Home > Cover Story
 Print Friendly Page ||  Email this story

Digital signatures in India

Electronic documents need to be signed to assure recipients of their authenticity, and digital signatures fulfil this need. Dominic K reports

Digital signatures have been in use for quite a while to authenticate various e-commerce and m-commerce transactions. Today, the processes of creating and verifying a digital signature provide a high level of assurance to the involved parties that the e-signature is genuinely the signer’s, and that the electronic document (or the e-contract) is authentic.

As is the case with Electronic Data Interchange (EDI), the process of creating and verifying digital signatures can be completely automated with minimal human interaction. Compared to the tedious and labour-intensive paper methods such as checking specimen signature cards, digital signatures yield a high degree of assurance without adding greatly to the resources required for processing documents.

Ketan Parekh

As a strong believer in the concept, Ketan Parekh, the Chief Technology Officer of Sharekhan says, “Our organisation uses digital signature for applications related to the authorisation of online fund transfers with certain banks. This has helped us authenticate the documentation process that we follow.”

Yet another CIO, Ashok Adhikari, Associate Director of Systems at Aker Kvaerner, is of the opinion that digital signatures bring significant value to his organisation. “The applications are limited to engineering drawings and for e-procurement. Although the use of digital signatures is currently limited to certain applications, we are testing the same and plan to deploy it in a phased manner since I feel that it will facilitate our business processes across the globe.”

A digital foundation of trust

Digital signatures are nothing but a cryptographic (encrypted) signature assurance scheme that lets both parties (sender and receiver) trust an electronic document and treat it as valid and tamper-proof as long as the said document stays in an electronic format.

To get technical, according to ISO/IEC 7498-2, a digital signature is defined as “data appended to, or a cryptographic transformation of a data unit, that allows the recipient of a data unit to prove the source and integrity of the data unit and protect against forgery.”

For individuals

A digital signature involves two components—the public key and the private key. The sender signs a document using his private key that ensures the document’s safety in transit as the text is encrypted and only the sender has access to his private key. Therefore, by signing a document with it, he authenticates that it has originated with him and not been tampered with en route. The recipient of this document uses the sender’s public key to authenticate the encrypted document and to decrypt it into a readable text format.

There are several ways to authenticate a person or the information on a computer. Some of them are password, checksum, CRC (cyclic redundancy check), private key encryption, public key encryption and digital certificate.

Digital certificates for machines

It’s not just individuals who need to be authenticated. Servers need to prove their credentials too. That’s where a digital certificate comes into the picture, ensuring that the information sent to and received from a Web server is authentic, and that the Web server in question can be trusted. It can be trusted since it is verified by an independent source known as a certificate authority. The role of the certificate authority is to ensure that the system on either side can be trusted.

A Certification Authority (CA) issues certificates and stands responsible for them. The CA signs these certificates. This enables users to know which CA created each certificate. The signature also ensures that a third party has not altered or corrupted the certificate at any point of time.

In India, the Indian IT Act authorises the Controller of Certifying Authorities (CCA) to licence and regulate the working of CAs, who, in turn, issue digital signature certificates for electronic authentication of users.

At present, the organisations acting as licenced CAs are the National Informatics Centre, Customs and Central Excise, Institute for Development & Research in Banking Technology, SafeScrypt, Tata Consultancy Services, MTNL and (n)Code Solutions.

It is the responsibility of the CCA to certify the public keys of CAs using its own private key. This enables users in cyberspace to verify that a given certificate is issued by a licenced CA. The Root Certifying Authority of India (RCAI) is the CCA for India. The CCA maintains the National Repository of Digital Certificates (NRDC). This repository contains all the certificates issued by all the CAs in the country.

Classes of digital signatures

These are categorised into three classes. Class one defines the certificates that do not hold any legal validity as the validation process is based only on a valid e-mail ID and involves no direct verification.

The class two category states that a person’s identity is to be verified against a trusted, pre-verified database. Class three requires the person present himself or herself in front of a Registration Authority (RA) and prove his/her identity.

The digital certificate usually contains data such as the owner’s name, company and address, as well as the owner’s public key, along with the certificate’s serial number and validity period. The certificate also includes the certifying company’s ID and its digital signature.

The credit investigation, loan processing, underwriting and document preparation steps can also be done electronically. The borrowers can sign all the loan papers, and the mortgage or trust deed can be notarised over the Internet. Funds can be wire-transferred along with electronic authorisation.

