THE LAW AND TECHNOLOGY OF DIGITAL SIGNATURES IN INDIA

  • 8/7/2019 THE LAW AND TECHNOLOGY OF DIGITAL SIGNATURES IN INDIA

    THE LAW AND TECHNOLOGY OF DIGITAL SIGNATURES IN INDIA

    Chapter-1

    OBJECTIVE AND DEFINITION OF DIGITAL SIGNATURES

    Electronic transactions are fast emerging as an alternative means of carrying out

    transactions instead of paper based transactions. However with the increase in the

    transactions taking place on the internet the issue of authenticity and veracity was

    looming large. Contracts worth huge sum of money were being entered into

    without ensuring the validity and authenticity of the parties.

    Traditionally, handwritten signatures were used for the following purposes:

    a) To identify a person: by signing, the signatory marks the text in his/her own unique way and makes it attributable to him/her.

    b) To validate the personal involvement of the person in the act of signing.

    c) To associate the signer with the content of the document, or as proof of the signer's intention that it has legal effect.

    d) To attest to the intent of a party to be bound by the signed contract.

    e) To show the intent of a person to endorse authorship of a text.

    f) To show the intent of the person to associate himself with the content of a document written by someone else.

    g) As a matter of ceremony, signing calls to the signer's attention the legal significance of his act.

    h) To provide efficiency and logistics along with clarity.

    Similarly a need was felt to incorporate an instrument that would validate online

    transactions. Using the technology of cryptography, the concept of Digital

    Signatures was introduced. The UNCITRAL Model Law on E-Commerce is based

    on the recognition of the functions of a signature in the paper form. It focuses on

    the 2 basic functions of a digital signature namely;

    a) Identifying the author of a document

    b) Confirming the approval of the content by the author.

    In the electronic environment basic legal functions of a signature are performed by

    way of a method that identifies the originator of a data message and confirms that

    the originator approved the content of the data message. This method uses the

    techniques of cryptography and encryption. Public key cryptography is an

    asymmetric scheme that uses a pair of keys for encryption: a public key, which

    encrypts data, and a corresponding private, or secret, key for decryption. You

    publish your public key to the world while keeping your private key secret.

    Anyone with a copy of your public key can then encrypt information that only you

    can read.

    The primary benefit of public key cryptography is that it allows people who have

    no pre-existing security arrangement to exchange messages securely. The need for

    sender and receiver to share secret keys via some secure channel is eliminated; all

    communications involve only public keys, and no private key is ever transmitted or

    shared. Digital signatures make use of public key cryptography. They are

    signatures used for marking or signing an electronic document. The process is

    analogous to paper-based signatures: a digital signature is a digital code that can be attached

    to an electronically transmitted message that uniquely identifies the sender and

    ensures that the document has not been altered.

    As is the case with Electronic Data Interchange (EDI), the process of creating and

    verifying digital signatures can be completely automated with minimal human

    interaction. Compared to the tedious and labour-intensive paper methods such as

    checking specimen signature cards, digital signatures yield a high degree of

    assurance without adding greatly to the resources required for processing

    documents.

    The following representation gives an illustration as to how digital signatures are

    created and verified;

    CREATION OF DIGITAL SIGNATURES

    Message -> Hash Function -> Hash Result -> Signing Function (using the Private Key) -> Digital Signature

    Message + Digital Signature -> To verifier

    VERIFICATION OF DIGITAL SIGNATURES

    From signer: Message -> Hash Function -> Hash Result

    Hash Result + Digital Signature + Public Key -> Verify Function -> Valid? Yes/No

    A digital signature serves the same purpose as a handwritten signature. However, a

    handwritten signature is easy to counterfeit. A digital signature is superior to a

    handwritten signature as it is nearly impossible to counterfeit, plus it attests to the

    contents of the information as well as to the identity of the signer.

    The advantages of digital signatures are;

    a) Uniqueness

    b) Inability to forge

    c) Ease of authentication

    d) Impossibility of denial

    e) Economy of generation

    f) Ease of generation

    Digital Signature means the authentication of any electronic record by a subscriber

    by means of electronic method or procedure in accordance with the provisions of

    section 3, which provides that any subscriber may authenticate an electronic record

    by affixing his digital signature. The authentication of an electronic record shall be

    effected by the use of an asymmetric cryptosystem and hash function which transform

    the initial electronic record into another electronic record. It further states that any

    person by the use of the public key of the subscriber can verify the electronic

    record. The private and the public key are unique to the subscriber and constitute a

    functioning key pair. The American Bar Association defines Digital Signatures as

    an electronic signature created and verified by means of cryptography, the branch

    of applied Mathematics that concerns itself with transforming messages into

    seemingly unintelligible forms and back again. In the United States at least 36

    states have enacted or are in the process of enacting legislation

    legitimizing digital signatures.

    A digital signature must ensure that it accomplishes the following purposes;

    Signer authentication: If a public and a private key pair are associated with an

    identified signer, the digital signature attributes the message to the signer. The

    signature must indicate by whom the document or message is signed and shall be

    difficult for any other person to produce without authorization.

    Document/message authentication: The digital signature identifies the signed

    message with much greater certainty and precision than paper signatures. The

    signature must comprise a non-repudiation service, which provides proof of the

    origin or delivery of data in order to protect the sender against false denial by the

    recipient or the sender that the data has been received or sent.

    Affirmative Act: Serving the ceremonial and approval functions of the signature, a

    person should be able to create a signature to mark the event, indicate approval and

    authorization, and establish legal consequences.

    Efficiency: Generally a signature must be able to provide the best possible

    authenticity and validity with the least possible expenses.

    From the above discussion we can conclude that Digital signatures are signatures

    which are used to authenticate and validate electronic transactions on the internet

    through the use of technology.

    To give legality to the use of digital signatures in India, the Information

    Technology Act, 2000, recently amended in 2008, has incorporated provisions

    recognizing the digital signature, one of the forms of electronic signatures, as a means

    to authenticate electronic transactions, which shall be discussed in detail in the

    subsequent chapter.

    Chapter-2

    TECHNOLOGY BEHIND DIGITAL SIGNATURES

    Digital signatures are signatures which make use of a technology which is very

    specific in nature and requires expertise and understanding of various technologies

    required to obtain digital signatures. One such technology as introduced briefly in

    the previous chapters is cryptography; it is the practice and study of hiding

    information. Cryptography is applied in ATM cards, computer

    passwords and e-commerce. A cryptographic algorithm, or cipher, is a

    mathematical function used in the encryption and decryption process. A

    cryptographic algorithm works in combination with a key (a word, number, or

    phrase) to encrypt the plaintext.

    The same plaintext encrypts to different cipher text with different keys. The

    security of encrypted data is entirely dependent on two things: the strength of the

    cryptographic algorithm and the secrecy of the key. The science of cryptography

    further includes encryption and decryption techniques. In these, two keys are

    involved, a public key and a private key. Each user has a pair of keys, of which the

    private key is kept secret and the public key is made open to all. If X wants to send

    a message to Y, X shall encrypt the message with Y's public key and send it to Y.

    The message can then be read only by Y. This serves the following purposes:

    a) protecting the information content

    b) establishing the authenticity of the sending party

    c) preventing undetected modification of the message

    d) preventing repudiation

    e) preventing unauthorized use

    Cryptography can be symmetric as well as asymmetric, in case of a symmetric

    cryptography, only one key is used to encrypt as well as decrypt a message

    whereas in the case of asymmetric cryptography a pair of keys is used to encrypt as well

    as decrypt a message. It can be traced back to a paper published by

    Whitfield Diffie and Martin Hellman, who proposed the notion of public-key (also, more

    generally, called asymmetric key) cryptography, in which two different but

    mathematically related keys are used: a public key and a private key.

    In 1977, a year after the publication of the Diffie-Hellman paper, three researchers

    at MIT developed a practical method using the suggested ideas. This became

    known as RSA, after the initials of the three developers -- Ron Rivest, Adi Shamir,

    and Leonard Adleman -- and is probably the most widely used public key

    cryptosystem. It was patented in the US in 1983, duly adopted as a standard, and

    has always been widely available outside the US in implementations developed

    locally even though, until recently, its export was restricted. In addition to being

    the first publicly known examples of high-quality public-key algorithms, Diffie-Hellman and RSA have been

    among the most widely used. Others include the Cramer-Shoup cryptosystem and

    ElGamal encryption. A digital signature is a two-way process involving the signer,

    i.e. the creator of the digital signature, and the recipient, i.e. the verifier of the digital

    signature.

    Creating a digital signature involves the following steps:

    a) The signer demarcates what is to be signed, which is termed the message.

    b) A hash function computes a hash result unique to the message.

    c) The signer's software encrypts the hash result into a digital signature using the signer's private key. The resulting digital signature is thus unique to both the message and the private key used to create it.

    d) The digital signature is attached to the message and stored or transmitted with its message.

    Verifying a digital signature involves the following steps:

    a) The recipient receives the digital signature and the message.

    b) The recipient applies the signer's public key to the digital signature.

    c) The recipient recovers the hash result, or message digest, from the digital signature.

    d) The recipient creates a new hash result with the same hash function used by the signer to create the digital signature.

    e) The two hash results are compared, and if they are identical it implies that the message is unaltered.
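
    The creation and verification steps listed above, as an added Python example that is not part of the original text: textbook RSA applied to a SHA-256 hash result. The keys are constructed from publicly known Mersenne primes and no padding is used, so the code illustrates the steps only; deployed schemes add a padding scheme such as PKCS#1 v1.5 or RSA-PSS. All function and variable names are assumptions.

```python
"""Hash-then-sign with textbook RSA: an illustration of the steps only."""
import hashlib

E = 65537  # public exponent shared by both demo keys


def make_key_pair(p: int, q: int):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


# Constructed demo keys (assumption): the primes are well-known Mersenne
# primes, so anyone can factor these moduli. Never use them for real data.
SIGNER_PUB, SIGNER_PRIV = make_key_pair(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_key_pair(2**1279 - 1, 2**2203 - 1)


def hash_result(message: bytes) -> int:
    """Creation step b / verification step d: fixed-length hash result."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Creation step c: transform the hash result with the private key."""
    n, d = private_key
    return pow(hash_result(message), d, n)


def recover_hash(signature: int, public_key) -> int:
    """Verification steps b-c: apply the public key to the signature."""
    n, e = public_key
    return pow(signature, e, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification steps d-e: recompute the hash result and compare."""
    n, _ = public_key
    if not 0 <= signature < n:  # reject values outside the key's range
        return False
    return recover_hash(signature, public_key) == hash_result(message)


def run_demo() -> dict:
    record = b"I agree to the terms of the contract."  # constructed sample
    signature = sign(record, SIGNER_PRIV)
    return {
        # Unaltered record checked with the signer's public key.
        "genuine": verify(record, signature, SIGNER_PUB),
        # One byte appended after signing: the hash results differ.
        "altered_record": verify(record + b"0", signature, SIGNER_PUB),
        # One bit of the signature flipped in transit.
        "altered_signature": verify(record, signature ^ 1, SIGNER_PUB),
        # Verifier holds a public key that is not the signer's.
        "wrong_public_key": verify(record, signature, OTHER_PUB),
        # Another key holder signs and claims to be the signer.
        "other_signer": verify(record, sign(record, OTHER_PRIV), SIGNER_PUB),
    }


if __name__ == "__main__":
    for case, valid in run_demo().items():
        print(f"{case:18} valid={valid}")
```

    Only the first case verifies. The "wrong_public_key" case shows why the verifier needs assurance about whose public key it holds.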

    Chapter-3

    DIGITAL SIGNATURE CERTIFICATES; PROCEDURE AND

    AUTHORITIES

    Digital signatures are a means to ensure the validity of electronic transactions; however,

    who guarantees that such signatures are indeed valid and not

    false? In order that the keys are secure, the parties must have a high degree of

    confidence in the public and private keys issued. The user must have confidence in

    the skill, knowledge and security arrangements of the parties issuing the public and

    private keys. This brings in the role of trusted third parties (TTPs) or certifying authorities (CAs), which help in

    establishing what is known as a public key infrastructure. A public key

    infrastructure helps to provide confidence that:

    a) A user's public key has not been tampered with and it corresponds to the user's private key.

    b) The entities issuing cryptographic keys can be trusted to retain or recreate the public and private keys that may be used for confidentiality encryption where the use of such a technique is authorized.

    There is often a possibility of what are referred to as man-in-the-middle attacks.

    These are instances wherein a person uses a false key and intercepts a message

    between two individuals, obtains the key of anyone through the false key and can

    alter the message. In a public key environment, it is vital that you are assured that

    the public key to which you are encrypting data is in fact the public key of the

    intended recipient and not a forgery. One can encrypt only to those keys which

    have been physically handed to him. However, where a person is completely

    unknown or has never been met, it is essential for a trustworthy

    authority to step in. The purpose of a trusted third party is that, with the help of a

    certificate, the prospective signer is associated with a key pair. This certificate that

    binds the key with a particular holder is referred to as the digital signature

    certificate. Certifying authorities issue certificates based on classes. Class I

    certificates are issued to individuals, business and government organizations, and are

    primarily used for web browsing and personal e-mails. Class II certificates may be

    issued to individuals belonging to business and government organizations that are

    ready to assume the responsibility of verifying the accuracy of information

    submitted to the individual. They are used primarily for an organization's functional and

    administrative needs. Class III certificates may be issued to both individuals and

    organizations, and are used primarily for e-commerce applications such as electronic

    banking, EDI and membership based on-line services.

    A recipient of the certificate desiring to rely upon an electronic signature created

    by the holder named in the certificate can use the public key listed in the certificate

    to verify that the electronic signature was created with the corresponding private

    key. The digital signature certificates are issued by the certifying authorities who

    are recognized by the controller of certifying authority which is a root certifying

    authority in India. The Information Technology Act, 2000 defines a certifying

    authority as one which has been granted a license to issue an electronic signature

    certificate under section. It is important to note here that the term digital signatures

    has been replaced with the term electronic signatures apparently to make the use

    more technology neutral as earlier digital signatures was being referred to as much

    more technology specific, however since the provisions of the Act are yet to be

    notified therefore the amendment cannot be utilized at present.

    Chapter VI of the Act provides for regulation of certifying authorities. Section 17

    provides for the appointment of controller by the central government by

    notification in the official gazette. The controller shall perform such functions as

    the central government may direct. The qualifications, experience and terms and

    conditions of service of controller shall be prescribed by the central government.

    There shall be a seal of the office of the controller and the head office as well as

    the branch office of the controller shall be at such places as the central government

    may specify.

    Section 18 provides for the functions that the controller may perform. There have

    been many foreign certifying authorities that issue digital signature certificates in

    India. Section 19 of the Act provides for the recognition of foreign certifying

    authorities, the section further prescribes that in case the authority contravenes any

    of the conditions and restrictions subject to which it is granted recognition then the

    controller may revoke such a recognition.

    The controller of certifying authorities has established the Root Certifying

    Authority. It is established under section 18(b) of the Information Technology Act,

    2000 to certify public keys of all certifying authorities in India. Root certificate is a

    self signed certificate that identifies the Root Certification Authority. A certificate

    authority can issue multiple certificates in the form of a tree structure. A root

    certificate is the top most certificate in the tree, the private key of which is used to

    sign all other certificates. A root certificate helps the certificates to inherit the

    trustworthiness.

    Section 21 of the Act provides for license to issue electronic signature certificates

    before the Controller of certifying authority. The license once granted shall be

    non-transferable and non-heritable. Every application for issue of a license shall be in

    the prescribed form as may be directed by the government. Section 22(2) provides

    that every application for the issue of license shall be accompanied by

    a) A certification practice statement

    b) A statement including the procedures with respect to identification of the applicant

    c) Payment of such fee not exceeding 25000 as may be prescribed by the central government.

    The Act also lays down the provisions for the procedure of grant or rejection of

    license as well as the renewal of license.

    It must be noted here that the application for licensed certifying authority shall be

    made in the prescribed format provided under Rule 10 of the Information

    Technology (Certifying Authorities) Rules, 2000. The application for grant of a

    license shall be accompanied by a non refundable fee of 25000, provided under

    Rule 11 of the Rules.

    The Act prescribes that every certifying Authority must follow certain procedures;

    a) Make use of hardware, software and procedures that are secure from intrusion or misuse.

    b) Provide a reasonable level of reliability.

    c) Adhere to security provisions to ensure that secrecy and privacy of digital signatures is assured.

    d) Become the repository of all electronic signature certificates issued under the Act.

    e) Publish information regarding its practices, electronic signature certificates and the current status of such certificates.

    Section 35 prescribes the certifying authority to issue electronic signature

    certificates. A certifying authority while issuing digital signatures shall certify

    amongst other factors that the subscriber holds the private key corresponding to the

    public key listed in the Digital signature certificate. The subscriber holds a private

    key which is capable of creating a digital signature. The public key to be listed in

    the certificate can be used to verify a digital signature affixed by the private key

    held by the subscriber. The subscriber's public key and private key constitute a

    functioning pair. The information contained in the certificate is accurate.

    Section 37 and section 38 prescribe for the conditions when the digital signature

    may be revoked or suspended. Section 39 provides that where a digital signature

    certificate has to be revoked or suspended a notice of suspension or revocation

    shall be given.

    Chapter VIII provides for the duties of subscribers which include the generation of

    a key pair (section 40), acceptance of digital signature certificate (section 40),

    exercising reasonable care to retain control over private key corresponding to the

    public key listed in the digital signature certificate and to take steps to prevent its

    disclosure and in case the private key corresponding to the public key listed in the

    digital signature certificate has been compromised the same shall be communicated

    to the certifying authority without delay.

    The central government under section 87 of the Act has the powers to make rules

    and consequently the Information Technology Certifying Authority Rules (2000)

    were framed. Rule 3 provides that a digital signature shall be created and verified

    by cryptography that concerns itself with transforming electronic record into

    seemingly unintelligible forms and back again. It shall also use public key

    cryptography and hash function necessary for creating and verifying a digital

    signature. Rule 4 provides for the procedure of creation of digital signature, the

    signer shall apply the hash function in the signer's software, thereafter the hash

    function shall compute a hash result of standard length which is unique to the

    electronic record, the signer's software shall transform the hash result into a digital

    signature using the signer's private key and the resulting digital signature shall be

    unique to both the electronic record and private key used to create it and the digital

    signature shall be attached to its electronic record and stored or transmitted with its

    electronic record.

    Rule 5 provides for the verification of the digital signature, the process being same

    as discussed previously. Rule 8 prescribes for the persons who may apply for grant

    of license to issue digital signature certificates. Rule 13 to 17 provide for validity,

    suspension, renewal, issuance and refusal of license. Rule 23 provides for

    compliances by the certifying authorities in addition to the requirements under

    section 35 of the Act;

    (a) The Digital Signature Certificate shall be issued only after a Digital Signature

    Certificate application in the form provided by the Certifying Authority has been

    submitted by the subscriber to the Certifying Authority and the same has been

    approved by it:

    Provided that the application Form contains the particulars given in the Form given

    in Schedule-IV;

    (b) No interim Digital Signature Certificate shall be issued;

    (c) The Digital Signature Certificate shall be generated by the Certifying Authority

    upon receipt of an authorised and validated request for:-

    a. New Digital Signature Certificates;

    b. Digital Signature Certificates renewal;

    (d) The Digital Signature Certificate must contain or incorporate, by reference such

    information, as is sufficient to locate or identify one or more repositories in which

    revocation or suspension of the Digital Signature Certificate will be listed, if the

    Digital Signature Certificate is suspended or revoked;

    (e) The subscriber identity verification method employed for issuance of Digital

    Signature Certificate shall be specified in the Certification Practice Statement and

    shall be subject to the approval of the Controller during the application for a

    licence;

    (f) Where the Digital Signature Certificate is issued to a person (referred to in this

    clause as a New Digital Signature Certificate) on the basis of another valid Digital

    Signature Certificate held by the said person (referred in this clause as an

    Originating Digital Signature Certificate) and subsequently the originating Digital

    Signature Certificate has been suspended or revoked, the Certifying Authority that

    issued the new Digital Signature Certificate shall conduct investigations to

    determine whether it is necessary to suspend or revoke the new Digital Signature

    Certificate;

    (g) The Certifying Authority shall provide a reasonable opportunity for the

    subscriber to verify the contents of the Digital Signature Certificate before it is

    accepted;

    (h) If the subscriber accepts the issued Digital Signature Certificate, the Certifying

    Authority shall publish a signed copy of the Digital Signature Certificate in a

    repository;

    (i) Where the Digital Signature Certificate has been issued by the licensed

    Certifying Authority and accepted by the subscriber, and the Certifying Authority

    comes to know of any fact, or otherwise, that affects the validity or reliability of

    such Digital Signature Certificate, it shall notify the same to the subscriber

    immediately;

    (j) All Digital Signature Certificates shall be issued with a designated expiry date.

    Rule 25 provides that before issuing digital signature certificates the certifying

    authority shall confirm that the user's name does not appear in the list of

    compromised users, comply with all privacy statements, obtain consent of the

    person requesting the digital signature certificate that the details of such digital

    signature certificate can be published on a directory service. Rule 26 prescribes for

    all digital signature certificates to have a designated expiry date after which the

    certificate shall expire and shall not be re-used.

    Chapter-4

    RECENT AMENDMENTS IN VARIOUS ENACTMENTS PERTAINING

    TO DIGITAL SIGNATURES

    The primary legislation that deals with Digital Signatures is the Information

    Technology Act, 2000. The Act has been recently amended in the year 2008 but is yet to be

    notified. At many places the words Digital Signatures have been replaced with

    electronic signatures primarily to make the system more technology neutral in

    contrast to technology specific. The shortcoming which was prevalent in the

    unamended act and which was widely criticized was that asymmetric cryptography

    system was made with specific reference to digital signatures and any other means

    of authentication that did not use this technology were not recognized under the

    Act.

    Section 73 of the Act provides for penalty in case of publication of false electronic

    signature certificates. No person shall publish an electronic signature certificate or

    make it available to any person if the certifying authority listed in the certificate

    has not issued it, or the subscriber listed in the certificate has not accepted it or the

    certificate has been revoked or suspended, unless such publication is for the

    purpose of verifying an electronic signature created prior to such suspension or

    revocation. Any contravention of the provisions under this section shall entail a

    punishment of 2 years and a fine of Rs 1 lakh.

    Section 74 deals with the case where publication, creation or making available of

    the electronic signature certificate for any fraudulent purpose has been made shall

    be punished with imprisonment up to 2 years or fine up to 1 lakh rupees or both.

    After the introduction of Digital Signatures there have been various amendments to

    give legal validity to these instruments; however, amongst all of them the Indian Evidence

    Act, 1872 has witnessed the most significant amendments.

    Section 3 of the Act, which consisted of only documents was substituted with

    electronic records produced for the inspection of the courts, implying that all

    audio, video, data text or multimedia files generated, stored, received or sent in

    electronic form or microfilm or computer generated micro film could be produced

    for inspection of the court and such electronic records shall be treated as

    documentary evidence under the Indian Evidence Act, 1872.

    Section 17 of the Indian Evidence Act reads that an admission is a statement, oral

    or documentary contained in an electronic form, which suggests any inference as to

    any fact in issue or relevant fact and which is made by any of the persons and

    under the circumstances, hereinafter mentioned. This has led to the admissibility of

    evidences made through the electronic media, video conferences etc.

    Section 22A assumes great importance with respect to digital signatures, the

    section provides that oral admissions as to the contents of the electronic records are

    not relevant, unless the genuineness of the electronic record is produced in

    question. The genuineness and the authenticity of the e-record shall be made out

    when the same has been electronically signed. A digitally signed e-record is a

    relevant fact and oral admissions as to the contents of the record are relevant.

    Further sections 34, 35 and 39 and 59 have been amended to include electronic

    records thus giving authenticity to electronic documents as evidence in courts.

    Section 47A prescribes that the opinion of the certifying authority which

    issues a digital signature certificate shall be a relevant fact when the court has to

    form an opinion as to the digital signature of any person.

    Section 65A prescribes for relevancy of electronic records which conform to

    section 65B, which provides that any information contained in an electronic record

    in any form printed on paper, stored, recorded or copied in optical or magnetic

    media produced by a computer shall be deemed to be a document. The conditions

    under sub section (2) are necessary to identify whether the computer in question

    has properly processed, stored and reproduced whatever information it received.

    Sub-Section (4) of the Act provides for certifying a statement given in an e-record

    for the purpose of admissibility in any proceedings and the same shall be signed by

    a person occupying a position of responsibility.

    Section 67A provides for the proof as to Digital Signatures, if the digital signature

    of the subscriber is alleged to have been affixed to an electronic record the fact that

    the signature is that of the subscriber must be proved. This section mandates

    proving that the digital signature is indeed that of the subscriber; merely admitting

    the execution of the e-record by affixing a digital signature is not sufficient. When a

    matter is pending before the court, it may wish to ascertain whether the digital

    signature which has been affixed is the same as that of the person to whom it is

    attributed.

    Section 73A provides for the proof as to digital signatures; the court in such cases

    can direct the Certifying Authority or the person in question to produce the Digital

    Signature Certificate. It may also ask any person to apply the public key listed in

    the digital signature certificate and verify the digital signature purported to have

    been affixed by that person.

    Section 85A prescribes for presumption as to electronic agreements; the court shall

    presume execution of an electronic agreement if the digital signatures of the parties

    to the electronic agreement have authenticated it.

    Section 85B prescribes that it shall be presumed that an electronic record is secure

    from the time where any security procedure, in the present situation a digital

    signature, has been applied to the time of verification unless anything contrary to it

    is proved. The court shall also presume that a secure electronic signature is affixed

    by the subscriber with the intention of signing or approving the electronic record.

    Section 85C provides that the court shall presume that the digital signature

    certificate is authentic and the information thus contained is valid and correct and

    to the extent of only the information that has been verified and not beyond that.

    Section 90A provides that where an electronic record is five years old and it is

    produced from the custody which is proper [18] it may be presumed that the digital

    signature which purports to be the digital signature of any particular person was

    affixed by him or any person authorised by him in this behalf. As science and

    technology has developed enormously, there has been a need felt to improve the

    way transactions and contracts are conducted. The internet is considered as the best

    medium in the modern world to carry out transactions in an effective, cheaper and

    fast manner. In India Patent and Trademark filing manually is a cumbersome

    process; in order to make it more efficacious e-filing of patents and trademarks has

    been allowed. Through the use of digital signatures one can file for patent as well

    as trademarks online. The benefits of e-filing of patents are that one receives a

    Patent application number immediately. Secondly, online verification assures

    error-free filing and provides the filing date. Thirdly, one can speed up the

    registration process. The Controller General of Patents, Designs and Trade Marks

    (CGPDTM) has stipulated a Class-III category certificate for e-Filing of Patent and

    Trade Marks applications in India. A person who already has a specified Digital

    Signature Certificate (DSC) for any other application can use the same for e-filing

    of a patent application and is not required to obtain a fresh DSC.

    The procedure for e-filing involves the use of a class-3 digital signature from any

    of the licensed certifying authorities.

    1. Thereafter one can login to the user name and password by applying for online registration.

    2. Download the Client Software for preparing Patent Application Offline with required documents and Digitally Sign it for uploading on IPO Server.

    3. Fill Patent Application offline and generate an XML file using Client Software.

    4. After creating application (XML) file offline, Digitally Sign the XML file (Max. file size permitted 5MB) for uploading on to the IPO Server.

    5. Login into e-Patent portal (http://ipindia.gov.in) for uploading Application XML file on IPO Server.

    6. Upload & Submit Digitally Signed XML file to IPO Server.

    7. Process Application for EFT (Electronic Fund Transfer) using State Bank of India (SBI) & Axis Bank Payment Gateways.

    8. Review Application Status on e-Patent Portal.

    9. On successful EFT acknowledgement details would be displayed/generated.

    10. Print Acknowledgement

    Banking in India has never been as trouble free as it is since the introduction of e-banking.

    With the help of electronic banking, transactions which generally took days to

    complete now are just a click away. The Negotiable Instruments Act, 1881, under

    section 6 explains that a cheque in the electronic form means a cheque which

    contains the exact mirror image of a paper cheque, and is generated, written and

    signed by a secure system ensuring the minimum safety standards with the use of

    digital signature (with or without biometrics signature) and asymmetric crypto

    system.

    The government of India in order to encourage electronic governance has

    introduced the MCA 21 program which is a flagship program of the ministry of

    corporate affairs. MCA-21 envisages electronic filing of these documents,

    including registration and records of a company, adaptation of all statutory forms

    for electronic filing, scanning and digitization of permanent records, annual returns

    and balance sheets. This necessitated an amendment to the Act, the Ministry said.

    The project commenced in March 2005 with the signing of a contract agreement

    with the operator Tata Consultancy Services Ltd. The project cost is estimated at

    Rs 345 crore [22]. The project would enable corporates to register a company and file

    statutory documents easily. It would also make it easy for the public to access

    relevant records and get quicker redressal of their grievances. The Companies

    (Electronic Filing and Authentication of Documents) Rules, 2006, provides for

    provisions concerning electronic filing, Rule 3 prescribes that every e-form or

    application or document or declaration required to be filed or delivered under the

    Act and rules made, shall be filed in computer readable electronic form, in portable

    document format (pdf) and authenticated by a managing director, director or

    secretary or person specified in the Act for such purpose by the use of a valid

    digital signature. Every managing director, director or secretary or person specified

    in the Act for authentication of e-form, documents or application etc., which are

    required to be filed or delivered under the Act or rules made there under, shall

    obtain a digital signature certificate from the Certifying Authority for the purpose

    of such authentication and such certificate shall not be valid unless it is of Class II

    or Class III specification under the Information Technology Act, 2000. The

    use of internet has been so vast that the government of India is now considering

    including the use of signatures on the mobile phone. We often use the internet for

    carrying out transaction on the mobile phone, such as mobile payment of bills,

    mobile banking etc. However, these transactions are neither authenticated nor

    secure. These transactions do not follow basic requirements of security and thus the

    need of mobile signatures is being felt. In the wake of increasing transactions over

    the mobile phone, the Department of Payments and Settlement of Reserve Bank

    of India has on September 19, 2008 issued Draft Operating Guidelines on Mobile

    Banking Transactions in India.

    The present procedure for Mobile Banking transactions in India is as follows:-

    A customer needs to purchase an item worth Rs 200.

    The customer asks for the outlet owner's bank account number.

    The customer sends a message from the mobile phone with the following code: *543*123*(the outlet's bank account number)*200*(Amount) Customer's 10-digit Pin code#

    The SMS is sent to the bank.

    Instantly the amount is debited from the customer's account.

    In order to confirm the transaction the bank sends an SMS to the customer stating that Rs. 200 has been debited from the account.

    The given scenario does not ensure authenticity, confidentiality, integrity or

    non-repudiation and hence is not secure at all. If the device gets stolen anyone can

    misuse the facility and hence there is a need to secure these transactions. The

    mobile signature is created by typing a secret code (i.e. your signing PIN) into the

    signing device (for example: your mobile phone). This secret code in combination

    with your key storage token (for example: SIM card) and a chosen text triggers a

    cryptographic algorithm to generate the (digital) signature. The Indian Government

    has come up with a discussion paper which discusses Mobile signatures, its

    applicability in India and the position in different countries.
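The mobile signature flow described above, together with the public-key check of Section 73A, as an added illustration that is not part of the original paper: a signing PIN unlocks a key held in a token, the chosen text is signed, and the bank verifies with the public key. The names SimToken and bank_verify, the PIN, the sample order text and the toy RSA key are all assumptions made for the example.

```python
import hashlib
import hmac

# Toy RSA key built from two Mersenne primes (constructed for this example;
# trivially factorable, never use such a key for real signing).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest(text: str) -> int:
    """SHA-256 of the chosen text as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")


class SimToken:
    """Hypothetical key storage token: the private key never leaves it."""

    def __init__(self, signing_pin: str, max_tries: int = 3):
        self._pin, self._tries = signing_pin, max_tries

    def sign(self, text: str, pin: str) -> int:
        if self._tries <= 0:
            raise PermissionError("token locked")
        if not hmac.compare_digest(pin, self._pin):
            self._tries -= 1  # a stolen phone gets only a few guesses
            raise PermissionError("wrong signing PIN")
        return pow(digest(text), D, N)  # textbook RSA, no padding


def bank_verify(text: str, signature: int) -> bool:
    """Bank applies the public key (N, E) from the subscriber's certificate."""
    return pow(signature, E, N) == digest(text)


def demo() -> dict:
    token = SimToken(signing_pin="4821")        # constructed PIN
    order = "PAY Rs 200 TO ACCOUNT 0000000000"  # constructed sample text
    sig = token.sign(order, pin="4821")
    tampered = order.replace("200", "2000")     # amount altered in transit
    try:
        token.sign(order, pin="0000")           # holder without the PIN
        thief_signed = True
    except PermissionError:
        thief_signed = False
    return {"genuine": bank_verify(order, sig),
            "tampered": bank_verify(tampered, sig),
            "thief_signed": thief_signed}


if __name__ == "__main__":
    print(demo())
```

Unlike the SMS code, the signing PIN is checked inside the token and is never transmitted; only the text and its signature reach the bank.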

    CONCLUSION

    With the growth of technology the use of internet has gone through serious

    changes. All transactions are carried on the internet and it is being used as the most

    efficient and trouble free mode of conducting business, be it tax returns, patent

    filing or electronic banking; almost all transactions which took hours to complete

    manually can now be completed with the help of a click in minimal time. However

    as the online transactions increase the issue of authenticity has also been a factor to

    consider. Keeping this in mind the concept of digital signatures was introduced in

    India. Though the concept was initially not very well accepted in the industry,

    with the increase in the amount of transactions that are being performed on the internet the laws have been liberalized a little bit to include these

    instruments for almost all kinds of transactions. Though this is a welcome step to

    encourage electronic commerce and at the same time ensure authenticity, it presents

    certain issues, which are as follows:

    1. Digital signature essentially is a technology specific instrument which has, because of its technical complexities, not been received well in the

    industry. The recent amendments in the Information Technology Act have

    substituted the words "electronic signatures" in place of "digital signatures".

    The attempt is to make it more technology neutral by stating that digital

    signatures are one class of electronic signatures. However the absurdity in

    the Act can be viewed from the instance that the words "electronic

    signatures" have not been substituted evenly throughout the Act.

    2. As there has been an increase in the use of digital signatures the need of the hour is to educate and impart awareness to people regarding the use of

    digital signatures.

    3. Verification of digital signatures is an important procedure for establishing evidence in the court of law. The procedure again is very

    complex technically and it is required that a process which is more

    flexible and easily understood should be adopted.

    4. A concern that may creep up with the passage of time is the over dependence on digital signatures as a means to authenticate and validate

    electronic transactions and the question if we have any other means of

    authentication of electronic transactions. The reason for this concern apart

    from digital signatures being technology specific is that they are

    expensive in terms of establishing and utilizing certifying authorities.

    As has always been the case with technology, it is extremely difficult to prepare a

    regulatory framework that aptly corresponds to the changes in technology. In case

    of digital signatures the recent amendments must be lauded for making changes

    that lessen the technical complexities and encourage the use of digital signatures in

    carrying out electronic transactions.