SafeScrypt,
a wholly owned subsidiary of Satyam Infoway, and an
affiliate of Verisign, became the first Indian CA for
digital signatures in February 2002. SafeScrypt's Managing
Director, K. Dasaratharaman, comments about the acceptability
of Digital Certificates in India. And Scott Khan, Regional
Director, Verisign Hong Kong, talks about emerging applications.
by Brian Pereira
Scott Kahn, Regional Director, VeriSign Inc., and K Dasaratharaman,
Managing Director, SafeScrypt Limited
What have been your achievements so far?
Dasaratharaman:
We got our license in Feb (2002) from the Indian government
(Controller of Certifying Authorities, Ministry of IT).
We've always felt that our business model would make
more sense with this license. Under the IT Act 2000
we are now licensed to issue digital certificates that
will have legal validity. So we became facilitators
of e-commerce and electronic transactions.
So far we have issued a few thousand certificates. We've
got signature clients who are leaders in their respective
industries. Our clientele includes Infosys (for safe
messaging), L&T (for a workflow documentation),
IGNOU and DOEACC (education); ICICI WebTrade (digital
signatures for contract notes), NSE-IT (contract note
selection and also joint development of an application
for a PKI-enabled product for brokers); BHEL (a vendor
management system). We have over 500 clients for Web
server certificates. We also have at least 50 serious
proposals that are in various stages of getting finalized.
The Indian IT Act 2000 has granted digitally signed
statements the same status as physically signed documents
in a court of law. How have public sector and private
companies responded to this?
Dasaratharaman:
Most of our clients wanted legally valid certificates.
The applications used by enterprises are all serious
business applications. For example, as per SEBI guidelines,
contract note signing is mandatory for stock trading.
The sector that presents tremendous opportunity for this
is e-governance. We see a huge number of applications
emerging. The signature applications are e-procurement,
land records across states, and treasury management.
These are the signature applications that most state
governments are looking at.
I think we will start seeing the first pilots this
year, and more deployments on a large scale during 2004.
What is the procedure for getting a digital certificate?
What about the cost?
Dasaratharaman:
Once the physical validation (paper work) is through,
the actual process of enrolment can be done online.
For a consumer certificate, the individual goes to our
website (www.safescrypt.com) and downloads the certificate.
A corporate user may also register at our website. We
will then validate that user by checking with the system
administrator in his respective company. Then we send
an e-mail back to the applicant asking him to go to
our site and download his certificate. This can be done
within a working day.
A certificate can cost less than Rs 100 to several thousand
rupees. It depends on the class of certificate and the
number of certificates required. Then there is a consulting
cost (for enterprises).
Which are the verticals you are targeting here?
Dasaratharaman:
It will be financial services, government, and private
enterprise. The mobile (telecom) sector also has potential
but we are waiting for penetration to increase, especially
in smaller towns and cities. Someday users will store
their certificates in their phone rather than in the
browser or smart card.
When do you see Digital Certificates moving on to
credit cards as a means of validating the owner of the
card?
Dasaratharaman:
The credit card company will have to move onto this
platform. Their complete acceptance infrastructure technology
will have to work on PKI.
Secondly, the acceptance infrastructure of over 100,000
merchants in India will have to change. All the merchant
terminals will need to be adapted/modified to accept
the digital signatures. It's got to take the signature,
transmit it for validation, and receive the validation/rejection.
So there's a backend and client component for this.
Thirdly, we need a PIN to protect the key. So, one will require
the digital signature (in the card) and also the PIN
for authentication. This prevents misuse of the card
in the event of theft.
Scott: In Singapore,
Visa is considering adding digital certificates on ATM
cards. They are also looking at a certificate-based
smart card application where they are driving down the
price of smart cards. They've got crypto and non-crypto
versions. Many ATM machines are already ready to accept
signatures. Governments around the world have implemented
a national ID card. In the near future this card will
have a chip on it. And they are all going to come with
digital certificates. Multi-purpose cards will be used
by governments and financial institutions. These will
be used for your tax filing, as immigration cards, as
credit cards, as ATM cards etc. Over the next couple
of years everyone is going to use these.
On the PKI front, there are many players and lack of
standardization. Is this slowing down its adoption for
e-commerce?
Scott: There are
many articles that say PKI has not really taken off
today. But I see more companies investing in this technology.
The reason is that now there are applications for this.
The biggest problem for people to implement this technology
is that there have been few applications that can accept
certificates. So now the vendors are allowing certificate
users and the companies are moving in the direction
of PKI.
Dasaratharaman:
In order for this technology to be more widely used
you need a legal framework (that we now have in India),
payment acceptance infrastructures (the regulatory bodies
RBI and SEBI are getting interested). The banks are
enabling their payment gateways to accept digital signatures.
The moment the concept of e-wallet becomes reality there
is e-money available. Governments are getting interested
and citizens are looking at these services. So unless
all this happens, PKI will not take off. Because PKI
is in the area of trust, people will take time to switch
their locus of trust from one technology to another.
The banks have got to trust the public networks and
realize that these are cheap, effective and secure (with
technologies like VPN). The shift will happen as bandwidth
becomes more affordable and more services become available.
These are many pieces of the jigsaw puzzle that PKI
depends on.
Has consumer confidence for credit card transactions
on the Net increased?
Dasaratharaman:
Unless the site has a back-to-back secure connection
with the payment gateway, it's not secure. Payment gateways
are important enablers of e-commerce.
Scott: I think more
people are going to use their credit card for online
shopping and it's up to the credit card companies and
banks to make transactions more secure.
Can you tell us something about the servers on which
the public keys are stored?
Dasaratharaman: The Controller of Certifying Authorities
has set up a national repository for storing all certificates
(that contain the public key), which every CA issues.
There is another system: every CA maintains its own
repository for all the certificates that it issues.
Also, when users exchange e-mail, their certificates are also
automatically stored on each other's computers.
What is your strategy for India and future plans?
Dasaratharaman: We believe that revenues will come from
three or four streams. One is enterprise solutions,
Web server certificates, consulting, and development
of products (that need signatures). We also believe
that there is a training market for PKI. We aggressively
follow our partner's strategy.
Brian Pereira can be reached at brianp@networkmagazineindia.com