Chapter V
Digital Signature
Many legal provisions assume the existence of paper-based records, documents, signatures, etc. Electronic means, however, eliminate the need for various paper transactions and demand corresponding changes in the legal system. Therefore, in order to facilitate e-commerce, to protect the interests of the people using the means of information technology, and to make the necessary changes in the Acts relating to information technology, the Information Technology Act of 2000 has been passed. The provisions of this Act relating to digital signatures, electronic governance, electronic records and certifying authorities, which have been prescribed for the examination, are considered in this chapter.
DIGITAL SIGNATURE
A person puts his or her signature on different papers, letters, documents, etc. in order to reveal his or her identity or to authenticate the documents. Persons who are illiterate have to put their thumb impressions on the documents, following certain formalities, in order to make the documents valid. Signatures serve certain basic purposes. In the first place, a signature authenticates the writing by identifying the signer with the material, letter, document, etc. When a mark is made in a distinctive manner by the signer, such writing becomes attributable to the signer. Further, a signature on any document often indicates or imparts a sense of clarity and also of finality to the transaction or substance. It also lessens the subsequent need to inquire beyond the face of the document. For example, the amounts of cheques are paid to the concerned payees after verification of the signatures of the drawers against their specimen signatures. Secondly, the act of signing a document also calls the attention of the signer to the importance of his or her act and thus helps to prevent inconsiderate engagements. A signature is required as one of the formal requirements for completing transactions according to the provisions of different Acts. A signature on any document indicates the signer's approval or authorization of the writing on the document, or his intention that it has legal effect.
The above mentioned are the basic purposes of obtaining signatures on documents, and hence the signer's authentication is considered very essential in the legal regime. But in the era of modern information technology, the traditional methods of signing and authenticating transactions are rapidly becoming obsolete. If the Internet becomes a widely accepted medium for commerce in India and e-commerce increases in volume and value, the importance of digital signatures and public key infrastructure is sure to increase. In fact, digital signatures have a multitude of applications, which include electronic data interchange, electronic funds transfer, contracts, authentication and certification, etc. Obviously, the main objective is to enable the recipient to prove the identity of the signer or sender and also to guarantee the integrity of the data being transferred.
The provisions relating to the digital signature have been made in the Information Technology Act of 2000. Section 2(p) defines the term 'Digital Signature', while Section 3 of the I.T. Act throws light on the authentication of electronic records. Further, Rules 3, 4 and 5 of the Information Technology (Certifying Authorities) Rules, 2000 also make clear the manner in which information is authenticated by means of a digital signature, the creation of a digital signature and the verification of a digital signature. Let us consider these aspects as per the provisions of the Act.
Subscriber: a subscriber is a person in whose name the digital signature certificate is issued.
Explanation: Computer equipment and software utilizing two such keys are often termed as
"asymmetric cryptography".
(c) Creation of Digital Signature [Rule 4]:
To sign an electronic record or any other item of information, the signer shall first apply the hash function in the signer's software; the hash function shall compute a hash result of standard length which is unique (for all practical purposes) to the electronic record; the signer's software then transforms the hash result into a Digital Signature using the signer's private key; the resulting Digital Signature shall be unique to both the electronic record and the private key used to create it; and the Digital Signature shall be attached to its electronic record and stored or transmitted with its electronic record.
(d) Verification of Digital Signature [Rule 5]:
The verification of a Digital Signature shall be accomplished by computing a
new hash result of the original electronic record by means of the hash function used to create a
Digital Signature and by using the public key and the new hash result, the verifier shall check —
(i) if the Digital Signature was created using the corresponding private key; and
(ii) if the newly computed hash result matches the original result which was transformed
into Digital Signature during the signing process. The verification software will confirm the
Digital Signature as verified if —
(a) the signer's private key was used to digitally sign the electronic record, which is
known to be the case if the signer's public key was used to verify the signature because, the
signer's public key will verify only a Digital Signature created with the signer's private key; and
(b) the electronic record was unaltered, which is known to be the case if the hash
result computed by the verifier is identical to the hash result extracted from the Digital Signature
during the verification process.
(e) Meaning of important terms used in the above mentioned provisions:
There are various technical terms used in the Act. The meanings of these terms are given in Schedule V appended to the Information Technology (Certifying Authorities) Rules of 2000 under the heading "Glossary". The meanings of certain technical terms used in the above mentioned provisions are given below for your ready reference.
(1) Electronic Record: 'Electronic Record' means data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated microfiche.
