---
abstract: |
  The Department of Electronics & Information Technology, Ministry of Communications & Information Technology responded to a right to information (RTI) application filed by Saket Bisani on behalf of the Centre for Internet & Society on July 13, 2012 through notification No. 14(110)/2012-ESD, dated October 3, 2010.
author:
- Pranesh Prakash
authors:
- Pranesh Prakash
categories:
- Internet governance
citation:
  author: Pranesh Prakash
  available-date:
    date-parts:
    - - 2013
      - 1
      - 9
    iso-8601: 2013-01-09
    literal: 2013-01-09
    raw: 2013-01-09
  citation-key: prakash2013response
  container-title: Centre for Internet and Society
  id: prakash2013response
  issued:
    date-parts:
    - - 2013
      - 1
      - 9
    iso-8601: 2013-1-9
  title: Response to RTI on Decisions of the Cyber Regulation Advisory Committee
  type: webpage
  URL: "https://cis-india.org/internet-governance/resources/deity-response-to-rti-on-decisions-of-crac"
comments:
  hypothesis:
    theme: clean
date: 2013-01-09
keywords:
- Internet governance
license:
  text: CC BY 4.0
  type: creative-commons
  url: "https://creativecommons.org/licenses/by/4.0/"
listing-page: ../../policy
original-url: "https://cis-india.org/internet-governance/resources/deity-response-to-rti-on-decisions-of-crac"
publication: Centre for Internet and Society
title: Response to RTI on Decisions of the Cyber Regulation Advisory Committee
title-block-categories: true
toc-title: Table of contents
---

**No. 14(110)/2012-ESD** M/o Communications & Information Technology Department of Electronics & Information Technology Electronics Niketan, 6, CGO Complex New Delhi-110003

**Dated: 3.10.2012**

**Subject: RTI application received from Shri Saket Biswani**

With reference to your RTI application dated 13.7.12 requesting for the following information.

Question

a\) Please provide me a list of the dates of each meeting of the CRAC held from October 18, 2000 till July 13, 2012?

b\) Please provide me copies of the minutes of every meeting held by the Cyber Regulation Advisory Committee from October 18, 2000 till July 13, 2012.

c\) Provide me the list of all policy decisions that the CRAC has advised the Central Government on under section 88(3) (a) of the Information Technology.

d\) Provide me a list of all policy decisions that the CRAC has advised the Central Government on under section 88(3)(a) of the Information Technology Act, 2000.

The information as received from the custodian of the information is placed below:

Answer

a\) The meetings of CRAC were held on 6^th^ March, 2001 and 17-18 March, 2001.

b\) Minutes of these two meetings of CRAC are attached.

c\) No such advice was given by CRAC to DeitY under section 88(3)(a).

d\) Information is attached.

(A.K. Kaushik) Additional Director & CPIO (E-Security & Cyber Laws)

To: Shri Saket Bisani No. 194, 2^nd^ \'C\' Cross, Domlur 2^nd^ Stage Bangalore-560 071

**Minutes of the First Meeting of the Cyber Regulation Advisory Committee (CRAC) held on March 6, 2001, at Electronics Niketan, under the Chairmanship of Hon'ble Minister (IT) Shri Pramod Mahajan.**

(*List of Participants enclosed as Annexure-A*)

1.  The chairman welcomed the participants to the First Meeting of the Committee. In his opening remarks he hoped that the Committee would play a constructive role in the implementation of the Information Technology Act.
2.  While introducing the Agenda (circulated ahead of the meeting), Controller of Certifying Authorities (CCA) made a short presentation on proposed \"Regulations under section 89 of the IT Act\" consisting of 18 proposed Regulations, Smart Card as token carrying Keys, and various suggested Amendments to the IT Act 2000.
3.  During the ensuing discussions, participants sought some time to study and collate associated inputs from their respective colleagues/specialists before offering any concrete suggestions/recommendations. Chairman agreed to the suggestions and postponed the meeting to 11:00 AM on March 17, 2001 at the same venue. Based on the recommendation of Secretary (IT), members were requested to forward their inputs, if any, through e-mail within a week's time to the following:

