Module 2
AUTHENTICATION OF
ELECTRONIC RECORDS
MS. KRITI PARASHAR
Contents
UNCITRAL Model Law on Electronic Commerce (1996) and Model Law on Electronic Signatures (2001);
Authentication of records (s.3); Digital signature (functional equivalent of paper-based signatures) s.2(1)(p);
Functions (confidentiality, authentication, integrity and non-repudiation); Authentication by use of asymmetric
cryptosystem (s.2(1)(f)), Key pair (s.2(1)(x)), Public key (s.2(1)(zc)), Private key (s.2(1)(zd)), Hash function (s.3),
Electronic signatures (ss.2(1)(ta) and 3A), Affixing electronic signature (s.2(1)(d)); Secure electronic record (s.14)
and Secure electronic signature (s.15); s.85B(2)(a),
The Evidence Act, 1872 (Presumptions as to electronic records and electronic signatures);
Ss.67A and 73A of the Evidence Act, 1872 (Proof as to electronic signature and proof of verification of digital
signatures);
Public key infrastructure and hierarchy (ss.17-26); Role of certifying authorities; Electronic signature certificates,
their suspension and revocation (ss.2(1)(tb), 35-42);
Originator, addressee, attribution, acknowledgment and dispatch of electronic records (ss.11-13).
UNCITRAL Model Law on E-Commerce
The progressive harmonization and unification of the law of international trade and
in that respect to bear in mind the interests of all peoples, in particular those of
developing countries, in the extensive development of international trade.
Noting that an increasing number of transactions in international trade are carried
out by means of electronic data interchange and other means of communication,
commonly referred to as “electronic commerce”, which involve the use of
alternatives to paper-based methods of communication and storage of information.
Believing that the adoption of the Model Law on Electronic Commerce by the
Commission will assist all States significantly in enhancing their legislation
governing the use of alternatives to paper-based methods of communication and
storage of information and in formulating such legislation where none currently
exists
Applicability
This Law applies to any kind of information in the form of a data message used
in the context of commercial activities.
For the purposes of this Law: (a) “Data message” means information generated,
sent, received or stored by electronic, optical or similar means including, but not
limited to, electronic data interchange (EDI), electronic mail, telegram, telex or
telecopy;
The notion of “data message” is not limited to communication but is also intended
to encompass computer-generated records that are not intended for
communication. Thus, the notion of “message” includes the notion of “record”.
Article 3
(1) In the interpretation of this Law, regard is to be had to its international origin
and to the need to promote uniformity in its application and the observance of
good faith.
(2) Questions concerning matters governed by this Law which are not expressly
settled in it are to be settled in conformity with the general principles on which
this Law is based.
Principle of Non-Discrimination
Article 6. Writing
(1) Where the law requires information to be in writing, that requirement is met
by a data message if the information contained therein is accessible so as to be
usable for subsequent reference.
(2) Paragraph (1) applies whether the requirement therein is in the form of an
obligation or whether the law simply provides consequences for the information
not being in writing.
(3) The provisions of this article do not apply to the following:
By establishing a principle of non-discrimination, it is to be construed as making
the domestic rules applicable to incorporation by reference in a paper-based
environment equally applicable to incorporation by reference for the purposes of
electronic commerce.
Purpose of Writing
The following nonexhaustive list indicates reasons why national laws require the use
of “writings”: (1) to ensure that there would be tangible evidence of the existence and
nature of the intent of the parties to bind themselves; (2) to help the parties be aware
of the consequences of their entering into a contract; (3) to provide that a document
would be legible by all; (4) to provide that a document would remain unaltered over
time and provide a permanent record of a transaction; (5) to allow for the reproduction
of a document so that each party would hold a copy of the same data; (6) to allow for
the authentication of data by means of a signature; (7) to provide that a document
would be in a form acceptable to public authorities and courts; (8) to finalize the
intent of the author of the “writing” and provide a record of that intent; (9) to allow
for the easy storage of data in a tangible form; (10) to facilitate control and
subsequent audit for accounting, tax or regulatory purposes; and (11) to bring legal rights
and obligations into existence in those cases where a “writing” was required for
validity purposes.
Accessibility
The use of the word “accessible” is meant to imply that information in the form of
computer data should be readable and interpretable, and that the software that
might be necessary to render such information readable should be retained. The
word “usable” is not intended to cover only human use but also computer
processing. As to the notion of “subsequent reference”, it was preferred to
such notions as “durability” or “non-alterability”, which would have
established too harsh standards, and to such notions as “readability” or
“intelligibility”, which might constitute too subjective criteria.
Signature and original
The requirement that data be presented in written form (which can be described as a “threshold
requirement”) should thus not be confused with more stringent requirements such as “signed writing”,
“signed original” or “authenticated legal act”.
