
Introduction:

The days when paper contracts were authenticated with handwritten signatures and returned by courier for ratification, only for the parties to learn after a substantial delay that the whole document had been nullified because a signature was missing, are gone. The innovative use of digital signatures solves these issues by collecting legally valid signatures immediately and almost completely, with only a few clicks from a desktop, laptop or even a cell phone.[1]

A digital signature is a means of authenticating an electronic record by a subscriber using an electronic method or procedure as laid down in Section 3 of the Information Technology Act, 2000 (hereafter referred to as the IT Act).[2] Digital signatures save time and ensure an efficient workflow, especially when the person required to sign is in a different geographical location.

They also save expenses on paper and ink, thereby reducing environmental impact. As the risk of duplicating or altering a digital signature is low, it is considered secure. The signature confirms that the information emanated from the signer and was not altered in transit.

What is a Digital Signature?

A digital signature is a form of electronic signature. It ascertains the validity and credibility of a message using a mathematical algorithm. A digital signature is a means to secure electronic transactions and authenticate electronic records.[3] Section 3 of the IT Act provides for authentication by use of an asymmetric crypto system and a hash function, which envelop and transform the initial electronic record into another electronic record. Each private and public key pair is unique to the subscriber.[4]

Digital signatures are based on asymmetric (public-key) cryptography, which can meet the needs of flourishing e-commerce by offering message verification, credibility and non-repudiation while also being highly scalable. Under the IT Act, digital signatures are legally valid, so they can be reliably presented in a court of law. Section 5 confers legal recognition on electronic signatures.[5]

An ‘asymmetric crypto-system’ and a ‘hash function’ that envelop and transform the original electronic record into another electronic record are used to authenticate the electronic record.[6] The ‘hash function’ is an algorithm that maps or translates one sequence of bits into another, generally smaller, set.[7] An ‘asymmetric crypto-system’ is a system of a secure key pair consisting of a private key for creating a digital signature and a public key for verifying the digital signature.[8]

Difference between Electronic Signature and Digital Signature

An ‘electronic signature’ is also used for authentication of an electronic record by a subscriber using an electronic technique specified in Schedule-II of the IT Act, and it includes the digital signature.[9] The difference between a digital signature and an electronic signature is that the former is a subset of the latter. Before the 2008 amendment the IT Act provided only for the digital signature as an authentication tool for electronic records; however, with the addition of Section 3A in 2008, any other electronic signature or authentication technique specified in Schedule-II may be used.[10]

The 2008 amendment introduced a variety of choices for subscribers to use electronic signatures, moving toward technology neutrality and thereby providing an equal legal basis to all forms of electronic authentication. So, currently the term ‘digital signature certificate’ is replaced with ‘electronic signature certificate’ issued under Section 35; however, the characteristics, purpose and features of both remain the same. Biometric signatures, passwords, digital signatures, PINs and encryption applications are some examples of electronic signatures.

What is a Digital Signature Certificate?

A digital signature certificate firmly binds the identity of the subscriber to the subscriber’s public key. Digital certificates help validate the certificate holder. They contain the sender’s public key and are digitally signed by the certifying authority.[11] The IT Act defines a digital signature certificate as a certificate issued under Section 35(4).[12] A digital signature certificate is issued with an expiry date and cannot be renewed or re-used after that date,[13] although a new certificate can be issued.[14] Further, digital signature certificates are required to be retained by the certifying authority for seven years after their expiry.[15]

A digital signature certificate acts as a trusted third party that officially verifies and confirms the identity of subscribers and their relationship with their public key. Thus the certificate helps make the process of digital signature more transparent and reliable. A subscriber is the person whose public key the certificate identifies.[16] Such a certificate contains the name of the subscriber, the signature algorithm, the public key information of the subscriber, and the validity period.[17] These certificates are retained in an online, publicly accessible repository.

Digital signature certificates may be issued for individuals, servers, and encryption purposes. Individual digital signature certificates identify a person, server DSCs identify a server, and encryption digital signature certificates are used to encrypt messages.[18]

Steps to obtain the Digital Signature Certificate

  1. The subscriber makes an application to the certifying authority.
  2. The certifying authority verifies the identity and the information provided by the subscriber and then issues the certificate.
  3. The certifying authority forwards the certificate to the repository for public record.
  4. The subscriber then digitally signs the electronic message with the private key, to establish the identity of the sender and the integrity of the message, and sends it to the relying party.
  5. The relying party, after receiving the message, verifies the digital signature with the public key of the subscriber and then queries the repository to confirm the certificate’s status and validity.
  6. Lastly, the repository runs a status check on the subscriber’s certificate and reports the result back to the relying party.

The certifying authority can also reject the application and refuse to issue the certificate, provided that the applicant is given a reasonable opportunity to show cause against such rejection.[19]
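The hash-and-sign construction described under ‘What is a Digital Signature?’ and steps 4 to 6 above, as an added example that is not part of the original article: a constructed certifying authority issues a subscriber certificate, the subscriber signs a record with the private key, and the relying party verifies the signature with the certificate’s public key and then checks the certificate’s status (valid, suspended or revoked, as in the life cycle below) against an in-memory stand-in for the repository. The Repository map, the status strings and the names are assumptions made for illustration, not the Act’s or any certifying authority’s actual interface.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Repository is a constructed in-memory stand-in for the CA's public repository, keyed by serial number.
type Repository map[string]string

const StatusValid, StatusSuspended, StatusRevoked = "valid", "suspended", "revoked"

// IssueCert has the CA sign a certificate binding pub to name (Section 36(b)/(cb)).
// With parent == nil it produces the CA's own self-signed certificate instead.
func IssueCert(caKey *rsa.PrivateKey, parent *x509.Certificate, name string, pub *rsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // expiry date; a new certificate is issued after it
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Sign applies the hash function to the record and signs the digest with the
// subscriber's private key (step 4).
func Sign(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the relying party's check (steps 5 and 6): the certificate must chain to
// the CA, the signature must verify under the certificate's public key (CheckSignature
// re-hashes the record), and the repository must report the certificate as valid.
func Verify(caCert *x509.Certificate, repo Repository, cert *x509.Certificate, record, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // not issued by a trusted certifying authority, or outside its validity period
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, record, sig); err != nil {
		return err // record altered in transit, or signed with a different private key
	}
	if st := repo[cert.SerialNumber.String()]; st != StatusValid {
		return fmt.Errorf("repository reports serial %s as %q, not %q", cert.SerialNumber, st, StatusValid)
	}
	return nil
}
```

A verifier that skips the repository lookup would still accept a signature made under a suspended or revoked certificate, which is why the status check is part of Verify rather than an optional extra.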

Various Classes of Digital Signature Certificates

Section 35(1) of the IT Act entitles any person to apply to the certifying authority for the issuance of a certificate. Sub-section (2) provides for different categories of fees for different classes of applications. Further, every application made to the certifying authority must be accompanied by a certification practice statement.[20] Based on the application and the assurance level needed, digital signature certificates can be classified into the following classes:

Class 1 Certificate:

Class 1 certificates are issued to individuals or private subscribers, primarily those employed by banks and financial institutions. Employers can use Class 1 certificates when dealing with employees. A Class 1 certificate confirms that the user’s name and email address form an unambiguous subject name in the certifying authority’s repository. During the issuing of Class 1 certificates, the specific standard of assurance common to the electronic world is preserved, and users are assumed to be acting rationally when accessing private information.[21]

Class 2 Certificate:

Class 2 certificates are issued to private individuals as well as business officials where the risk and consequences of a data breach are moderate. Class 2 certificates may be used for the electronic filing of sales tax, income tax, etc. The application and supporting documentation must be sent both online and offline, but personal appearance is not required unless the registration authority needs it to verify identity. These credentials verify the identity of the applicant against well-accepted customer databases.[22]

Class 3 Certificate:

Class 3 certificates are issued to organizations, individuals, and servers where a high degree of protection is expected. It is a high-assurance certificate, and the physical appearance of the subscriber before the certifying authority is necessary to prove identity. It is provided where there is a high risk of theft, security breach, and privacy risks. These certificates are specifically meant for e-commerce applications such as e-tendering, e-auctions, etc. As per the specifications of the application, the private key and the corresponding public key embedded in the Class 3 certificate must be generated and stored securely. A registered domain name is required for server certification, along with other documentation.[23]

Life Cycle of Digital Signature Certificate

1. Issuance

A digital signature certificate can be issued only after the subscriber submits an application to the certifying authority and the application is approved.[24] The application must contain the particulars given under Schedule-IV of the Information Technology (Certifying Authorities) Rules, 2000.[25] Issuing an interim digital signature certificate is not allowed.[26] Generating a certificate involves receiving the approved and verified request for issuance of the certificate or creating a new certificate. It also binds the key pair associated with the certificate to the owner of the certificate.[27]

A digital signature certificate is issued by a certifying authority,[28] which is a licensed authority entitled to issue such certificates.[29] Such an authority must comply with the requirements of Section 35 of the IT Act.[30] While issuing the certificate, the certifying authority must certify that all the information in the certificate is truthful and that it has fulfilled the requirements of the IT Act and its rules and regulations. It must publish the certificate or make it available to the person relying on it, and the subscriber must have accepted it.[31]

Section 36 of the IT Act specifically provides that a certifying authority, while issuing a digital signature certificate, must certify that:

  1. It has complied with the provisions of the IT Act and with the rules and regulations made thereunder. It has also published the certificate or otherwise made it available to the person relying upon it, and the subscriber has accepted it; [Section 36 (a)]
  2. The subscriber holds the private key corresponding to the public key listed in the certificate; [Section 36 (b)]
  3. The subscriber holds a private key capable of creating a digital signature; [Section 36 (c)]
  4. The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the subscriber; [Section 36 (ca)]
  5. The public key and the private key of the subscriber constitute a functioning key pair; [Section 36 (cb)]
  6. The information contained in the certificate is accurate; [Section 36 (d)]
  7. It has no knowledge of any material fact which, if included in the certificate, would adversely affect the reliability of the representations made under clauses (a) to (d).[32]

2. Acceptance

Accepting the digital signature certificate means that the subscriber certifies to all persons who reasonably rely on the information in the certificate that all representations made by the subscriber to the authority and all information included in the certificate are true and within the subscriber’s knowledge, and that the subscriber holds the private key corresponding to the public key listed in the digital signature certificate and is entitled to hold it.[33] Acceptance is deemed to have occurred if the subscriber publishes or authorises the publication of the certificate to any person or in a repository, or otherwise signifies approval of it.[34]

3. Suspension

The certifying authority also has the power to suspend the certificate on the request of the subscriber listed in the certificate or of any person authorised to act on the subscriber’s behalf, or if the certifying authority considers that suspension is necessary in the public interest.[35] However, such suspension cannot exceed 15 days without hearing the subscriber.[36] Furthermore, the suspension must be communicated to the subscriber.[37] The certifying authority is required to publish a notice of suspension in the repository specified in the certificate.[38]

4. Revocation

The certifying authority may also revoke the certificate on the request of the subscriber or of any person authorised by the subscriber, on the death of the subscriber, or, where the subscriber is a company or firm, upon the dissolution of that company or firm.[39] In addition, the certificate can be revoked if, in the opinion of the certifying authority, a material fact embodied in the certificate is untrue or has been concealed, a prerequisite for issuing the certificate was not fulfilled, the security system of the certifying authority was compromised in a manner affecting the reliability of the issued certificate, or the subscriber has been declared insolvent.[40] The subscriber must be given an opportunity of being heard before the certificate is revoked,[41] and the revocation must also be communicated to the subscriber.[42] The certifying authority is required to publish a notice of revocation in the concerned repository.[43]

Offenses Related to Digital Signature Certificate

1. Section 71 of the IT Act

Any misrepresentation to, or concealment of a material fact from, the controller or certifying authority in order to obtain the certificate is punishable with imprisonment of up to two years, or a fine of up to one lakh rupees, or both.[44]

2. Section 73 of the IT Act

This Section provides for imprisonment of up to two years, or a fine of one lakh rupees, or both. The penalty applies in the following situations:

  1. When a person publishes a certificate knowing that the certifying authority listed in it has not issued it;
  2. When a person publishes a certificate knowing that the subscriber listed in it has not accepted it;
  3. When the published certificate has been revoked or suspended.[45]

3. Section 74 of the IT Act

If a person knowingly publishes or makes available an electronic signature certificate for any fraudulent or unlawful purpose, this Section provides for imprisonment of up to two years, or a fine of one lakh rupees, or both.[46]

Conclusion

This article briefly outlines the legal provisions regarding digital signatures and digital signature certificates, and discusses the various classes of certificates. It can be concluded that the digital signature certificate is the digital equivalent of a tangible, paper-based certificate. A digital signature is a mathematical scheme for demonstrating the validity of a digital message or document, and the digital signature certificate protects electronic transactions and validates the identity of the certificate holder. The certifying authority is entrusted with the responsibility of issuing the digital signature certificate. As the prominence of electronic mediums increases, various legal frameworks are being brought into force to keep such mediums accountable.


References:

[1] Anubhav Pandey, How to obtain Digital Signature, Ipleaders, (Jan 10, 2021, 2.30 PM) https://blog.ipleaders.in/digital-signature-steps/#_ftnref3.

[2] Information Technology Act, 2000, Sec 2(1)(p), No. 21, Acts of Parliament, 2000 (India).

[3] Information Technology Act, 2000, Sec 3, No. 21, Acts of Parliament, 2000 (India).

[4] Information Technology Act, 2000, Sec 3, No. 21, Acts of Parliament, 2000 (India).

[5] Information Technology Act, 2000, Sec 5, No. 21, Acts of Parliament, 2000 (India).

[6] Information Technology Act, 2000, Sec 3(2), No. 21, Acts of Parliament, 2000 (India).

[7] Information Technology Act, 2000, Sec 3(2), No. 21, Acts of Parliament, 2000 (India).

[8] Information Technology Act, 2000, Sec 2(f), No. 21, Acts of Parliament, 2000 (India).

[9] Information Technology Act, 2000 Sec 2(1)(ta), No. 21, Acts of Parliament, 2000 (India).

[10] Information Technology Act, 2000, Sec 3A, No. 21, Acts of Parliament, 2000 (India).

[11] Eliza Paul, What is Digital Signature- How it works, Benefits, Objectives, Concept, EMP Trust Blog, (Jan 03, 2021, 10.30PM), https://www.emptrust.com/blog/benefits-of-using-digital-signatures.

[12] Information Technology Act, 2000, Sec 2(1)(q), No. 21, Acts of Parliament, 2000 (India).

[13] Information Technology (Certifying Authorities) Rules, 2000, Rule 26(1), G.S.R. 788(E), Central Government, 2000 (India).

[14] Information Technology (Certifying Authorities) Rules, 2000, Rule 26(2), G.S.R. 788(E), Central Government, 2000 (India).

[15] Information Technology (Certifying Authorities) Rules, 2000, Rule 27, G.S.R. 788(E), Central Government, 2000 (India).

[16] Information Technology (Certifying Authorities) Rules, 2000, Rule 7(e), G.S.R. 788(E), Central Government, 2000 (India).

[17] Information Technology (Certifying Authorities) Rules, 2000, Rule 7, G.S.R. 788(E), Central Government, 2000 (India).

[18] Anubhav Pandey, How to obtain Digital Signature, Ipleaders, (Jan 10, 2021, 2.30 PM) https://blog.ipleaders.in/digital-signature-steps/#_ftnref3.

[19] Information Technology Act, 2000, Sec 35(4), No. 21, Acts of Parliament, 2000 (India).

[20] Information Technology Act, 2000, Sec 35(3), No. 21, Acts of Parliament, 2000 (India).

[21] Guidelines for Usage of Digital Signatures in e-Governance – version 1.0, Department of Information Technology, Ministry of Communications and Information Technology, Government of India, (Jan 21, 2021, 5:10 PM) www.daman.nic.in/downloads/2015/Guideline-for-digital-signature.pdf.

[22] Guidelines for Usage of Digital Signatures in e-Governance – version 1.0, Department of Information Technology, Ministry of Communications and Information Technology, Government of India, (Jan 21, 2021, 5:10 PM) www.daman.nic.in/downloads/2015/Guideline-for-digital-signature.pdf.

[23] Id.

[24] Information Technology (Certifying Authorities) Rules, 2000, Rule 23(a), G.S.R. 788(E), Central Government, 2000 (India).

[25] Information Technology (Certifying Authorities) Rules, 2000, Rule 23(a), G.S.R. 788(E), Central Government, 2000 (India).

[26] Information Technology (Certifying Authorities) Rules, 2000, Rule 23(b), G.S.R. 788(E), Central Government, 2000 (India).

[27] Information Technology (Certifying Authorities) Rules, 2000, Rule 24, G.S.R. 788(E), Central Government, 2000 (India).

[28] Information Technology Act, 2000, Sec 36, No. 21, Acts of Parliament, 2000 (India).

[29] Information Technology Act, 2000, Sec 2(1)(g), No. 21, Acts of Parliament, 2000 (India).

[30] Information Technology (Certifying Authorities) Rules, 2000, Rule 23, G.S.R. 788(E), Central Government, 2000 (India).

[31] Information Technology Act, 2000, Sec 36, No. 21, Acts of Parliament, 2000 (India).

[32] Information Technology Act, 2000, Sec 36, No. 21, Acts of Parliament, 2000 (India).

[33] Information Technology Act, 2000, Sec 41(2), No. 21, Acts of Parliament, 2000 (India).

[34] Information Technology Act, 2000, Sec 41(1), No. 21, Acts of Parliament, 2000 (India).

[35] Information Technology Act, 2000, Sec 37(1), No. 21, Acts of Parliament, 2000 (India).

[36] Information Technology Act, 2000, Sec 37(2), No. 21, Acts of Parliament, 2000 (India).

[37] Information Technology Act, 2000, Sec 37(3), No. 21, Acts of Parliament, 2000 (India).

[38] Information Technology Act, 2000, Sec 39(1), No. 21, Acts of Parliament, 2000 (India).

[39] Information Technology Act, 2000, Sec 38(1), No. 21, Acts of Parliament, 2000 (India).

[40] Information Technology Act, 2000, Sec 38(2), No. 21, Acts of Parliament, 2000 (India).

[41] Information Technology Act, 2000, Sec 38(3), No. 21, Acts of Parliament, 2000 (India).

[42] Information Technology Act, 2000, Sec 38(4), No. 21, Acts of Parliament, 2000 (India).

[43] Information Technology Act, 2000, Sec 39(1), No. 21, Acts of Parliament, 2000 (India).

[44] Information Technology Act, 2000, Sec 71, No. 21, Acts of Parliament, 2000 (India).

[45] Information Technology Act, 2000, Sec 73, No. 21, Acts of Parliament, 2000 (India).

[46] Information Technology Act, 2000, Sec 74, No. 21, Acts of Parliament, 2000 (India).
