Response to RTI on Decisions of the Cyber Regulation Advisory Committee
The Department of Electronics & Information Technology, Ministry of Communications & Information Technology responded to a right to information (RTI) application filed by Saket Bisani on behalf of the Centre for Internet & Society on July 13, 2012 through notification No. 14(110)/2012-ESD, dated October 3, 2010.
No. 14(110)/2012-ESD
M/o Communiciations & Information Technology
Department of Electronics & Information Technology
Electronics Niketan, 6, CGO Complex
New Delhi-110003
Dated:3.10.2012
Subject: RTI application received from Shri Saket Biswani
With reference to your RTI application dated 13.7.12 requesting for the following information.
Question
a) Please provide me a list of the dates of each meeting of the CRAC held from October 18, 2000 till July 13, 2012?
b) Please provide me copies of the minutes of every meeting held by the Cyber Regulation Advisory Committee from October 18, 2000 till July 13, 2012.
c) Provide me the list of all policy decisions that the CRAC has advised the Central Government on under section 88(3) (a) of the Information Technology.
d) Provide me a list of all policy decisions that the CRAC has advised the Central Government on under section 88(3)(a) of the Information Technology Act, 2000.
The information as received from the custodian of the information is placed below:
Answer
a) The meetings of CRAC were held on 6th March, 2001 and 17-18 March, 2001.
b) Minutes of these two meetings of CRAC are attached.
c) No such advice was given by CRAC to DeitY under section 88(3)(a).
d) Information is attached.
(A.K. Kaushik)
Additional Director & CPIO
(E-Security & Cyber Laws)
To: Shri Saket Bisani
No. 194, 2nd 'C' Cross,
Domlur 2nd Stage
Bangalore-560 071
Minutes of the First Meeting of the Cyber Regulation Advisory Committee (CRAC) held on March 6, 2001, at Electronics Niketan, under the Chairmanship of Hon’ble Minister* (IT) Shri Pramod Mahajan.
(List of Participants enclosed as Annexure-A)
- The chairman welcomed the participants to the First Meeting of the Committee. In his opening remarks he hoped that the Committee would play a constructive role in the implementation of the Information Technology Act.
- While introducing the Agenda (circulated ahead of the meeting), Controller of Certifying Authorities (CCA) made a short presentation on proposed "Regulation.; under section 89 of the IT Act" consisting of 18 proposed Regulations, Smart Card as token carrying Keys, and various suggested Amendments to the IT ACT 2000.
- During the ensuing discussions, participants sought some time to study and collate associated inputs from their respective colleagues/specialists before offering any concrete suggestions/recommendations. Chairman agreed to the suggestions and postponed the meeting to 11:00 AM on the March 17, 2001 at the same venue. Based on the recommendation of Secretary (IT), members were requested to forward their inputs, if any, through e-mail within a weeks time to the following:
For Regulations wider section 89 of IT Act | For amendments to IT Act 2000 |
Shri K.N. Gupta (CCA) Room No. 4006, Electronics Niketan 6 CGO Complex New Delhi 110003 e-mail:[email protected] Tele: 436 3073 Fax: 439 5982 |
Shri A.B. Saha (Member Secretary) Room No. 2055, Electronics Niketan 6 CGO Complex New Delhi 110003 e-mail:[email protected] Tele: 436 0958 Fax: 436 2924 |
Meeting ended with a vote of thanks to the Chair.
Minutes of the Second Meeting of the Cyber Regulation Advisory Committee (CRAC) held on 17-18 March, 2001 at Electronics Niketan, New Delhi under the Chairmanship of Hon'ble Minister (IT), Shri Pramod Mahajan.