(2) Electronic Form: Electronic form with reference to information means any information
generated, sent, received or stored in media, magnetic, optical, computer memory, microfilm,
computer generated micro-fiche or similar device.
(3) Asymmetric Crypto System: A system of a secure key pair consisting of a private key for
creating a digital signature and a public key to verify the digital signature.
(4) Hash [Hash Function]: An algorithm that maps or translates one set of bits into another
(generally smaller) set in such a way that —
(i) A message yields the same result every time the algorithm is executed using the
same message as input.
(ii) It is computationally infeasible for a message to be derived or reconstituted from
the result produced by the algorithm.
(iii) It is computationally infeasible to find two different messages that produce the

Digital signatures are well suited for wireless Internet-enabled devices. Digital signatures are definitely complementary to automation, bringing various benefits including faster, more efficient processing and reduced error rates and administrative costs.
(2) Every such application shall be accompanied by such fee not exceeding twenty five
thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying
Authority [Section 35 (2)]
It is provided that while prescribing fees under sub-section (2) different fees may be
prescribed for different classes of applicants [Proviso to Section 35 (2)].
(3) Every such application shall be accompanied by a certification practice statement
or where there is no such statement, a statement containing such particulars, as may be specified
by regulations [Section 35 (3)]
(4) On receipt of an application under sub-section (1), the Certifying Authority may,
after consideration of the certification practice statement or the other statement under sub-section
(3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or
for reasons to be recorded in writing, reject the application [Section 35(4)]
It is provided that no Digital Signature Certificate shall be granted unless the
Certifying Authority is satisfied that —
(a) The applicant holds the private key corresponding to the public key to be listed in the
Digital Signature Certificate;
(b) The applicant holds a private key, which is capable of creating a digital signature;
(c) The public key to be listed in the certificate can be used to verify a digital signature
affixed by the private key held by the applicant [Proviso to Section 35 (4)]
It is provided further that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection [Proviso to Section 35 (4)].
It should be noted that the proviso to Section 35 (4) lays down certain conditions. If the Certifying Authority is not satisfied in that respect, the digital signature certificate is not granted.
[I] Rule 23 of the I.T. (C.A.) Rules, 2000 pertaining to the provisions of Section 35
Rule 23 says that, "The Certifying Authority shall, for issuing the Digital Signature Certificates, while complying with the provisions of section 35 of the Act, also comply with the following, namely —
(a) the Digital Signature Certificate shall be issued only after a Digital Signature
Certificate application in the form provided by the Certifying Authority has been submitted by the
subscriber to the Certifying Authority and the same has been approved by it:
Provided that the application form contains, inter alia, the particulars given in the Model Form given in Schedule IV;
(b) No interim digital Signature Certificate shall be issued;
(c) The Digital Signature Certificate shall be generated by the Certifying Authority
upon receipt of an authorized and validated request for —
(i) New Digital Signature Certificates;
(ii) Digital Signature Certificates Renewal;
(d) The Digital Signature Certificate must contain or incorporate, by reference
such information, as is sufficient to locate or identify one or more repositories in
which revocation or suspension of the Digital Signature Certificate will be listed,
if the Digital Signature Certificate is suspended or revoked;
(e) The subscriber identity verification method employed for issuance of Digital
Signature Certificate shall be specified in the Certification Practice Statement
and shall be subject to the approval of the Controller during the application for a
license;
(f) Where the Digital Signature Certificate is issued to a person (referred to in this clause as a New Digital Signature Certificate) on the basis of another valid Digital Signature Certificate held by the said person (referred to in this clause as an originating Digital Signature Certificate) and subsequently the originating Digital Signature Certificate has been suspended or revoked, the Certifying Authority that issued the new Digital Signature Certificate shall conduct investigations to determine whether it is necessary to suspend or revoke the new Digital Signature Certificate;
(g) The Certifying Authority shall provide a reasonable opportunity for the
subscriber to verify the contents of the Digital Signature Certificate before it is
accepted;
(h) If the subscriber accepts the issued Digital Signature Certificate, the
Certifying Authority shall publish a signed copy of the Digital Signature
Certificate in a repository;
(i) Where the Digital Signature Certificate has been issued by the licensed
Certifying Authority and accepted by the subscriber, and the certifying
Authority comes to know of any fact, or otherwise, that affects the validity or
reliability of such Digital Signature Certificate, it shall notify the same to the
subscriber immediately;
(j) All Digital Signature Certificates shall be issued with a designated expiry
date.