IT Act 2000

The Indian Information Technology Act 2000 (‘Act’) came into effect from October 17, 2000. The Act is by and large based on the United Nations Commission on International Trade Law (UNCITRAL) model law on electronic commerce.

The objective of the Act is to provide for legal recognition of electronic transactions and digital signatures. Section 5 of the Act gives legal recognition to digital signatures. Digital signatures have been legalised in India since 2000. However, since then, hardly any provisions of the Act have been implemented, except for the appointment of the Certifying Authority which took place in 2001.

A long way to go

Although they facilitate many of the desired attributes of electronic commerce—such as speed of transactions and reduced paper-work—digital signatures are still not a widely-accepted concept in India. Because of the technicalities involved this is very much the norm, except in certain cases where the use of digital signatures has been mandated by law, such as filings with the Ministry of Company Affairs.

Though the concept of digital signatures is a powerful tool, it has been difficult to move the concept from theory to reality because of multiple reasons. Some of the reasons include cultural reticence, unequal access to technology, and the lack of an adequate legal and service infrastructure to support such a major shift. In India, paper-based documents continue to be seen as more trustworthy than electronic ones largely because they are tangible and people are used to them.


As Bijesh Thakker, Managing Partner, Thakker & Thakker states, “There are many provisions under the Act, which, although much required, have till date not been implemented. Although statutory recognition is attached to the digital signature, their legal status is yet to be well-defined and interpreted since the validity of digital signatures has not yet been challenged in any Indian court.”

The good thing about digital certificates is that you do not need to buy expensive software to use them. The features needed to support digital certificates are built into operating systems and messaging applications including the ubiquitous Outlook/Outlook Express and Notes/Domino. However, companies deploying this technology will have to buy certificates from a CA, and the pricing varies on the use to which a certificate is put.

Costs vary for the three classes of digital certificates. Class 1 is for e-mail. Class 2 is for forms and electronic contracts. Class 3 is for high-assurance certification such as VPN. Irrespective of the class, pricing is on a per-user basis. For Class 1 it works out to about Rs 500 per user. For Class 2 it is Rs 2,000 to 3,000 per user, and for Class 3 it would be in the range of Rs 3,000 to 4,000 per user. This is one of the reasons why digital signatures are used mostly by large companies.

A Few Provisions of IT Act 2000
  • Legal recognition of digital signatures (section 5). "Where any law provides that information or any other matter shall be authenticated by affixing the signature, or any document should be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is authenticated by the means of digital signature affixed in such manner as may be prescribed by the Central Government."
  • Electronic Record (Section 2(1) (t)). "Means data, record or data generated, image or sound stored, received or sent in an electronic form, or microfilm or computer generated micro-fiche."
  • Legal recognition of Electronic Record (section 4). "Where any law provides that the information or any other matter shall be in writing or in typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is: (a) rendered or made available in an electronic form; and (b) accessible so as to be usable for a subsequent reference."
  • Secure Electronic Record (Section 14). "Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification."
  • Secure Digital Signature (Section 15). "If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was: (a) unique to the subscriber affixing it; (b) capable of identifying such subscriber; (c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated, then such digital signature shall be deemed to be a secure digital signature."
  • Certifying Authority (Section (2(1)(g)). "Means a person who has been granted a licence to issue a Digital Signature Certificate under section 24" (issuance of certificates by Controller).
  • Treatment of Certification Authorities (Chapter VI). "This Act authorises the Central Government to appoint a Controller of Certifying Authorities. The duties of the Controller are listed under Chapter VI of the Act, and include exercising supervision over the activities of certification authorities and defining the duties of these certification authorities."

Courtesy: Karnika Seth

Towards wider adoption

The adoption of digital signatures in India is still at an early stage. Though the idea of digital signatures appears to be sound, it has not lived up to expectations. At the moment, applications of digital signatures are limited to sectors such as banking and financial services, online stock-trading portals, and engineering conglomerates (to authenticate critical engineering drawings and documents).

The government is still stressing on e-governance as an effective delivery channel of all government services to citizens. This just might provide the much needed push to the adoption of this technology. However, huge resistance is being received from users against the introduction of client-side digital certificates for effective authentication. Till this resistance abates, digital signatures will have to struggle for recognition.

Nevertheless, the trend is catching up, as Ram Babu, Country Head, Technology Solutions at Standard Chartered Bank points out. “I feel that process simplification and modification, and other enablers such as low cost and security, should help Indian enterprises accept the technology and processes involved, and deploy the solution at their end beyond what is currently being used.”