  ------------------------------------------------------------------- ---------------------------------------------------------------
  For Regulations under section 89 of IT Act                          For amendments to IT Act 2000

  Shri K.N. Gupta (CCA)\                                              Shri A.B. Saha (Member Secretary)\
  Room No. 4006,\                                                     Room No. 2055,\
  Electronics Niketan\                                                Electronics Niketan\
  6 CGO Complex\                                                      6 CGO Complex\
  New Delhi 110003\                                                   New Delhi 110003\
  e-mail:[kgupta@mit.gov.in](mailto:kgupta@mit.gov.in){.mail-link}\   e-mail:[saha@mit.gov.in](mailto:saha@mit.gov.in){.mail-link}\
  Tele: 436 3073\                                                     Tele: 436 0958\
  Fax: 439 5982\                                                      Fax: 436 2924
  \                                                                   
  ------------------------------------------------------------------- ---------------------------------------------------------------

Meeting ended with a vote of thanks to the Chair.

**Minutes of the Second Meeting of the Cyber Regulation Advisory Committee (CRAC) held on 17-18 March, 2001 at Electronics Niketan, New Delhi under the Chairmanship of Hon\'ble Minister (IT), Shri Pramod Mahajan.**

(*List of Participants enclosed as Annexure-A*)

1.  The chairman welcomed the participants to the second meeting of the Committee to consider further the draft regulations proposed by the Controller of Certifying Authority (CCA).
2.  During the ensuing discussions, following general recommendations/decisions were arrived at governing the overall formulation of the regulations that are necessary to bring about infrastructure facilitating activities envisaged under the IT Act 2000:

a\) Any regulation to be framed by the Controller draws its authority only from Section 89(2) of the Act. Moreover, such regulations should complement the Rules already framed under the Section 87 of the Act.

b\) To keep pace with the changing technology and standards, CCA may publicly notify/modify necessary specifications of technology, standards and procedures at regular interval (say, January of every year). Moreover, to adhere to the \"principles of minimal governance\", if any particular necessity emerges for inclusion of newer manifestations of any existing standard/technology/procedure, Controller should respond within ninety (90) days after receiving any specific request in writing, failing which it will be deemed to have obtained his concurrence.

c\) The commercial practices/interests may form the essential pedestal for the certification process. Aspects of cross-certification may preferably be left to the purview of the concerned market forces. However, the necessary interoperability will essentially be \"market-driven\" and not \"authority-driven\". This will also ensure that formulated rules and regulations stay in tune with market realities.

d\) Strict adherence to open standards should be ensured to avoid emergence of monopoly of any kind.

e\) Considering cost sensitiveness of the requisite digital signature certificate, families of technologies varying in convenience, reliability, availability, robustness, etc. may be allowed to inter-operate. However, CCA may undertake public awareness campaign to promote desirable best practices from time to time.

f\) The minimal regulations facilitating activities envisaged in the Act is desirable. Some of the proposed provisions can also be ensured in the form of \"terms & conditions\" governing the operations of Certifying Authorities.

g\) Emergence of guidelines governing smooth functioning may be better left to publications brought out by industry associations, public-minded professionals etc. Formulating rules and regulations in these regards should be minimal.

3\. After framing the draft compilation of the requisite regulations in accordance with the conventional legal form in terms of content as well as structure with the assistance of the Ministry of Law, the regulations may be brought to the Ministry of Information Technology for approval.

4\. The Committee considered the 18 regulations proposed in Agenda Item No.1 and the statement reproduced below contains the decision taken against each proposal.

