. However, the necessary interoperability will essentially be "market-driven" and not "authority-driven". This will also ensure that formulated rules and regulations stay in tune with market realities.

d) Strict adherence to open standards should be ensured to avoid emergence of monopoly of any kind.

e) Considering cost sensitiveness of the requisite digital signature certificate, families of technologies varying in convenience, reliability, availability, robustness, etc. may be allowed to inter-operate. However, CCA may undertake public awareness campaign to promote desirable best practices from time to time.

f) The minimal regulations facilitating activities envisaged in the Act is desirable. Some of the proposed provisions can also be ensured in the form of "terms & conditions" governing the operations of Certifying Authorities.

g) Emergence of guidelines governing smooth functioning may be better left to publications brought out by industry associations, public-minded professionals etc. Formulating rules and regulations in these regards should be minimal.

3. After framing the draft compilation of the requisite regulations in accordance with the conventional legal form in terms of content as well as structure with the assistance of the Ministry of Law, the regulations may be brought to the Ministry of Information Technology for approval.

4. The Committee considered the 18 regulations proposed in Agenda Item No.1 and the statement reproduced below contains the decision taken against each proposal.

| Sl. | Item | Conclusions |
|---|---|---|
| 1 | Regulation 1: Standardising on two key-pairs for PKI in the country. Key-pair generation for subscribers by CAs. | Regulation not required. Encryption Key pair not part of the IT Act. Already covered under Rule 3, 4 & 5 of notified CA Rules. Subscriber should be at liberty to bring his key pair that CA may verify before acceptance. (Section 40 of the Act) |
| 2 | Regulation 2: Encryption key-pair of subscribers to be maintained by CAs in a database and made available to enforcement and law agencies under directions of the Controller. | Regulation not required. IT Act is silent regarding encryption. |
| 3 | Regulation 3: Disclosure Record of CA. | Disclosure may be done every six months. Necessary format for disclosure may be notified from time to time. (Para 2(f) above) |
| 4 | Regulation 4: Encryption Key Pair of CA to be made available to the Controller. | Regulation not required in accordance to conclusions against 1 & 2 above. |
| 5 | Regulation 5: Cross-Certification with foreign CAs. | As per recommendation 2(c) above. |
| 6 | Regulation 6: Terms and Conditions subject to which license shall be issued by the Controller to the prospective CAs. | Can be merged with regulation 11. As per the recommendation mentioned in 2(c) above. |
| 7 | Regulation 7: Standards that may be considered for different activities associated with the CAs' functions including standardization of contents of the Certificates to be issued by CAs and standardization of the Certificate Revocation List. | As per the recommendation 2(b) above. |
| 8 | Regulation 8: Information to be made publicly available by a CA on its website. Notice of suspension or revocation of license. | CA must harness all forms of networks and other practical media, and not only Internet, for disclosure to its subscriber and other interested parties. |
| 9 | Regulation 9: Standardisation of Certificate Practice Statement. | Agreed. |
| 10 | Regulation 10: Compromise of subscriber's Digital Signature Key-Pair. | Agreed. |
| 11 | Regulation 11: Description of classes of Certificates. | Shall be merged with regulation 6 above. In addition to 3 classes of certificates as identified by international bodies, the regulation should be open to additional classes of certificates, if required. |
| 12 | Regulation 12: Cross-Certification of CAs. | It should be market-driven. (Recommendation 2(c) above). |
| 13 | Regulation 13: Incorporation of Controller's Public Key Certificate as the "root" in all web browsers in the country. | Regulation not required. Need for integrating Controller's root key in the browsers may not be feasible. |
| 14 | Regulation 14: Minimum key length for CAs and subscribers. | Agreed for the provision of 1024 bits for subscriber/end-user and 2048 bits for CAs' key pair. |
| 15 | Regulation 15: Audit of applicants to include manpower audit as well. Liability of CAs towards subscribers on account of their negligence. | Regulation not required. Audit provision has already been covered under Rule 31 of CA rules notified by MIT. |
| 16 | Regulation 16: Storage of Key-Pairs of CAs. Distribution of Key-Pairs / Certificates of subscribers by CAs. | Not to be regulated. Recommendation 2(e) above shall be followed. |
| 17 | Regulation 17: Documents to be submitted to the Controller along with the application for obtaining license to operate as CA. | Already covered under rule 10 of CA rules notified by MIT. Any additional information can be sought through the recourse of public notices from time to time. |
| 18 | Regulation 18: Upon acceptance of PKC by a subscriber, the PKC shall be published by the CA as required under the IT Act for access by the subscribers and relying parties. The CA will ensure the transmission of PKC and CRLs to the National Repository to be maintained by the Controller. | Agreed. |

