Govt suspends 3 digital certificates by NIC to prevent misuse

The Controller of Certifying Authorities suspended three digital certificates issued by the National Informatics Centre Certifying Authority (NIC-CA) to prevent their misuse, Parliament was informed today.
Digital Signature Certificates (DSCs) are issued by Certifying Authorities for electronic authentication of users, Communication and IT Minister Ravi Shankar Prasad told Lok Sabha.
The Controller of Certifying Authorities, which is appointed under the Information Technology Act, 2000, licences Certifying Authorities to issue Digital Signature Certificates.
Digital Signature Certificates are issued under Sub Section 4 of Section 35 of the IT Act and they facilitate e-commerce and e-filing of documents through authentication of users and their transactions, he added.

"Three certificates issued to NIC-CA were suspended by CCA (Controller of Certifying Authorities. The unauthorised certificates that had been issued, were revoked by the NIC-CA. This was done to prevent misuse," Prasad said.
The incident has been investigated and the findings suggest that the perpetrators made an electronic intrusion in to the CA systems from outside India, he added.

"NIC-CA has been asked to revamp their infrastructure from all aspects -- technical, physical and procedural," Prasad said.
Besides, an advisory has been issued to all Certifying Authorities to examine and wherever necessary, strengthen security controls in the infrastructure used for Digital Signature Certificates issuance, the Minister added.

Last month, Google and Microsoft had complained about the unauthorised Digital Signature Certificates issued by NIC-CA.
Google in a blog post had said: "On Wednesday, July 2, we became aware of unauthorised digital certificates for several Google domains.
"The certificates were issued by NIC of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA)."
Similarly, Microsoft said it is aware of improperly issued SSL certificates that could be used in attempts to spoof content or perform phishing attacks.
"SSL certificates were improperly issued by NIC, which operates subordinate CAs under root CAs operated by Government of India's Controller of Certifying Authorities, which are CAs present in the Trusted Root Certification Authorities Store," it added.