  ----------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------
  SI                      Item                                                                                                                                                                                                                                Conclusions

  1                       Regulation 1\                                                                                                                                                                                                                       Regulation not required.\
                          Standardising on two key-pairs for PKI in the country.\                                                                                                                                                                             Encryption Key pair not part of the IT Act.\
                          Key-pair generation for subscribers by CAs.                                                                                                                                                                                         Already covered under Rule 3, 4 & 5 of notified CA Rules.\
                                                                                                                                                                                                                                                              Subscriber should be at liberty to bring his key pair that CA may verify before acceptance. (Section 40 of the Act)

  2                       Regulation 2\                                                                                                                                                                                                                       Regulation not required.\
                          Encryption key-pair of subscribers to be maintained by CAs in a database and made available to enforcement and law agencies under directions of the Controller.                                                                     IT Act is silent regarding encryption.\

  3                       Regulation 3\                                                                                                                                                                                                                       Disclosure may be done every six months.\
                          Disclosure Record of CA.                                                                                                                                                                                                            Necessary format for disclosure may be notified from time to time. (Para 2(f) above)

  4                       Regulation 4\                                                                                                                                                                                                                       Regulation not required in accordance to conclusions against 1 & 2 above.
                          Encryption Key Pair of CA to be made available to the Controller.                                                                                                                                                                   

  5                       Regulation 5\                                                                                                                                                                                                                       As per recommendation 2(c) above.
                          Cross-Certification with foreign CAs.                                                                                                                                                                                               

  6                       Regulation 6\                                                                                                                                                                                                                       Can be merged with regulation 11.\
                          Terms and Conditions subject to which license shall be issued by the Controller to the prospective CAs.                                                                                                                             As per the recommendation mentioned in 2(c) above.

  7                       Regulation 7\                                                                                                                                                                                                                       As per the recommendation 2(b) above.
                          Standards that may be considered for different activities associated with the CAs functions including standardization of contents of the Certificates to be issued by CAs and standardization of the Certificate Revocation List.   

  8                       Regulation 8\                                                                                                                                                                                                                       CA must harness all form of networks and other practical media, and not only Internet, for disclosure to its subscriber and other interested parties.
                          Information to be made publicly available by a CA on its website.\                                                                                                                                                                  
                          Notice of suspension or revocation of license.                                                                                                                                                                                      

  9                       Regulation 9\                                                                                                                                                                                                                       Agreed.
                          Standardisation of Certificate Practice Statement.                                                                                                                                                                                  

  10                      Regulation 10\                                                                                                                                                                                                                      Agreed.
                          Compromise of subscribers Digital Signature Key-Pair                                                                                                                                                                                

  11                      Regulation 11\                                                                                                                                                                                                                      Shall be merged with regulation 6 above.\
                          Description of classes of Certificates.                                                                                                                                                                                             In addition to 3 classes of certificates as identified by international bodies, the regulation should be open to additional classes of certificates, if required.

  12                      Regulation 12\                                                                                                                                                                                                                      It should be market-driven. (Recommendation 2(c) above).
                          Cross-Certification of CAs.                                                                                                                                                                                                         

  13                      Regulation 13\                                                                                                                                                                                                                      Regulation not required.\
                          Incorporation of Controllers Public Key Certificate as the \"root" in all web browsers in the country.                                                                                                                              Need for integrating Controller\'s root key in\
                                                                                                                                                                                                                                                              the browsers may not be feasible.

  14                      Regulation 14\                                                                                                                                                                                                                      Agreed for the provision of 1024 bits for subscriber/end-user and 2048 bits for CAs key pair.
                          Minimum key length for CAs and subscribers.                                                                                                                                                                                         

  15                      Regulation 15\                                                                                                                                                                                                                      Regulation not required.\
                          Audit of applicants to include manpower audit as well.\                                                                                                                                                                             Audit provision has already been covered\
                          Liability of CAs towards subscribers on account of their negligence.                                                                                                                                                                under Rule 31 of CA rules notified by MIT.

