It may look strange that the question "Has MCIT killed the
  Digital Signature System in India?" is being raised at a time when MCIT
  (the Ministry of Communications and Information Technology) may even claim to have
  taken some steps to promote the use of digital signatures.
 
  The Hindu of 14 May 2005 carried an advertisement from Indian Railways about the
  use of Digital Signatures in its e-procurement procedures. Giving out the URLs of
  SafeScrypt, TCS, MTNL and (n)code, it urged interested vendors to equip themselves
  with digital signatures.
 
  I do not recall another such open promotion of digital
  signatures, even by the Certifying Authorities themselves. This indicates that
  at last the Government has realized that it cannot keep letting systems that do
  not comply with cyber law proliferate in e-governance, as has been the practice
  in the five years since ITA-2000 came into force.
 
  Despite these positive developments, it is necessary to
  point out certain other developments which certainly give scope for raising the
  question cited above.
 
  Sections 14, 15 and 16 of ITA-2000 defined what was
  called a Secure Electronic Record, a Secure Digital Signature and a Security
  Procedure. These sections have always been an enigma: the conditions in Section 15
  defining a Secure Digital Signature are satisfied by an ordinary digital signature
  itself (a correctly implemented digital signature is unique to the signer,
  identifies him, and is invalidated by any alteration of the record), so the
  difference sought to be made between the secure digital signature and any other
  digital signature was not perceptible. Sections 14 and 16 were considered enabling
  provisions.
 
  These Sections are reproduced below for reference.

  Section 14 - Secure Electronic Record

  Where any security procedure has been applied to an electronic record at a
  specific point of time, then such record shall be deemed to be a secure
  electronic record from such point of time to the time of verification.

  Section 15 - Secure Digital Signature

  If, by application of a security procedure agreed to by the parties concerned,
  it can be verified that a digital signature, at the time it was affixed, was -

  (a) unique to the subscriber affixing it;
  (b) capable of identifying such subscriber;
  (c) created in a manner or using a means under the exclusive control of the
  subscriber and is linked to the electronic record to which it relates in such
  a manner that if the electronic record was altered the digital signature would
  be invalidated,

  then such digital signature shall be deemed to be a secure digital signature.

  Section 16 - Security procedure

  The Central Government shall for the purposes of this Act prescribe the
  security procedure having regard to commercial circumstances prevailing at the
  time when the procedure was used, including -

  (a) the nature of the transaction;
  (b) the level of sophistication of the parties with reference to their
  technological capacity;
  (c) the volume of similar transactions engaged in by other parties;
  (d) the availability of alternatives offered to but rejected by any party;
  (e) the cost of alternative procedures; and
  (f) the procedures in general use for similar types of transactions or
  communications.
  
  However, through a notification dated October 29, 2004, the MCIT sought to
  bring in a distinction between the Secure Digital Signature and other Digital
  Signatures, as follows.
 
  Extract from Notification Dated October 29, 2004 
 
  Secure digital signature.
  - A digital signature shall be deemed to be a secure digital 
  signature for the purposes of the Act if the following procedure has been 
  applied to it, namely:- 
  
    (a) that the smart card or 
    hardware token, as the case may be, with cryptographic module in it, is used 
    to create the key pair; 
    (b) that the private key used to 
    create the digital signature always remains in the smart card or hardware 
    token as the case may be; 
    (c) that the hash of the content 
    to be signed is taken from the host system to the smart card or hardware 
    token and the private key is used to create the digital signature and the 
    signed hash is returned to the host system; 
    (d) that the information 
    contained in the smart card or hardware token, as the case may be, is solely 
    under the control of the person who is purported to have created the digital 
    signature; 
    (e) that the digital signature 
    can be verified by using the public key listed in the Digital Signature 
    Certificate issued to that person; 
    (f) that the standards referred 
    to in rule 6 of the Information Technology (Certifying Authorities) Rules, 
    2000 have been complied with, in so far as they relate to the creation, 
    storage and transmission of the digital signature; and 
    (g) that the digital signature is 
    linked to the electronic record in such a manner that if the electronic 
    record was altered the digital signature would be invalidated. 
    
  
  On the face of it this appears to be a very reasonable
  provision aimed at introducing more security into the system.
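  The procedure in clauses (a) to (g), and the verification step that Section 73A of the Evidence Act later asks "any other person" to perform, can be made concrete in code. The following is an added illustration and not part of the notification, the Rules or any Certifying Authority's software. It assumes ECDSA over P-256 with SHA-256 (the notification fixes no algorithm) and models the token as a Go type whose private key is held in an unexported field with no accessor, so that the only way to use it is to hand the token a hash. The tender record is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token models the "smart card or hardware token with cryptographic module"
// of clauses (a)-(d). The private key is generated inside it, is held in an
// unexported field with no accessor, and is only ever used by SignHash.
type Token struct {
	priv *ecdsa.PrivateKey
}

// NewToken generates the key pair inside the token (clause (a)).
// P-256 ECDSA is an assumption made for this example; the notification does
// not fix an algorithm.
func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// PublicKey is the only key material the token exports; it stands in for the
// public key a Certifying Authority would list in the Digital Signature
// Certificate (clause (e)).
func (t *Token) PublicKey() *ecdsa.PublicKey {
	return &t.priv.PublicKey
}

// SignHash is the token's sole signing interface (clauses (b) and (c)): it
// accepts a digest computed on the host, never the document itself, and
// returns the signature. Anything that is not a SHA-256 digest is refused.
func (t *Token) SignHash(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("token: want a %d-byte SHA-256 digest, got %d bytes", sha256.Size, len(digest))
	}
	return ecdsa.SignASN1(rand.Reader, t.priv, digest)
}

// HostSign is the host side of clause (c): hash the electronic record on the
// host and hand only the hash to the token.
func HostSign(tok *Token, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return tok.SignHash(digest[:])
}

// Verify is what Section 73A asks "any other person" to do: recompute the hash
// of the record and check the signature against the public key from the
// certificate. Any alteration of the record changes the hash, and the
// signature no longer verifies (clause (g)).
func Verify(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs the whole exchange on a constructed tender record and reports
// whether the signature verifies on the original record and on an altered one.
func Demo() (origOK bool, alteredOK bool, err error) {
	tok, err := NewToken()
	if err != nil {
		return false, false, err
	}
	// Constructed sample record; not taken from any real tender.
	record := []byte("Tender 17/2005, quoted price INR 10,00,000")
	sig, err := HostSign(tok, record)
	if err != nil {
		return false, false, err
	}
	pub := tok.PublicKey()
	origOK = Verify(pub, record, sig)
	// One digit removed after signing: the signature must now fail.
	altered := []byte("Tender 17/2005, quoted price INR 1,00,000")
	alteredOK = Verify(pub, altered, sig)
	return origOK, alteredOK, nil
}

func main() {
	origOK, alteredOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original record verifies: %v\n", origOK)
	fmt.Printf("altered record verifies:  %v\n", alteredOK)
}
```

  Note what the verifying party can and cannot establish here. The altered record fails verification, and a signature made with one token's key does not verify under another token's public key, so clauses (e) and (g) are checkable by anyone holding the certificate. Nothing in a valid signature, however, reveals whether the private key was generated inside a token and never left it (clauses (a), (b) and (d)); those are facts about the signer's equipment, not about the bytes produced, which is why proving that a "Secure Procedure" was used is a separate question from verifying the signature.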
 
  However, MCIT appears to have lost sight of the fact that
  along with ITA-2000, certain amendments were made to the Indian Evidence Act
  1872 wherein evidentiary value was ascribed to digital signatures. The
  notification adversely affects the status of digitally signed electronic
  documents in terms of their evidentiary value.
 
  The newly introduced Section 67A of the Indian Evidence Act 
  stated:
 
  67A: Proof as to digital Signature: Except in the 
  case of a secure digital signature, if the digital signature of any subscriber 
  is alleged to an electronic record, the fact that such digital signature is 
  the digital signature of the subscriber must  be proved.
 
  Under this section, therefore, every digital signature that is not a
  "secure" one must be proved, and the person producing such a document must
  also arrange, at his own cost and responsibility, its verification under
  Section 73A of the Indian Evidence Act, which provides for some other person
  "to apply the public key listed in the digital signature certificate and verify
  the digital signature purported to have been affixed by that person".
 
  I would request the MCIT to clarify 
 
  
  Whether all Certifying Authorities and the Controller 
  are maintaining a repository of digital certificates issued and revoked?
 
  Whether the revocation lists published are current and
  complete?
 
  If the repository and revocation lists are incomplete, 
  not updated and therefore unreliable, is there any means by which a Court can 
  verify the digital signature?
 
  What could be the additional cost for the person 
  producing the digitally signed document in a court of law in arranging the 
  verification?
 
  How do we handle the digital signatures using foreign 
  digital certificates?
 
  How should the document owner (the recipient of a message, in
  the context of evidence) prove, and the court accept,
  that a digitally signed document before it has in fact been
  created using a "Secure Procedure" and not otherwise?
 
  The cost of acquiring a digital certificate even under
  the present non-secure system is considered high for the common man. Under the
  circumstances, has the MCIT estimated what the cost of the "Secure
  Digital Signature System" would be for the consumer, who must now acquire either a
  smart card with a smart card reader or a hardware cryptographic token?
 
  Has MCIT verified whether a hardware cryptographic token can be used at all in a
  normal corporate network, where for various reasons organisations are moving to
  "diskless" dumb-node systems? Are USB ports and smart card
  readers available at every workstation where secure digital signatures would have to be used?
 
  Are all e-governance systems equipped to use secure 
  digital signatures? and if not what would be the cost of such transition?
 
  Lastly, are all employees of the MCIT equipped to use
  secure digital signatures? If not, how do we expect others, and the common man, to
  start using the system, since it would be the only system having evidentiary
  value without further proof?
 
  
  It appears that even before the system of digital 
  signatures can be popularized amongst the common man, MCIT has taken steps to 
  upgrade the system to a "Secure Digital Signature system" and in the bargain 
  made it difficult for the existing system to even take root. 
 
  I hope the above issues have been taken note of by MCIT and 
  we will receive a suitable clarification. 
 
  Naavi
 
  May 14, 2005
 
  (A copy of this article is being sent to the Minister of
  Communications and Information Technology as well as the Secretary of MCIT and
  the Controller of Certifying Authorities. In case any reply is received, it
  will be made available on the site.)
 
  
  Comments 
  are welcome