For example, under certain national laws, a written document that is neither dated nor signed,
and the author of which either is not identified in the written document or is identified by a mere
letterhead, would be regarded as a “writing” although it might be of little evidential weight in
the absence of other evidence (e.g., testimony) regarding the authorship of the document.
In addition, the notion of unalterability should not be considered as built into the concept of
writing as an absolute requirement since a “writing” in pencil might still be considered a
“writing” under certain existing legal definitions. Taking into account the way in which such issues
as integrity of the data and protection against fraud are dealt with in a paper-based environment, a
fraudulent document would nonetheless be regarded as a “writing”. In general, notions such as
“evidence” and “intent of the parties to bind themselves” are to be tied to the more general issues of
reliability and authentication of the data and should not be included in the definition of a “writing”.
Requirements as to Signature
Signature (Article 7)
(1) Where the law requires a signature of a person, that requirement is met in relation to a
data message if:
(a) a method is used to identify that person and to indicate that person’s approval of the
information contained in the data message; and
(b) that method is as reliable as was appropriate for the purpose for which the data
message was generated or communicated, in the light of all the circumstances, including
any relevant agreement.
The concept of a signature adopted in that context is such that a stamp, perforation or even
a typewritten signature or a printed letterhead might be regarded as sufficient to fulfil the
signature requirement. At the other end of the spectrum, there exist requirements that
combine the traditional handwritten signature with additional security procedures such as
the confirmation of the signature by witnesses.
Requirements as Regards Original
Original (Article 8)
Where the law requires information to be presented or retained in its original
form, that requirement is met by a data message if:
(a) there exists a reliable assurance as to the integrity of the information from
the time when it was first generated in its final form, as a data message or
otherwise; and
(b) where it is required that information be presented, that information is capable
of being displayed to the person to whom it is to be presented.
Methods for Reliability: Scans and adding term electronic certificate.
Assessing Integrity of Data
For example, where an originator sends an offer in a data message and requests
acknowledgement of receipt, the acknowledgement of receipt simply evidences
that the offer has been received. Whether or not sending that acknowledgement
amounted to accepting the offer is not dealt with by the Model Law but by
contract law outside the Model Law.
For example, where the originator sent a data message which under the agreement
between the parties had to be received by a certain time, and the originator
requested an acknowledgement of receipt, the addressee could not deny the
legal effectiveness of the message simply by withholding the requested
acknowledgement.
Article 15. Time and place of dispatch and receipt of data messages
Article 15(1). The dispatch of a data message occurs when it enters an information
system outside the control of the originator or of the person who sent the data
message on behalf of the originator.
Time
(2) Unless otherwise agreed between the originator and the addressee, the time of
receipt of a data message is determined as follows: (a) if the addressee has
designated an information system for the purpose of receiving data messages,
receipt occurs: (i) at the time when the data message enters the designated
information system; or (ii) if the data message is sent to an information system of the
addressee that is not the designated information system, at the time when the data
message is retrieved by the addressee; (b) if the addressee has not designated an
information system, receipt occurs when the data message enters an information
system of the addressee.
Place of Business
Place
(4) Unless otherwise agreed between the originator and the addressee, a data
message is deemed to be dispatched at the place where the originator has its
place of business, and is deemed to be received at the place where the
addressee has its place of business.
For the purposes of this paragraph: (a) if the originator or the addressee has more
than one place of business, the place of business is that which has the closest
relationship to the underlying transaction or, where there is no underlying
transaction, the principal place of business; (b) if the originator or the addressee
does not have a place of business, reference is to be made to its habitual
residence.
Article 17
(5) Where one or more data messages are used to effect any action in
subparagraphs (f) and (g) of article 16, no paper document used to effect any
such action is valid unless the use of data messages has been terminated and
replaced by the use of paper documents. A paper document issued in these
circumstances shall contain a statement of such termination. The replacement of
data messages by paper documents shall not affect the rights or obligations of the
parties involved.
Will
Article 12
(1) As between the originator and the addressee of a data message, a declaration
of will or other statement shall not be denied legal effect, validity or enforceability
solely on the grounds that it is in the form of a data message.
Legality of a Digital Will or Video Recording of a Will in India: Section 68 of the
Indian Evidence Act, 1872 and Section 63 of the Indian Evidence Act, 1925.
SAYAR KUMARI VS. STATE AND ORS. (09.10.2009 - DELHC)
The Supreme Court has in State of Maharashtra v. Prafull B. Desai (2003)
recognized in principle, although in the context of a trial, that
evidence by way of video recording is admissible.