  16                      Regulation 16\                                                                                                                                                                                                                      Not to be regulated.\
                          Storage of Key-Pairs of CAs.\                                                                                                                                                                                                       Recommendation 2(e) above shall be followed.
                          Distribution of Key-Pairs / Certificates of subscribers by CAs.                                                                                                                                                                     

  17                      Regulation 17\                                                                                                                                                                                                                      Already covered under rule 10 of CA rules notified by MIT. Any additional information can be sought through the recourse of public notices from time to time.
                          Documents to be submitted to the Controller along with the application for obtaining license to operate as CA.                                                                                                                      

  18                      Regulation 18\                                                                                                                                                                                                                      Agreed.
                          Upon acceptance of PKC by a subscriber, the PKC shall be published by the CA as required under the IT Act for access by the subscribers and relying parties.\                                                                       
                          The CA will ensure the transmission of PKC and CRLs to the National Repository to be maintained by the Controller.                                                                                                                  
  ----------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------

Meeting ended with a vote of thanks to the Chair.

[Annexure - A]{style="text-decoration:underline"}

First sitting of the second meeting of the "Cyber Regulation Advisory Committee" held on 17th March 2001 to consider adjourned agenda of the first meeting held on 6th March 2001

*[List of Participants]{style="text-decoration:underline"}*

1.  Sh Pramod Mahajan, Minister, Information Technology - Chairman
2.  Sh. S.C Jain, Secretary, Legislative Department
3.  Sh Vinay Kohli, Secretary, Ministry of Information Technology
4.  Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
5.  Dr. Jaimini Bhagwati, Ministry of Finance
6.  Maj.Gen. M. G. Datar, Addl.D.G, IT, Army HQ, Ministry of Defence
7.  Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
8.  Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
9.  Sh. K.R Ganapathy, CGM-IC, RBI
10. Sh. S.R. Mittal, Adviser, DIT, Reserve Bank of India
11. Sh Dewang Mehta, President, NASSCOM
12. Sh Amitabh Singhal, President, Internet Service Providers Association
13. Sh LN Behra, DIG, Director, Central Bureau of Investigation
14. Sh K N Gupta, Controller of Certifying Authority
15. Sh. Qamar Ahmed, Addl.C.P/Crime, DG Police by rotation from the States
16. Prof. R S Sirohi, IIT Delhi, Director, IIT Delhi
17. Sh. Sanjay Dhawan, Exec Director, KPMG, Representing CII
18. Sh. M.A.J. Jeyaseelan, Secretary, FICCI
19. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM
20. Sh A B Saha, Senior Director, Ministry of IT - Member Convener

First sitting of the second meeting of the "Cyber Regulation Advisory Committee" held on 18th March 2001 to consider adjourned agenda of the first meeting held on 6th March 2001

*[List of Participants]{style="text-decoration:underline"}*

1.  Sh Pramod Mahajan, Minister, Information Technology - Chairman
2.  Sh. N.L. Meenu, Jt. Secretary, Legislative Department
3.  Sh Vinay Kohli, Secretary, Ministry of Information Technology
4.  Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
5.  Dr. Jaimini Bhagwati, Ministry of Finance
6.  Maj.Gen. M G Datar, Ministry of Defence
7.  Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
8.  Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
9.  Sh. K.R Ganapathy, CGM-IC, RBI
10. Sh Dewang Mehta, President, NASSCOM
11. Sh Amitabh Singhal, President, Internet Service Providers Association
12. Sh LN Behra, DIG, Director, Central Bureau of Investigation
13. Sh K N Gupta, Controller of Certifying Authority
14. Sh. Dinesh Bhatt, Dy. Police Commissioner, Delhi
15. Prof. R S Sirohi, IIT Delhi, Director, IIT Delhi
16. Sh. Sanjay Dhawan, Exec Director, KPMG, Representing CII
17. Sh. M.A.J. Jeyaseelan, Secretary, FICCI
18. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM
19. Sh A B Saha, Senior Director, Ministry of IT - Member Convener
