Digital signatures in India
Electronic documents need to be signed to assure recipients
of their authenticity, and digital signatures fulfil this need. Dominic K
reports
Digital signatures have been in use for quite a while to authenticate various e-commerce
and m-commerce transactions. Today, the processes of creating and verifying
a digital signature provide a high level of assurance to the involved parties
that the e-signature is genuinely the signer’s, and that the electronic
document (or the e-contract) is authentic.
As is the case with Electronic Data Interchange (EDI), the
process of creating and verifying digital signatures can be completely automated
with minimal human interaction. Compared to the tedious and labour-intensive
paper methods such as checking specimen signature cards, digital signatures
yield a high degree of assurance without adding greatly to the resources required
for processing documents.
As a strong believer in the concept, Ketan Parekh, the Chief
Technology Officer of Sharekhan says, “Our organisation uses digital signatures
for applications related to the authorisation of online fund transfers with
certain banks. This has helped us authenticate the documentation process that
we follow.”
Yet another CIO, Ashok Adhikari, Associate Director of Systems
at Aker Kvaerner, is of the opinion that digital signatures bring significant
value to his organisation. “The applications are limited to engineering
drawings and for e-procurement. Although the use of digital signatures is currently
limited to certain applications, we are testing the same and plan to deploy
it in a phased manner since I feel that it will facilitate our business processes
across the globe.”
A digital foundation of trust
A digital signature is a cryptographic assurance scheme that lets both parties (sender and receiver)
trust an electronic document: it binds the document to the signer's key, and any change made
after signing causes verification to fail. That makes the document tamper-evident rather than
tamper-proof, and only for as long as it stays in electronic form; a printout carries no signature
that anyone can verify.
To get technical, according to ISO/IEC 7498-2, a digital signature is defined
as “data appended to, or a cryptographic transformation of a data unit,
that allows the recipient of a data unit to prove the source and integrity of
the data unit and protect against forgery.”
For individuals
A digital signature involves a key pair: a private key, which the signer keeps secret, and a
public key, which anyone may hold. To sign, the sender's software computes a cryptographic hash
of the document and transforms that hash with the private key; the result is the signature, which
travels alongside the document. The recipient recomputes the hash of the document as received and
checks the signature against it using the sender's public key. If the check passes, the document
must have come from the holder of the private key and cannot have changed since it was signed; if
even one byte was altered en route, the check fails. Signing is not encryption: the document
itself travels in the clear, and anyone on the path can read it. A signature gives authenticity
and integrity, not confidentiality; if the contents must be kept secret, the document has to be
encrypted as a separate step.
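The sign-and-verify round trip described above, as an added example that is not code from the original article. It uses Go's standard library (RSA-PSS over a SHA-256 digest; the article does not say which algorithm Indian CAs use, so that choice is an assumption) and a constructed fund-transfer instruction as the document. It shows the two things the paragraph stresses: the document is never encrypted, and a one-digit change to the amount, or a check against the wrong public key, makes verification fail.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDocument produces a detached signature over doc. Only the SHA-256 digest
// of the document is transformed with the private key (RSA-PSS); the document
// itself is left exactly as it was and travels in the clear.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyDocument recomputes the digest over the document the recipient actually
// received and checks the signature against the claimed signer's public key.
// It returns true only if the document is byte-for-byte what was signed and the
// signature was made with the matching private key.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome records what a recipient concludes in three situations.
type Outcome struct {
	Genuine  bool // untouched document checked with the signer's own public key
	Tampered bool // one field changed in transit, same signature
	WrongKey bool // untouched document checked with an unrelated party's key
}

// Demo runs the round trip on a constructed fund-transfer instruction
// (sample data made up for this example; the account numbers are not real).
func Demo() (Outcome, error) {
	signerKey, err := rsa.GenerateKey(rand.Reader, 2048) // the sender's key pair
	if err != nil {
		return Outcome{}, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // some unrelated party's key pair
	if err != nil {
		return Outcome{}, err
	}

	instruction := []byte("TRANSFER INR 250000 FROM 1234567890 TO 0987654321 REF 2006-0042")
	sig, err := SignDocument(signerKey, instruction)
	if err != nil {
		return Outcome{}, err
	}

	// Someone on the path can read the instruction in full (signing is not
	// encryption), but changing even one digit of the amount breaks the signature.
	forged := bytes.Replace(instruction, []byte("250000"), []byte("950000"), 1)

	return Outcome{
		Genuine:  VerifyDocument(&signerKey.PublicKey, instruction, sig),
		Tampered: VerifyDocument(&signerKey.PublicKey, forged, sig),
		WrongKey: VerifyDocument(&otherKey.PublicKey, instruction, sig),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine document verifies:              %v\n", out.Genuine)
	fmt.Printf("tampered document verifies:             %v\n", out.Tampered)
	fmt.Printf("verifies under another party's key:     %v\n", out.WrongKey)
}
```

The signature is "detached": it is a separate byte string sent with the document, which is how most document-signing formats work. Hashing first means the signature has a fixed size however large the document is, and it is the hash that ties the signature to the exact bytes signed.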
There are several mechanisms for authenticating a person or the information on a computer,
and they are not interchangeable. A password authenticates a person to a system. A checksum or
CRC (cyclic redundancy check) only detects accidental corruption: anyone who alters a file can
recompute it, so it gives no protection against deliberate tampering. Secret-key (symmetric)
encryption, public-key cryptography and digital certificates are the mechanisms that can bind
data to a party who holds a key.
Digital certificates for machines
It’s not just individuals who need to be authenticated. Servers need to
prove their identity too, and that is where a digital certificate comes into
the picture: it binds a Web server’s name to its public key, so a client can
check that it is talking to the server it intended and that the information
sent to and received from it has not been altered in transit. The binding can be
trusted because it has been verified and signed by an independent party known as a
certificate authority. The certificate authority vouches for the identity behind a
public key; it does not vouch for how well either system is secured.
A Certification Authority (CA) issues certificates and stands responsible for
them. The CA signs each certificate, so anyone who holds the CA’s public key can tell
which CA issued it, and the signature ensures that no third party has altered
or corrupted the certificate at any point after issue.
In India, the Indian IT Act authorises the Controller of
Certifying Authorities (CCA) to license and regulate the working of CAs, who,
in turn, issue digital signature certificates for electronic authentication
of users.
At present, the organisations acting as licensed CAs are the National Informatics
Centre, Customs and Central Excise, Institute for Development & Research
in Banking Technology, SafeScrypt, Tata Consultancy Services, MTNL and (n)Code
Solutions.
It is the responsibility of the CCA to certify the public keys of the licensed CAs by signing
them with its own private key. This enables users in cyberspace to verify that a given
certificate was issued by a licensed CA: a subscriber’s certificate is signed by the CA, and
the CA’s certificate is in turn signed by the CCA’s root. The CCA operates this root as the Root
Certifying Authority of India (RCAI). The CCA also maintains the National Repository of Digital
Certificates (NRDC), which holds the certificates issued by all the CAs in the country.
Classes of digital signatures
These are categorised into three classes according to how the subscriber’s identity is checked.
Class 1 certificates carry no legal validity for signing, as the validation process is based only
on a working e-mail ID and involves no direct verification of identity.
For Class 2, a person’s identity is verified against a trusted, pre-verified database.
Class 3 requires that the person present himself or herself before a Registration Authority (RA)
and prove his or her identity in person.
The digital certificate usually contains data such as the owner’s name,
company and address, as well as the owner’s public key, along with the
certificate’s serial number and validity period. The certificate also includes
the certifying company’s ID and its digital signature.
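The CCA-signs-CA-signs-subscriber chain described under "Digital certificates for machines" and the certificate contents listed in the paragraph above, as an added example that is not code from the original article. It uses Go's standard X.509 library with ECDSA P-256 keys (an assumption for speed; the article does not name the algorithm), and the names "Example Root CA", "Example Licensed CA", "Unlicensed CA" and the subscriber details are made up stand-ins for RCAI, a licensed CA and a subscriber. A relying party that trusts only the root accepts the subscriber of the licensed CA, rejects the same subscriber when the CA's certificate is missing from the chain, and rejects a subscriber whose CA is outside the hierarchy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh key pair and a certificate for it. With parent nil the
// certificate is self-signed (a root, the role RCAI plays); otherwise it is signed
// with parentKey, the private key belonging to parent.
func issue(subject pkix.Name, isCA bool, serial int64,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),  // certificate serial number
		Subject:               subject,             // owner's name, organisation, locality
		NotBefore:             now.Add(-time.Hour), // validity period
		NotAfter:              now.AddDate(1, 0, 0),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	// The issuer's signature over the subject name, public key, serial and validity
	// is what tells a verifier which CA issued the certificate and that it has
	// not been altered since.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Hierarchy mirrors the Indian arrangement: a root certifies the public key of a
// licensed CA, which issues the subscriber's certificate. A second, self-signed
// "unlicensed" CA shows what happens to a certificate from outside the hierarchy.
type Hierarchy struct {
	Root, LicensedCA, Subscriber *x509.Certificate
	RogueRoot, RogueSubscriber  *x509.Certificate
}

func BuildHierarchy() (*Hierarchy, error) {
	root, rootKey, err := issue(pkix.Name{CommonName: "Example Root CA"}, true, 1, nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := issue(pkix.Name{CommonName: "Example Licensed CA",
		Organization: []string{"Example CA Ltd"}}, true, 2, root, rootKey)
	if err != nil {
		return nil, err
	}
	sub, _, err := issue(pkix.Name{CommonName: "A. Subscriber", // constructed subscriber details
		Organization: []string{"Example Broking Pvt Ltd"}, Locality: []string{"Mumbai"}}, false, 1001, ca, caKey)
	if err != nil {
		return nil, err
	}
	rogueRoot, rogueKey, err := issue(pkix.Name{CommonName: "Unlicensed CA"}, true, 1, nil, nil)
	if err != nil {
		return nil, err
	}
	rogueSub, _, err := issue(pkix.Name{CommonName: "A. Subscriber"}, false, 7, rogueRoot, rogueKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, LicensedCA: ca, Subscriber: sub, RogueRoot: rogueRoot, RogueSubscriber: rogueSub}, nil
}

// VerifyChain asks the relying party's question: does leaf chain, through the
// supplied intermediates, to a root I trust? Returns nil on success.
func VerifyChain(leaf *x509.Certificate, trustedRoots, intermediates []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustedRoots {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // document signing, not a TLS server
	return err
}

// Results records what a relying party that trusts only Root concludes.
type Results struct{ LicensedOK, WithoutCACertOK, RogueOK bool }

func (h *Hierarchy) Check() Results {
	trusted := []*x509.Certificate{h.Root}
	return Results{
		LicensedOK:      VerifyChain(h.Subscriber, trusted, []*x509.Certificate{h.LicensedCA}) == nil,
		WithoutCACertOK: VerifyChain(h.Subscriber, trusted, nil) == nil,
		RogueOK:         VerifyChain(h.RogueSubscriber, trusted, []*x509.Certificate{h.RogueRoot}) == nil,
	}
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s issued by %s\n", h.Subscriber.Subject.CommonName, h.Subscriber.Issuer.CommonName)
	fmt.Printf("%+v\n", h.Check())
}
```

The relying party never needs to contact the CCA or the CA: holding the root's public key and the CA's certificate is enough to check the whole chain offline, which is what makes the arrangement scale. Revocation checking, which the article does not discuss, is the part that still needs a live source.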
In a mortgage, for example, the credit investigation, loan processing, underwriting and document preparation
steps can also be done electronically. The borrowers can sign all the loan papers,
and the mortgage or trust deed can be notarised over the Internet. Funds can
be wire-transferred along with electronic authorisation.
IT Act 2000
The Indian Information Technology Act 2000 (‘Act’)
came into effect from October 17, 2000. The Act is by and large based on the
United Nations Commission on International Trade Law (UNCITRAL) model law on
electronic commerce.
The objective of the Act is to provide for legal recognition
of electronic transactions and digital signatures. Section 5 of the Act gives
legal recognition to digital signatures. Digital signatures have been legalised
in India since 2000. However, since then, hardly any provisions of the Act have
been implemented, except for the appointment of the Certifying Authority which
took place in 2001.
A long way to go
Although they deliver many of the desired attributes of electronic commerce, such
as speed of transactions and reduced paper-work, digital signatures are
still not a widely accepted concept in India. Given the technicalities
involved, limited uptake is the norm, except in certain cases where the use of
digital signatures has been mandated by law, such as filings with the Ministry
of Company Affairs.
Though the concept of digital signatures is a powerful tool,
it has been difficult to move the concept from theory to reality because of
multiple reasons. Some of the reasons include cultural reticence, unequal access
to technology, and the lack of an adequate legal and service infrastructure
to support such a major shift. In India, paper-based documents continue to be
seen as more trustworthy than electronic ones largely because they are tangible
and people are used to them.
As Bijesh Thakker, Managing Partner, Thakker & Thakker
states, “There are many provisions under the Act, which, although much
required, have till date not been implemented. Although statutory recognition
is attached to the digital signature, their legal status is yet to be well-defined
and interpreted since the validity of digital signatures has not yet been challenged
in any Indian court.”
The good thing about digital certificates is that you do not
need to buy expensive software to use them. The features needed to support digital
certificates are built into operating systems and messaging applications including
the ubiquitous Outlook/Outlook Express and Notes/Domino. However, companies
deploying this technology will have to buy certificates from a CA, and the pricing
varies with the use to which a certificate is put.
Costs vary for the three classes of digital certificates. Class 1 is for e-mail.
Class 2 is for forms and electronic contracts. Class 3 is for high-assurance
certification such as VPN. Irrespective of the class, pricing is on a per-user
basis. For Class 1 it works out to about Rs 500 per user. For Class 2 it is
Rs 2,000 to 3,000 per user, and for Class 3 it would be in the range of Rs 3,000
to 4,000 per user. This is one of the reasons why digital signatures are used
mostly by large companies.
- Legal recognition of digital signatures (section
5). "Where any law provides that information or any other matter
shall be authenticated by affixing the signature, or any document should
be signed or bear the signature of any person, then, notwithstanding
anything contained in such law, such requirement shall be deemed to
have been satisfied if such information or matter is authenticated by
the means of digital signature affixed in such manner as may be prescribed
by the Central Government."
- Electronic Record (Section 2(1)(t)).
"Means data, record or data generated, image or sound stored, received
or sent in an electronic form, or microfilm or computer generated micro-fiche."
- Legal recognition of Electronic Record (section
4). "Where any law provides that the information or any other
matter shall be in writing or in typewritten or printed form, then,
notwithstanding anything contained in such law, such requirement shall
be deemed to have been satisfied if such information or matter is: (a)
rendered or made available in an electronic form; and (b) accessible
so as to be usable for a subsequent reference."
- Secure Electronic Record (Section 14).
"Where any security procedure has been applied to an electronic
record at a specific point of time, then such record shall be deemed
to be a secure electronic record from such point of time to the time
of verification."
- Secure Digital Signature (Section 15).
"If, by application of a security procedure agreed to by the parties
concerned, it can be verified that a digital signature, at the time
it was affixed, was: (a) unique to the subscriber affixing it; (b) capable
of identifying such subscriber; (c) created in a manner or using a means
under the exclusive control of the subscriber and is linked to the electronic
record to which it relates in such a manner that if the electronic record
was altered the digital signature would be invalidated, then such digital
signature shall be deemed to be a secure digital signature."
- Certifying Authority (Section 2(1)(g)).
"Means a person who has been granted a licence to issue a Digital
Signature Certificate under section 24" (issuance of certificates
by Controller).
- Treatment of Certification Authorities (Chapter
VI). "This Act authorises the Central Government to appoint
a Controller of Certifying Authorities. The duties of the Controller
are listed under Chapter VI of the Act, and include exercising supervision
over the activities of certification authorities and defining the duties
of these certification authorities."
Courtesy: Karnika Seth
Towards wider adoption
The adoption of digital signatures in India is still at an early stage. Though
the idea of digital signatures appears to be sound, it has not lived up to expectations.
At the moment, applications of digital signatures are limited to sectors such
as banking and financial services, online stock-trading portals, and engineering
conglomerates (to authenticate critical engineering drawings and documents).
The government continues to stress e-governance as an effective delivery channel
for government services to citizens, and this just might provide the much-needed
push for adoption of the technology. However, users are strongly resisting
the introduction of client-side digital certificates for
effective authentication. Until this resistance abates, digital signatures will
have to struggle for recognition.
Nevertheless, the trend is catching on, as Ram Babu, Country Head, Technology
Solutions at Standard Chartered Bank points out. “I feel that process simplification
and modification, and other enablers such as low cost and security, should help
Indian enterprises accept the technology and processes involved, and deploy
the solution at their end beyond what is currently being used.”