Misconceptions About Electronic Signature
During recent discussions with several informed members of the public, there appeared to be a widely prevailing misconception about the provision of Section 3A of ITA 2008 regarding "Electronic Signatures".
It appears that people have misinterpreted the term "Electronic Signature" to mean any form of authentication other than "Digital Signatures". Some are speaking as if "Click Wrap" agreements will now be recognized. Some bankers are on the prowl to seize any opportunity to get 2-factor authentication itself recognized as a digital signature, as they tried during the G Gopalakrishna Working Group discussions.
In notifying the Section 43A and Sec 79 rules, the Government has shown that it can try to introduce legislation which is ultra vires the Act and draft the notifications in such a way that they can be misleading and misinterpreted to its convenience. I was alarmed by the revelation that even some organizations such as the PKI Forum seem to hold a view which may not be fully correct.
Let's therefore explore this new section introduced in ITA 2008 in a little more detail.
Sec 3A: Electronic Signature
(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which-
(a) is considered reliable; and
(b) may be specified in the Second Schedule.
(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if-
(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfills such other conditions which may be prescribed.
(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.
(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the second schedule;
Provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.
(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.
It is clear from the above that the GOI, in trying to make the authentication system "Technology Neutral", introduced Section 3A as an "Enabling Provision" so that new technologies, as and when available, can be used to define additional methods of authentication.
It is however necessary that such a new technology be codified into the CPS of a licensed Certifying Authority and Gazette notified to be added into Schedule II of ITA 2008.
Before such an approval can be given, first by the CCA and then by the Parliament, it is necessary for the electronic signature system to satisfy sub-section (2) of Section 3A.
If the Government tries to introduce any notification which is not in accordance with sub-section (2) of Section 3A, it is likely to be questioned in the Courts. The fact that the rules of April 11, 2011 are being challenged both in the Courts and in the Parliament itself should be a pointer for the DIT to avoid another confrontation, which may lead to the questioning of all the amendments passed in a hurry in the Parliament without any debate.
The first criterion to be satisfied by an "Electronic Signature" is that it should create "Signature Creation Data" and link it to the signatory in such a manner that the linkage is unique and can be proved as not being linked to any other person.
Secondly, such data should be under the control of the signatory and nobody else at the time of signing.
These two criteria correspond to the use of the private key in the encryption of the hash value in the current system of digital signature.
The third criterion to be fulfilled is that any alteration to the electronic signature (we suppose this should mean the document being authenticated) made after affixing such signature is detectable.
This criterion corresponds to the functionality of the hash algorithm used in the digital signature system.
Additionally, if any other conditions are prescribed, they too shall be fulfilled.
It is clear from the above that for any authentication system to be considered an "Electronic Signature", it must have the two properties represented by the hashing and asymmetric crypto system: there must be a mechanism to identify any change to the data after the signature is affixed, and some data exclusively under the control of the signer must be part of the signature.
At present there does not seem to be any known technology of this type anywhere in the world other than the PKI-based digital signature system. Hence the possibility of any other system being considered an "Electronic Signature" in replacement of the digital signature is remote.
The Click Wrap system does not fulfill any of the three conditions mentioned above. Even the SSL system does not satisfy the conditions, as the signer is not in control of the exclusive "key". Two-factor authentication, including those forms which use mobile devices, does not conform to any of these requirements.
If any person is under the illusion that there are legally accepted forms of authentication of electronic documents as an alternative to digital signatures, they are of course mistaken.
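The mapping of the sub-section (2) criteria onto hashing and an asymmetric key, and the contrast with shared-secret schemes such as 2-factor codes or an SSL session MAC, can be exercised directly. The Go program below is an added illustration and not part of the article: it uses an Ed25519 signature for the PKI case and an HMAC tag for the shared-secret case, and the record, the secrets and the key pairs are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample electronic record (not taken from the article).
var Record = []byte("Transfer Rs 10,000 to account 1234")
// Check records how one mechanism fares against the Section 3A(2) criteria.
type Check struct {
	GenuineVerifies    bool // the unaltered record and its authenticator verify
	AlterationDetected bool // (c)/(d): a change to the record or to the signature is detectable
	OtherKeyRejected   bool // (a): the signature is linked to this signer's key and no other
	VerifierCanForge   bool // (b) broken: the checking party alone can mint a valid authenticator
}
// tamper flips one bit in a copy of b, standing in for any post-signing alteration.
func tamper(b []byte) []byte { c := append([]byte{}, b...); c[len(c)-1] ^= 0x01; return c }
// SignatureCheck: asymmetric (PKI-style) signature. Only the signer holds priv; the relying
// party holds pub and cannot sign, so (a) and (b) hold; (c) and (d) come from hash-and-sign.
func SignatureCheck() Check {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)  // error only on entropy failure; ignored here
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a second subscriber's key
	sig := ed25519.Sign(priv, Record)
	return Check{
		GenuineVerifies:    ed25519.Verify(pub, Record, sig),
		AlterationDetected: !ed25519.Verify(pub, tamper(Record), sig) && !ed25519.Verify(pub, Record, tamper(sig)),
		OtherKeyRejected:   !ed25519.Verify(otherPub, Record, sig),
		VerifierCanForge:   false, // the verifying side holds no private key to sign with
	}
}
// SharedSecretCheck: an HMAC tag, the shape of an OTP/2FA code or a TLS record MAC. Both sides
// hold the same secret, so the verifier itself can produce a tag for a record the signer never saw.
func SharedSecretCheck() Check {
	tag := func(secret, rec []byte) []byte { m := hmac.New(sha256.New, secret); m.Write(rec); return m.Sum(nil) }
	secret, other := []byte("constructed-shared-secret"), []byte("constructed-other-secret")
	accept := func(rec, t []byte) bool { return hmac.Equal(tag(secret, rec), t) } // the verifier's check
	genuine := tag(secret, Record)
	forged := []byte("Transfer Rs 1,00,000 to account 9999") // constructed; never authenticated by the signer
	return Check{
		GenuineVerifies:    accept(Record, genuine),
		AlterationDetected: !accept(tamper(Record), genuine) && !accept(Record, tamper(genuine)),
		OtherKeyRejected:   !accept(Record, tag(other, Record)),
		VerifierCanForge:   accept(forged, tag(secret, forged)), // the verifier mints a tag and accepts it
	}
}
func main() { fmt.Printf("signature: %+v\nshared secret: %+v\n", SignatureCheck(), SharedSecretCheck()) }
```

Both mechanisms detect alteration; only the signature keeps the authenticating material with the signer alone, which is the property the Click Wrap, SSL and 2-factor schemes lack.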
However, due to the peculiar decision given by the Adjudicator of Karnataka in one of the judgments, even the validity of digital signatures as a form of legally accepted authentication has become legally questionable. The CCA has not been able to take steps to annul the decision of the Adjudicator, and the DIT, by not appointing a presiding officer for the CAT, has prolonged the crisis of authentication, unmindful of the consequences for the public.
Related Article:
Naavi
April 30, 2012
[Comments welcome]