National Certification Authority Task Force
With the rapid deployment of digital services and expansion of e-Government initiatives to deliver citizen services in the country, electronic transactions in Sri Lanka will grow substantially in the near future. This increases the probability of identity theft, financial fraud and other security breaches. Therefore, the requirement to authenticate citizens as well as organisations involved in digital transactions becomes pivotal.
To address this requirement, it is essential for a country to establish a national framework which defines legal, administrative and technical regulations for granting, managing and enforcing the use of digital certificates to establish the identities of citizens and organisations in the digital space to minimise fraud.
The Electronic Transactions Act No, 19 of 2006, amended by Act No. 25 of 2017, provides the legal basis for a national framework, with legal recognition for electronic signatures, including digital certificates. From a legal perspective, digital certificates have ensured that there is a mechanism to reliably and securely prove the origin, receipt and integrity of information and also to identify the parties involved in a digital transaction. The use of digital certificates also enables users to achieve transaction confidentiality and integrity using the public key cryptosystem and the hash function. The issue of digital certificates is done by certified third-party certificate service providers (CSPs).
The National Certification Authority (NCA) is the overall governance as well as the standard setting entity required for the smooth and effective functioning of Certification Service Providers (CSPs). Chapter IV of the Electronic Transactions Act No. 19 of 2006 grants authority for a recognised body to perform the function of the NCA and to establish an NCA task force to manage and administer the Certification Authority, having regard to the qualifications and experience as well as the need to represent relevant stakeholders, with the objective of ensuring its proper administration.
The NCA Task Force was first established in 2011 jointly by ICT Agency of Sri Lanka (ICTA) and Central Bank of Sri Lanka (CBSL), with ICTA’s Legal Advisor Jayantha Fernando CBSL Asst. Governor Janakie Mampitiya as Co-Chairs. The ICTA was designated to perform NCA functions on 24 September 2013 by Gazette Extraordinary 2147/58 made under Section 18 of the Electronic Transactions Act, while NCA operational functions were performed by Sri Lanka CERT. Part of the equipment for this purpose was also procured by ICTA under the “e-Sri Lanka Development Program”.
The Electronic Transactions (Amendment) Act No. 25 of 2017 further modernised Sri Lanka’s legal digital transactions framework by giving effect to Sri Lanka’s ratification of the UN Electronic Communications Convention. Further, this Amendment broadened the scope of application of electronic signatures, provided for licensing and authorising of CSPs while separating the NCA Task Force with the operations of NCA.
Pursuant to Gazette Extraordinary, 2147/58, dated 30 October 2019, Sri Lanka CERT was designated as the Certification Authority under Section 18 of the above Act to perform the functions of the NCA.
The key ceremony, a formal function to generate the Root certificate of the NCA, was held on 14 February and was carried out by the staff of Sri Lanka CERT. This was a major milestone in the annals of digital transactions in Sri Lanka. The Root Certificate facilitates secure digital transactions not only within Sri Lanka but also internationally with other countries. In order to enhance the operations of NCA as well as to ensure that digital certificates issued by the Sri Lankan NCA are recognised internationally, including web browser vendors (Browser forum), the objective of the NCA is to be “WebTrust standard” certified. Thus, Sri Lanka would become the first country in South Asia to adopt an international standard in this domain.
The simple but formal key generation ceremony was inaugurated by National Certification Authority (NCA) Task Force Co-Chair Jayantha Fernando. Fernando is Board Director of Sri Lanka CERT and Legal Advisor, ICTA. A detailed presentation on the operations NCA and the key generation ceremony was given by Sri Lanka CERT Operations Director Rohana Palliyaguru. This was followed by the key generation ceremony which was carried out step by step by the staff of Sri Lanka CERT, in the presence of WebTrust Auditors.
The ceremony was attended by the Task Force Co-Chair and CBSL Asst. Governor R. A. A. Jayalath, and Task Force Members, CEB DGM Rohan Seneviratne, Ministry of Defence Additional Secretary (Digital Infrastructure & Information Technology) Waruna Sri Dhanapala, Lanka Clear CEO Channa De Silva, Ministry of Defence Additional Secretary (Technical) S.G.A.R.K.R. Seneviratne and Sri Lanka CERT CEO Lal Dias. In addition, a number of other dignitaries including SLT Chairman Rohan Fernando, TRCSL DG Oshada Senanayake, and ICTA CEO Mahinda Herath attended this formal ceremony.