(List of Participants enclosed as Annexure-A)
- The chairman welcomed the participants to the second meeting of the Committee to consider further the draft regulations proposed by the Controller of Certifying Authority (CCA). ' " ~
- During the ensuing discussions, following general recommendations/decisions were arrived at governing the overall formulation of the regulations that are necessary to bring about infrastructure facilitating activities envisaged under the IT Act 2000:
a) Any regulation to be framed by the Controller draws its authority only from Section 89(2) of the Act. Moreover, such regulations should complement the Rules already framed under the Section 87 of the Act.
b) To keep pace with the changing technology and standards, CCA may publicly notify/modify necessary specifications of technology, standards and procedures at regular interval (say, January of every year). Moreover, to adhere to the "principles of minimal governance", if any particular necessity emerges for inclusion of newer manifestations of any existing standard/technology/procedure, Controller should respond within ninety (90) days after receiving any specific request in writing, failing which it will deemed to have obtained his concurrence.
c) The commercial practices/interests may form the essential pedestal for the certification process. Aspects of cross-certification may preferably be left to the purview of the concerned market forces. However, the necessary interoperability will essentially be "market-driven" and not "authority-driven". This will also ensure that formulated rules and regulations stay in tune with market realities.
d) Strict adherence to open standards should be ensured to avoid emergence of monopoly of any kind.
e) Considering cost sensitiveness of the requisite digital signature certificate, families of technologies varying in convenience, reliability, availability, robustness, etc. may be allowed to inter-operate. However, CCA may undertake public awareness campaign to promote desirable best practices from time to time.
f) The minimal regulations facilitating activities envisaged in the Act is desirable. Some of the proposed provisions can also be ensured in the form of "terms & conditions" governing the operations of Certifying Authorities.
g) Emergence of guidelines governing smooth functioning may be better left to publications brought out by industry associations, public-minded professionals etc. Formulating rules and regulations in these regards should be minimal.
3. After framing the draft compilation of the requisite regulations in accordance with the conventional legal form in terms of content as well as structure with the assistance of the Ministry of Law, the regulations may be brought to the Ministry of Information Technology for approval.
4 The Committee considered the 18 regulations proposed in Agenda Item No.1 and the statement reproduced below contains the decision taken against each proposal.
SI | Item | Conclusions |
---|---|---|
1 | Regulation 1 Standardising on two key-pairs for PKI in the country. Key-pair generation for subscribers by CAs. |
Regulation not required. Encryption Key pair not part of the IT Act. Already covered under Rule 3, 4 & 5 of notified CA Rules. Subscriber should be at liberty to bring his key pair that CA may verify before acceptance. (Section 40 of the Act) |
2 | Regulation 2 Encryption key-pair of subscribers to be maintained by CAs in a database and made available to enforcement and law agencies under directions of the Controller. |
Regulation not required. IT Act is silent regarding encryption. |
3 | Regulation 3 Disclosure Record of CA. |
Disclosure may be done every six months. Necessary format for disclosure may be notified from time to time. (Para 2(f) above) |
4 | Regulation 4 Encryption Key Pair of CA to be made available to the Controller. |
Regulation not required in accordance to conclusions against 1 & 2 above. |
5 | Regulation 5 Cross-Certification with foreign CAs. |
As per recommendation 2(c) above. |
6 | Regulation 6 Terms and Conditions subject to which license shall be issued by the Controller to the prospective CAs. |
Can be merged with regulation 11. As per the recommendation mentioned in 2(c) above. |
7 | Regulation 7 Standards that may be considered for different activities associated with the CAs functions including standardization of contents of the Certificates to be issued by CAs and standardization of the Certificate Revocation List. |
As per the recommendation 2(b) above. |
8 | Regulation 8 Information to be made publicly available by a CA on its website. Notice of suspension or revocation of license. |
