ASSIGNMENT OF

INFORMATION TECHNOLOGY LAWS

TOPIC: DUTIES OF SUBSCRIBERS


(SECTION 40-42)

INTRODUCTION
The introduction of signatures has provided a definite identity to individuals and allowed
the corporate sector and other individuals to function faster, keeping pace with ongoing
technology. Signatures have played a huge role in individuals' decision making and in
enabling consent on a much larger scale. In olden times, every individual or authorised
signatory had to go through the document entirely and then provide his assent. This created
hurdles for organisations, which had to keep up with the pace of the signatory and revolve
around his/her timeline. Now an authorised signatory need not be at a particular place and
can still give his assent.

CONCEPT OF DIGITAL SIGNATURES AND ELECTRONIC SIGNATURES

Digital signature has been defined under Section 2(1)(p) of the Information Technology
Act, 2000.

Digital signature is a special type of electronic signature which involves specific technology
and provides greater assurance of a document's authenticity and integrity than any other form
of electronic signature. It is technology specific and involves the use of asymmetric
cryptography to affix the signature, where the private key encrypts the electronic record to
convert it into illegible form. It can be verified by anyone by using the public key of the
subscriber without the need for proprietary verification software.

Electronic Signature has been defined under Section 2(ta) of the Information Technology
Act, 2000.

“Authentication of any electronic record by a subscriber by means of the electronic technique
specified in the second schedule and includes digital signature.”

Electronic signature is a wider term; it includes digital signature also. It is technology
neutral. Verifying an electronic signature does require the same name, number, code, sound,
fingerprint or any other technique used as the electronic signature (proprietary verification
certificate) by the sender.

UNCITRAL MODEL LAW ON ELECTRONIC
SIGNATURES 2001

The UNCITRAL Model Law on Electronic Signatures 2001 states its purpose in the following
terms, which signify the importance of electronic signatures.

“The increased use of electronic authentication techniques as substitutes for handwritten
signatures and other traditional authentication procedures has suggested the need for a
specific legal framework to reduce uncertainty as to the legal effect that may result from the
use of such modern techniques (which may be referred to generally as “electronic
signatures”). The risk that diverging legislative approaches be taken in various countries with
respect to electronic signatures calls for uniform legislative provisions to establish the basic
rules of what is inherently an international phenomenon, where legal harmony as well as
technical interoperability is a desirable objective.”

DIGITAL SIGNATURE CERTIFICATE (DSC)

A Digital Signature Certificate is a method to prove the authenticity of an electronic
document. It can be presented electronically to prove identity, to access information or to
sign certain documents digitally. The Central Government has appointed a Controller of
Certifying Authorities who grants a license to the Certifying Authorities to issue digital
signature certificates to the subscriber.

WHO NEEDS A DIGITAL SIGNATURE CERTIFICATE

• A vendor and a bidder
• A Chartered Accountant
• Banks
• Other Authorized Signatories
• A Company Secretary
• Director of a company

TYPES OF CERTIFICATE

There are three types: Only Sign, Encrypt, and Sign along with Encryption.

• Only Sign: It can only be used for signing a document. It is widely used in signing
PDF files for the purpose of filing tax returns and for usage as an attachment for the
Ministry of Corporate Affairs or other government websites.
• Encrypt: It is used to encrypt a particular document. It is popularly used in tender
portals to help a company encrypt a document before uploading it.
• Sign along with Encryption: It is used for both signing and encrypting a particular
document.

SUBSCRIBER [SECTION 2(1)(ZG)]


The law provides that an electronic signature or digital signature must be affixed to an
electronic record. Only the subscriber can affix an electronic signature or digital signature
to the electronic record. Under the Information Technology Act, 2000, a licenced Certifying
Authority issues an electronic signature certificate/digital signature certificate to a
subscriber. Any subscriber who has an Electronic Signature Certificate/Digital Signature
Certificate can digitally sign the electronic record. A subscriber, as mentioned under Section
2(1)(zg), means a person in whose name the Electronic Signature Certificate is issued.

PROCEDURE IN BECOMING A SUBSCRIBER


1. Apply to the Local Registration Authority of a licenced Certifying Authority in a
prescribed application form for granting a Digital Signature Certificate or Electronic
Signature Certificate.
2. Select the particular class of certificates in which the applicant is interested.
3. Enter into an agreement with the Local Registration Authority.
4. Generate a key pair in a secure medium and prove the possession of a private key
corresponding to the public key.
5. The Local Registration Authority shall forward the application to the licenced Certifying
Authority.
6. If he is satisfied after reviewing the documents that the applicant is genuine and the
application is under the provisions of law, the licenced Certifying Authority shall now
generate the Digital Signature Certificate.

DUTIES OF SUBSCRIBER

• Generating key pair (Section 40)
• Duties of the subscriber of Electronic Signature Certificate (Section 40A)
• Acceptance of Digital Signature Certificate (Section 41)
• Control of private key (Section 42)

Generating key pair (Section 40)

The first important duty of the subscriber is to generate a key pair. It is provided under the
Act that where any Digital Signature Certificate, the public key of which corresponds to the
private key of that subscriber which is to be listed in the Digital Signature Certificate has
been accepted by a subscriber, the subscriber shall generate that key pair by applying the
security procedure.

It is important to note that a digital signature certificate involves a key pair, i.e. a public
key and a private key. The private key is to be used for affixing a digital signature by the
subscriber, whereas the public key is for verification of the digital signature. It is the duty
of the subscriber to whom the Digital Signature Certificate has been issued to generate this
key pair, or it can be generated by the Certifying Authority on a key generation system in the
presence of the subscriber. But that key pair must be accepted by the subscriber. The key
generation process shall generate statistically random key values which are resistant to known
attacks. Further, it is important to note that single and double key pairs are issued by the CA.

Key change [Rule 19(2) of The Information Technology (Certifying Authorities) Rules,
2000 and para 21.1 of security guidelines for Certifying Authority]: Regarding key
change, it is provided that:

Certifying authority and subscriber keys shall be changed periodically. A key change shall be
processed as per key generation guidelines. The certifying authority shall provide reasonable
notice to the subscribers' relying parties of any change to a new key pair used by the
Certifying Authority to sign Digital Signature Certificates. The certifying authority shall
define a key change process that interlocks the keys, such as by signing a hash of the new key
with the old key.
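
The interlock mentioned above (the old key signing a hash of the new key), shown as an added example in Go that is not part of the original assignment or of any Certifying Authority's software. Ed25519, SHA-256, the `Rollover` record and the function names are assumptions chosen for illustration; the key pairs are generated on the spot as constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Rollover (hypothetical record): new public key + old key's signature over its SHA-256 hash.
type Rollover struct {
	NewKey ed25519.PublicKey
	Sig    []byte
}

func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRollover interlocks the keys: the outgoing private key signs a hash of the incoming public key.
func SignRollover(oldPriv ed25519.PrivateKey, newPub ed25519.PublicKey) Rollover {
	h := sha256.Sum256(newPub)
	return Rollover{NewKey: newPub, Sig: ed25519.Sign(oldPriv, h[:])}
}

// FollowChain accepts each successor key only if the currently trusted key signed its hash.
func FollowChain(trusted ed25519.PublicKey, chain []Rollover) (ed25519.PublicKey, error) {
	for i, r := range chain {
		h := sha256.Sum256(r.NewKey)
		if len(trusted) != ed25519.PublicKeySize || len(r.NewKey) != ed25519.PublicKeySize || !ed25519.Verify(trusted, h[:], r.Sig) {
			return nil, fmt.Errorf("rollover %d: new key not signed by the trusted key", i)
		}
		trusted = r.NewKey
	}
	return trusted, nil
}

func main() {
	pub1, priv1 := GenKey()
	pub2, priv2 := GenKey()
	pub3, _ := GenKey()
	chain := []Rollover{SignRollover(priv1, pub2), SignRollover(priv2, pub3)}
	_, err := FollowChain(pub1, chain)
	chain[1].NewKey = pub1 // constructed tampering: substituted key, old signature no longer matches
	_, bad := FollowChain(pub1, chain)
	fmt.Println("valid chain:", err, "| substituted key:", bad)
}
```

A relying party that holds only the first public key can follow the records to the current key, and a record whose key was swapped or whose predecessor link is missing is refused.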

The period of keys [Rule 19(2) of The Information Technology (Certifying Authorities)
Rules, 2000 and para 21.1 of security guidelines for the Certifying Authority]:

It is important to note that all keys have a period of not more than 5 years. However, the
suggested validity periods are:

• 5 years in case of certifying authorities' root key and associated certificates.
• 3 years in case of subscriber digital signature certificate key (public key).
• 2 years in case of certifying authorities' private signing key.
• 3 years in case of subscriber private key.

Duties of the subscriber of Electronic Signature Certificate (Section 40A)

In respect of the Electronic Signature Certificate, the subscriber shall perform such duties as
may be prescribed.

Acceptance of Digital Signature Certificate (Section 41)

This duty of accepting the Digital Signature Certificate is considered to be the most important
duty of the subscriber because unless he has accepted the Digital Signature Certificate, he
cannot digitally sign the E-record. However, a subscriber shall be deemed to have accepted a
Digital Signature Certificate if he publishes or authorizes the publication of Digital Signature
Certificate:

• To one or more persons;
• In a repository; or
• Otherwise demonstrates his approval of the Digital Signature Certificate in any
manner.

By accepting a Digital Signature Certificate, the subscriber certifies to all who reasonably
rely on the information contained in the Digital Signature Certificate that:

• The subscriber holds the private key corresponding to the public key listed in the
Digital Signature Certificate and is entitled to hold the same;
• All representations made by the subscriber to the Certifying Authority and all material
relevant to the information contained in the Digital Signature Certificate are true;
• All information in the Digital Signature Certificate, which is within the knowledge of
the subscriber, is true.

Control of private key (Section 42)

Another important duty of the subscriber is to have control over his private key. It is provided
under the Act that every subscriber shall exercise reasonable care to retain control of the
private key corresponding to the public key listed in his Digital Signature Certificate and take
all steps to prevent its disclosure. If the private key corresponding to the public key listed in
the Digital Signature Certificate has been compromised, then, the subscriber shall
communicate the same without any delay to the Certifying Authority in such manner as may
be specified by the regulations.

COMPROMISE OF DIGITAL SIGNATURE CERTIFICATE (RULE 28) OF THE INFORMATION
TECHNOLOGY (CERTIFYING AUTHORITIES) RULES, 2000

1. Where any operational or functional digital signature certificate, which is in use,
becomes compromised then it shall be revoked under the procedure defined in the
Certification Practice Statement of Certifying Authority. However, a Digital Signature
Certificate shall:
• Be deemed to be compromised where the integrity of the private key associated with
the Digital Signature Certificate is in doubt;
• The Digital Signature Certificate owner is in doubt, as to the use, or attempted use of
his key pairs, or otherwise, for malicious or unlawful purposes;
2. Remain in the compromised state for only such time as it takes to arrange for
revocation.

Key compromise [Rule 19(2) of The Information Technology (Certifying Authorities)
Rules, 2000 and para 21.3 of security guidelines for Certifying Authority]:

• A procedure shall be pre-established to handle cases where a compromise of
certifying authority's digital signature private key has occurred. In such a case, the
certifying authority shall immediately revoke all affected Digital Signature
Certificates.
• The certifying authority should immediately revoke the affected keys and the digital
signature certificate in case of a compromise of the private key of subscribers.
• The certifying authority's private key shall be archived permanently to facilitate audit
or investigation requirements.
• The archives of certifying authority's public key shall be protected from unauthorized
modification.

Therefore, the duties of the subscriber under Section 40-42 of Information Technology
Act, 2000 read with Rules and Regulations are the following:

• To generate a key pair on a secure medium as specified in certifying
authority's CPS.
• To provide the correct information about any error, omission, or
misrepresentation in the application.
• To use the certificate for authorized purposes as mentioned in the CPS.
• To accept the digital signature certificate generated by certifying authority
when given information in the application is true.
• To protect the private key in a secure medium.
• To notify any change in the information mentioned in the subscriber's Digital
Signature Certificate that shall make such information inaccurate or
misleading.

CONCLUSION
A subscriber is a person to whom an Electronic Signature Certificate/Digital Signature
Certificate is issued by the Certifying Authority. A subscriber can affix an electronic
signature or digital signature to the electronic record. Any subscriber who has an Electronic
Signature Certificate/Digital Signature Certificate can digitally sign the electronic record.
His main function is to generate key pairs, accept key pairs and control the key pair, and
where his key is compromised he must follow the procedure mentioned under the law to inform
the Certifying Authority.