ELECTRONIC RECORDS
In Chapter IV of the I.T. Act of 2000, under the heading "Attribution, Acknowledgement and Dispatch of Electronic Records", provisions have been made relating to attribution of electronic records [Section 11], acknowledgement of receipt [Section 12] and time and place of dispatch and receipt of electronic records [Section 13]. These sections are given below.
(2) Where the originator has stipulated that the electronic record shall be binding only on
receipt of an acknowledgement of such electronic record by him, then, unless acknowledgement
has been so received, the electronic record shall be deemed to have been
never sent by the originator [Section 12 (2)]
(3) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgement, and the acknowledgement has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to, within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgement has been received by him and specifying a reasonable time by which the acknowledgement must be received by him, and if no acknowledgement is received within the aforesaid time limit he may, after giving notice to the addressee, treat the electronic record as though it had never been sent [Section 12 (3)]
CERTIFYING AUTHORITIES
In order to avoid forgery, deceit, etc. in online authentication, a certifying authority is required. A certifying authority's real task is to associate the public key with its actual holder. A person who has been granted the necessary license to issue digital signature certificates under Section 24 of the I.T. Act of 2000 becomes a Certifying Authority. Trust is passed down by a supreme authority to the Certifying Authorities as license holders and, through them, to subscribers. The supreme authority in India is the Controller, who is appointed according to the provisions of Section 17 of the I.T. Act of 2000. The Controller of Certifying Authorities has to perform certain functions which are stated in Section 18 of the I.T. Act of 2000. The regulation of certifying authorities is very essential and important in order to maintain this trust. From this point of view, various provisions have been made in Chapter VI of the I.T. Act of 2000, under the heading "Regulation of Certifying Authorities".
This Chapter VI includes eighteen sections making the provisions relating to the
appointment of controller of Certifying authorities and other officers, functions of controller,
license to issue digital signature certificates, application, renewal, suspension etc. of license and
certain other related aspects. Besides these provisions, we also find the rules made in the
Information Technology (Certifying Authorities) Rules of 2000 pertaining to licensing of the
Certifying Authorities, submission of application for a licensed certifying authority, etc. This is, in
fact, the core part of the I.T. Act. Let us now consider the provisions of the I.T. Act of 2000
relating to the regulation of certifying authorities and important rules of the Information
Technology (Certifying Authorities) Rules of 2000. But before that let us study the provisions of
this Act relating ‘to appointment and functions of the controller.
Appointment of the Controller of Certifying Authorities and other Officers [Section 17]
Section 17 of the I.T. Act of 2000 provides for the appointment of the Controller of
Certifying Authorities and other officers to regulate the Certifying Authorities. The
provisions of Section 17 are given below :
(1) The Central Government may, by notification in the Official Gazette, appoint a
Controller of Certifying Authorities for the purposes of this Act and may also by the same or
subsequent notification, appoint such number of Deputy Controllers and Assistant Controllers as it
deems fit [Section 17 (1)]
(2) The Controller shall discharge his functions under this Act subject to the general
control and directions of the Central Government [Section 17 (2)]
(3) The Deputy Controllers and Assistant Controllers shall perform the functions assigned
to them by the Controller under the general superintendence and control of the Controller [Section
17 (3)]
(4) The qualifications, experience and terms and conditions of service of Controller,
Deputy Controllers and Assistant Controllers shall be such as may be prescribed by the Central
Government [Section 17 (4)]
(5) The Head Office and Branch Office of the office, of the Controller shall be at such
places as the Central Government may specify, and these may be established at such places as the
Central Government may think fit [Section 17 (5)]
(6) There shall be a seal of the Office of the Controller [Section 17 (6)]
According to the provisions of Section 17, the Controller of the Certifying Authorities
has been appointed. The Controller of the Certifying Authorities has to discharge all functions
mentioned in Section 18 of this Act subject to the general control and directions of the Central
Government.
In order to assist the Controller of Certifying Authorities, the Central Government is empowered to appoint such number of Deputy Controllers and Assistant Controllers as the Central Government deems fit [Section 17 (1)]. The Deputy Controllers and Assistant Controllers perform the functions assigned to them by the Controller of Certifying Authorities under his general superintendence and control [Section 17 (3)]
procedure prescribed, the Controller issues or grants the license. The provisions relating to issue of license, its application, etc. have been made in Chapter VI of this Act. They are given below.