Meeting ended with a vote of thanks to the Chair.


Annexure - A

First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 17th March 2001 to consider adjourned agenda of the first meeting held on 6th March 2001

List of Participants

  1. Sh. Pramod Mahajan, Minister, Information Technology - Chairman
  2. Sh. S.C. Jain, Secretary, Legislative Department
  3. Sh. Vinay Kohli, Secretary, Ministry of Information Technology
  4. Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
  5. Dr. Jaimini Bhagwati, Ministry of Finance
  6. Maj. Gen. M. G. Datar, Addl. D.G, IT, Army HQ, Ministry of Defence
  7. Sh. Mukesh Mittal, Dy Secy, Ministry of Home Affairs
  8. Sh. T A Khan, Sr. Dir, NIC, Ministry of Commerce
  9. Sh. K.R. Ganapathy, CGM-IC, RBI
  10. Sh. S.R. Mittal, Adviser, DIT, Reserve Bank of India
  11. Sh. Dewang Mehta, President, NASSCOM
  12. Sh. Amitabh Singhal, President, Internet Service Providers Association
  13. Sh. LN Behra, DIG, Director, Central Bureau of Investigation
  14. Sh. K N Gupta, Controller of Certifying Authority
  15. Sh. Qamar Ahmed, Addl. C.P/Crime, DG Police by rotation from the States
  16. Prof. R S Sirohi, IIT Delhi, Director, IIT Delhi
  17. Sh. Sanjay Dhawan, Exec Director, KPMG, Representing CII
  18. Sh. M.A.J. Jeyaseelan, Secretary, FICCI
  19. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM
  20. Sh. A B Saha, Senior Director, Ministry of IT - Member Convener

 

First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 18th March 2001 to consider adjourned agenda of the first meeting held on 6th March 2001

List of Participants

  1. Sh. Pramod Mahajan, Minister, Information Technology - Chairman
  2. Sh. N.L. Meenu, Jt. Secretary, Legislative Department
  3. Sh. Vinay Kohli, Secretary, Ministry of Information Technology
  4. Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
  5. Dr. Jaimini Bhagwati, Ministry of Finance
  6. Maj. Gen. M G Datar, Ministry of Defence
  7. Sh. Mukesh Mittal, Dy Secy, Ministry of Home Affairs
  8. Sh. T A Khan, Sr. Dir, NIC, Ministry of Commerce
  9. Sh. K.R. Ganapathy, CGM-IC, RBI
  10. Sh. Dewang Mehta, President, NASSCOM
  11. Sh. Amitabh Singhal, President, Internet Service Providers Association
  12. Sh. LN Behra, DIG, Director, Central Bureau of Investigation
  13. Sh. K N Gupta, Controller of Certifying Authority
  14. Sh. Dinesh Bhatt, Dy. Police Commissioner, Delhi
  15. Prof. R S Sirohi, IIT Delhi, Director, IIT Delhi
  16. Sh. Sanjay Dhawan, Exec Director, KPMG, Representing CII
  17. Sh. M.A.J. Jeyaseelan, Secretary, FICCI
  18. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM
  19. Sh. A B Saha, Senior Director, Ministry of IT - Member Convener
