a wholly owned subsidiary of Satyam Infoway, and an
affiliate of Verisign, became the first Indian CA for
digital signatures in February 2002. SafeScrypt's Managing
Director, K. Dasaratharaman comments about the acceptability
of Digital Certificates in India. And Scott Khan, Regional
Director, Verisign Hong Kong, talks about emerging applications.
by Brian Pereira
Kahn, Regional Director, VeriSign Inc., and K Dasaratharaman,
Managing Director, SafeScrypt Limited
have been your achievements so far?
We got our license in Feb (2002) from the Indian government
(Controller of Certifying Authorities, Ministry of IT).
We've always felt that our business model would make
more sense with this license. Under the IT Act 2000
we are now licensed to issue digital certificates that
will have legal validity. So we became facilitators
of e-commerce and electronic transactions. So
far we have issued a few thousand certificates. We've
got signature clients who are leaders in their respective
industries. Our clientele includes Infosys (for safe
messaging), L&T (for a workflow documentation),
IGNOU and DOEACC (education); ICICI WebTrade (digital
signatures for contract notes), NSE-IT (contract note
selection and also joint development of an application
for a PKI-enabled product for brokers); BHEL (a vendor
management system). We have over 500 clients for Web
server certificates. We also have at least 50 serious
proposals that are in various stages of getting finalized.
The Indian IT Act 2000 has granted digitally signed
statements the same status as physically signed documents
in a court of law. How have public sector and private
companies responded to this?
Most of our clients wanted legally valid certificates.
The applications used by enterprises are all serious
business applications. For example as per SEBI guidelines,
contract note signing is mandatory for stock trading.
sector that presents tremendous opportunity for this
is e-governance. We see a huge number of applications
emerging. The signature applications are e-procurement,
land records across states, and treasury management.
These are the signature applications that most state
governments are looking at.
I think we will start seeing the first pilots this
year, and more deployments on a large scale during 2004.
What is the procedure for getting a digital certificate?
What about the cost?
Once the physical validation (paper work) is through,
the actual process of enrolment can be done online.
For a consumer certificate, the individual goes to our
website (www.safescrypt.com) and downloads the certificate.
A corporate user may also register at our website. We
will then validate that user by checking with the system
administrator in his respective company. Then we send
an e-mail back to the applicant asking him to go to
our site and download his certificate. This can be done
within a working day. A
certificate can cost less than Rs 100 to several thousand
rupees. It depends on the class of certificate and the
number of certificates required. Then there is a consulting
cost (for enterprises).
Which are the verticals you are targeting here?
It will be financial services, government, and private
enterprise. The mobile (telecom) sector also has potential
but we are waiting for penetration to increase, especially
in smaller towns and cities. Someday users will store
their certificates in their phone rather than in the
browser or smart card.
When do you see Digital Certificates moving on to
credit cards as a means of validating the owner of the
The credit card company will have to move onto this
platform. Their complete acceptance infrastructure technology
will have to work on PKI.
Secondly, the acceptance infrastructure of over 100,000
merchants in India will have to change. All the merchant
terminals will need to be adapted/modified to accept
the digital signatures. It's got to take the signature,
transmit it for validation, and receive the validation/rejection.
So there's a backend and client component for this.
we need a PIN to protect the key. So, one will require
the digital signature (in the card) and also the PIN
for authentication. This prevents misuse of the card
in the event of theft.
Scott: In Singapore,
Visa is considering adding digital certificates on ATM
cards. They are also looking at a certificate-based
smart card application where they are driving down the
price of smart cards. They've got crypto and non-crypto
versions. Many ATM machines are already ready to accept
signatures. Governments around the world have implemented
a national ID card. In the near future this card will
have a chip on it. And they are all going to come with
digital certificates. Multi-purpose cards will be used
by governments and financial institutions. These will
be used for your tax filing, as immigration cards, as
credit cards, as ATM cards etc. Over the next couple
of years everyone is going to use these.
On the PKI front, there are many players and lack of
standardization. Is this slowing down its adoption for
Scott: There are
many articles that say PKI has not really taken off
today. But I see more companies investing in this technology.
The reason is that now there are applications for this.
The biggest problem for people to implement this technology
is that there have been few applications that can accept
certificates. So now the vendors are allowing certificate
users and the companies are moving in the direction
In order for this technology to be more widely used
you need a legal framework (that we now have in India),
payment acceptance infrastructures (the regulatory bodies
RBI and SEBI are getting interested). The banks are
enabling their payment gateways to accept digital signatures.
The moment the concept of e-wallet becomes reality there
is e-money available. Governments are getting interested
and citizens are looking at these services. So unless
all this happens, PKI will not take off. Because PKI
is in the area of trust, people will take time to switch
their locus of trust from one technology to another.
The banks have got to trust the public networks and
realize that these are cheap, effective and secure (with
technologies like VPN). The shift will happen as bandwidth
becomes more affordable and more services become available.
These are many pieces of the jigsaw puzzle that PKI
Has consumer confidence for credit card transactions
on the Net increased?
Unless the site has a back-to-back secure connection
with the payment gateway, it's not secure. Payment gateways
are important enablers of e-commerce.
Scott: I think more
people are going to use their credit card for online
shopping and it's up to the credit card companies and
banks to make transactions more secure.
Can you tell us something about the servers on which
the public keys are stored?
Dasaratharaman: The Controller of Certifying Authorities
has set up a national repository for storing all certificates
(that contain the public key), which every CA issues.
There is another system: every CA maintains its own
repository for all the certificates that it issues.
when users exchange e-mail, their certificates are also
automatically stored on each other's computers.
What is your strategy for India and future plans?
Dasaratharaman: We believe that revenues will come from
three or four streams. One is enterprise solutions,
Web server certificates, consulting, and development
of products (that need signatures). We also believe
that there is a training market for PKI. We aggressively
follow our partner's strategy.
Brian Pereira can be reached at email@example.com