CA must harness all form of networks and other practical media, and not only Internet, for disclosure to its subscriber and other interested parties. |
9 | Regulation 9 Standardisation of Certificate Practice Statement. |
Agreed. |
10 | Regulation 10 Compromise of subscribers Digital Signature Key-Pair |
Agreed. |
11 | Regulation 11 Description of classes of Certificates. |
Shall be merged with regulation 6 above. In addition to 3 classes of certificates as identified by international bodies, the regulation should be open to additional classes of certificates, if required. |
12 | Regulation 12 Cross-Certification of CAs. |
It should be market-driven. (Recommendation 2(c) above). |
13 | Regulation 13 Incorporation of Controllers Public Key Certificate as the "root” in all web browsers in the country. |
Regulation not required. Need for integrating Controller's root key in the browsers may not be feasible. |
14 | Regulation 14 Minimum key length for CAs and subscribers. |
Agreed for the provision of 1024 bits for subscriber/end-user and 2048 bits for CAs key pair. |
15 | Regulation 15 Audit of applicants to include manpower audit as well. Liability of CAs towards subscribers on account of their negligence. |
Regulation not required. Audit provision has already been covered under Rule 31 of CA rules notified by MIT. |
16 | Regulation 16 Storage of Key-Pairs of CAs. Distribution of Key-Pairs / Certificates of subscribers by CAs. |
Not to be regulated. Recommendation 2(e) above shall be followed. |
17 | Regulation 17 Documents to be submitted to the Controller along with the application for obtaining license to operate as CA. |
Already covered under rule 10 of CA rules notified by MIT. Any additional information can be sought through the recourse of public notices from time to time. |
18 | Regulation 18 Upon acceptance of PKC by a subscriber, the PKC shall be published by the CA as required under the IT Act for access by the subscribers and relying parties. The CA will ensure the transmission of PKC and CRLs to the National Repository to be maintained by the Controller. |
Agreed. |
Meeting ended with a vote of thanks to the Chair.
Annexure - A
First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 17th March 2001 to consider adjourned agenda of the first meeting held on 6ft March 2001
List of Participants
- Sh Pramod Mahajan, Minister, Information Technology - Chairman
- Sh.S.C Jain , Secretary, Legislative Department
- Sh Vinay Kohli, Secretary, Ministry of Information Technology
- Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
- Dr. Jaimini Bhagwati, Ministry of Finance
- Maj.Gen. M. G. Datar, Addl.D.G, IT, Army HQ, Ministry of Defence
- Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
- Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
- Sh. K.R Ganapathy,CGM-IC,RBI
10. Sh.S.R-Mittal,Adviser,DIT, Reserve Bank of India
11. Sh Dewang Mehta, President, NASSCOM
12. Sh Amitabh Singhal, President, Internet Service Providers Association
13. Sh LN Behra, DIG, Director, Central Bureau of Investigation
14. Sh K N Gupta, Controller of Certifying Authority
15. Sh. Qamar Ahmed. Addl.C.P/Crime, DG Police by rotation from the States
16. Prof. R S Sirohi. I1T Delhi, Director, IIT Delhi
17. Sh.Sanjay Dhawan, ExecDirector,KPMG, Representing CII
18. Sh. M.A.J.Jeyaseelan, Secretary, FICCI
19. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM
20. Sh A B Saha, Senior Director, Ministry of IT - Member Convener
First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 18th March 2001 to consider adjourned agenda of the first meeting held on 6ft March 2001
List of Participants
- Sh Pramod Mahajan, Minister, Information Technology - Chairman
- Sh.N.L. Meenu, Jt. Secretary, Legislative Department
- Sh Vinay Kohli, Secretary, Ministry of Information Technology
- Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
- Dr. Jaimoni Bhagwati, Ministry of Finance
- Maj.Gen. M G Datar, Ministry of Defence
- Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
- Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
- Sh. K.R Ganapathy,CGM-IC,RBI
10. Sh Dewang Mehta, President, NASSCOM
11. Sh Amitabh Singhal, President, Internet Service Providers Association
12. Sh LN Behra, DIG, Director, Central Bureau of Investigation
13. Sh K N Gupta, Controller of Certifying Authority
14. Sh. Dinesh Bhatt, Dy. Police Commissioner, Delhi
15. Prof. R S Sirohi. I1T Delhi, Director, IIT Delhi
16. Sh.Sanjay Dhawan, ExecDirector,KPMG, Representing CII
17. Sh. M.A.J.Jeyaseelan, Secretary, FICCI
18. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM
19. Sh A B Saha, Senior Director, Ministry of IT - Member Convener