License to Issue Digital Signature Certificates [Section 21]
For getting the license from the Controller, an application in the prescribed form is
required to be made to the Controller along with the prescribed non-refundable fee [which is Rs.
25,000] and other documents as may be prescribed by the Central Government. The controller of
the Certifying Authorities after considering the application and on fulfilment of other conditions
prescribed in this Act and Rules made under the Information Technology (Certifying Authorities)
Rules of 2000 may grant the license. He may also reject the application after giving reasonable
opportunity of being heard [Section 24]. The persons who can make an application for grant of a license to issue Digital Signature Certificates are given in Rule 8 of the Information Technology (Certifying Authorities) Rules of 2000. The Rules are also made in respect of location of facilities,
submission of application, fee, suspension of license, etc. All these rules are given below along
with the concerned provisions of the sections included in Chapter VI of the I.T. Act, 2000. The
provisions of Section 21 relating to license to issue digital signature certificates are given below.
(1) Subject to the provisions of sub-section (2), any person may make an application, to
the Controller, for a license to issue Digital Signature Certificates [Section 21 (1)].
(2) No license shall be issued under sub-section (1), unless the applicant fulfills such
requirements with respect to qualification, expertise, manpower, financial resources and
other infrastructure facilities, which are necessary to issue Digital Signature Certificates
as may be prescribed by the Central Government [Section 21 (2)]
(3) A license granted under this section shall —
(a) be valid for such period as may be prescribed by the Central Government;
(b) not be transferable or heritable;
(c) be subject to such terms and conditions as may be specified by regulations [Section 21 (3)].
Digital signatures alone do not fulfill the need for the trust and authentication. There
is yet another aspect required to develop a trusted environment for online business transactions. In
fact, digital signatures rely on “Public Key Infrastructure" in which "Certifying Authorities" act as
the trusted third parties for identification and authentication. The important job of certifying
authorities is to associate the public key to the actual holders.
It should be noted here that Public Key Infrastructure, or PKI, is the architecture, organization, techniques, practices and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system, and it includes a set of policies, processes, server platforms, software and workstations used for the purpose of administering digital signature certificates and keys.
The provisions under Section 30 make clear that the Certifying Authority has to
follow certain procedure in respect of digital signatures. Section 30 states that, "Every Certifying
Authority shall -
(a) make use of hardware, software and procedures that are secured from intrusion and
misuse;
(b) provide a reasonable level of reliability in its services which are reasonably suited to the performance of intended functions;
(c) adhere to security procedures to ensure that the secrecy and privacy of the digital
signatures are assured; and
(d) observe such other standards as may be specified by regulations".
(b) Certifying Authority has to ensure the compliance of this I.T. Act [Section 31]
It is the duty and responsibility of the Certifying Authority to ensure that every person
employed by the Certifying Authority complies with the provisions of the I.T. Act, 2000 or rules,
regulations made thereunder. According to Section 31, "Every Certifying Authority shall ensure
that every person employed or otherwise engaged by it complies, in the course of his employment
or engagement, with the provisions of this Act, rules, regulations and orders made thereunder".
(c) Duty or responsibility of Certifying Authority to display its license [Section 32]
It is laid down in Section 32 that, "every Certifying Authority shall display its license
at a conspicuous place of the premises in which it carries on its business".
(d) Duty or responsibility of Certifying Authority to surrender its license [Section 33]
Section 33 states that, (1) Every Certifying Authority whose license is suspended or
revoked shall immediately after such suspension or revocation, surrender the license to
the Controller [Section 33 (1)].
(2) Where any Certifying Authority fails to surrender a license under sub-section (1), the person in whose favour the license is issued shall be guilty of an offence and shall be punished with imprisonment which may extend up to six months or a fine which may extend up to ten thousand rupees or with both [Section 33 (2)].
Subscriber
A subscriber is a person in whose name the [Electronic Signature] Certificate is issued.
Generating Key Pair
(2) By accepting a Digital Signature Certificate the subscriber certifies to all who
reasonably rely on the information contained in the Digital Signature Certificate that –
(a) The subscriber holds the private key corresponding to the public key listed in
the Digital Signature Certificate and is entitled to hold the same;
(b) All representations made by the subscriber to the Certifying Authority and all
material relevant to the information contained in the Digital Signature Certificate are true;
(c) All information in the Digital Signature Certificate that is within
the knowledge of the subscriber is true.
Explanation - For the removal of doubts, it is hereby declared that the subscriber shall be liable
till he has informed the Certifying Authority that the private key has been compromised.