UNCITRAL Model Law on Electronic Signatures
Mindful of the great utility of new technologies used for personal identification in
electronic commerce and commonly referred to as electronic signatures,
Desiring to build on the fundamental principles underlying article 7 of the Model
Law on Electronic Commerce with respect to the fulfilment of the signature
function in an electronic environment, with a view to promoting reliance on
electronic signatures for producing legal effect where such electronic signatures
are functionally equivalent to handwritten signatures, Convinced that legal
certainty in electronic commerce will be enhanced by the harmonization of certain
rules on the legal recognition of electronic signatures on a technologically neutral
basis and by the establishment of a method to assess in a technologically neutral
manner the practical reliability and the commercial adequacy of electronic
signature techniques
Article 1
This Law applies where electronic signatures are used in the context of
commercial activities. It does not override any rule of law intended for the
protection of consumers.
Electronic Signature
(a) “Electronic signature” means data in electronic form in, affixed to or logically
associated with, a data message, which may be used to identify the signatory in
relation to the data message and to indicate the signatory’s approval of the
information contained in the data message;
(b) “Certificate” means a data message or other record confirming the link
between a signatory and signature creation data;
(d) “Signatory” means a person that holds signature creation data and acts either
on its own behalf or on behalf of the person it represents
Article 3. Equal treatment of signature
technologies
Nothing in this Law, except article 5, shall be applied so as to exclude, restrict or
deprive of legal effect any method of creating an electronic signature that
satisfies the requirements referred to in article 6, paragraph 1, or otherwise
meets the requirements of applicable law.
Requirements as Regards Signature
14. Secure electronic record.—Where any security procedure has been applied to an
electronic record at a specific point of time, then such record shall be deemed to be a secure
electronic record from such point of time to the time of verification.
15. Secure electronic signature.—An electronic signature shall be deemed to be a secure
electronic signature if— (i) the signature creation data, at the time of affixing signature,
was under the exclusive control of signatory and no other person; and (ii) the signature
creation data was stored and affixed in such exclusive manner as may be prescribed.
Explanation.–In case of digital signature, the “signature creation data” means the private
key of the subscriber.
16. Security procedures and practices.—The Central Government may, for the purposes of
sections 14 and 15, prescribe the security procedures and practices: Provided that in
prescribing such security procedures and practices, the Central Government shall have
regard to the commercial circumstances, nature of transactions and such other related
factors as it may consider appropriate.
Presumptions to Electronic Record and
Electronic Signature
S.67A and 73A the Evidence Act, 1872 (Proof as to
electronic signature and proof of verification of digital
signatures)
67A. Proof as to electronic signature–– Except in the case of a secure electronic
signature, if the electronic signature of any subscriber is alleged to have been
affixed to an electronic record the fact that such electronic signature is the
electronic signature of the subscriber must be proved.
The burden of proof lies on the signatory where the signature was not affixed as per the security procedure.
Verification of Digital Signature
Trusted third parties who not only authenticate digital signature but also
dispense public keys.
Section 17. Appointment of Controller and other officers.
Controller of Certifying Authority
Appoint such number of Deputy Controllers, Assistant Controllers, other officers
and employees.
Central Government- Controller-Deputy- Assistant Controllers.
Three wings – Technology, Finance and Legal, Investigation.
Nov 1, 2000 CCA appointed.
A Certifying Authority has to receive its licence from the ‘root’ Certifying Authority,
and the signature of the issuing authority can be verified from the Controller.
A PKI system is more than a subordinate-superior relationship; it is a set of
policies.
IT (Certifying Authority) Rules, 2000 and IT (Certifying Authority)
Regulations, 2001, to be read along with the Certification Practice Statement.
Role of Certifying Authorities
(a) exercising supervision over the activities of the Certifying Authorities; (Half
yearly and quarterly audit and report- Rule 31 of 2000 rules)
(b) certifying public keys of the Certifying Authorities; (Root Certifying
Authority of India to certify all CAs, issue and revoke license- They generate
a public and private key and submit to controller- Rule 20 2001 Rules)
(c) laying down the standards to be maintained by the Certifying Authorities;
(Regulation 4 of 2001- Directory, form and size, certificates, etc.)
(d) specifying the qualifications and experience which employees of the
Certifying Authority should possess;
(e) specifying the conditions subject to which the Certifying Authorities shall
conduct their business;
(f) specifying the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of an electronic signature
Certificate and the public key; (Absence of guidelines for Electronic
Signatures)
(g) specifying the form and content of an electronic signature Certificate and the
key;
(h) specifying the form and manner in which accounts shall be maintained by the
Certifying Authorities;
(i) specifying the terms and conditions subject to which auditors may be
appointed and the remuneration to be paid to them; (Rule 31 and 32 of the 2000
IT Rules- Auditors check adequacy of security policies, physical security,
Evaluation of functionaries,)
(j) facilitating the establishment of any electronic system by a Certifying Authority either solely or
jointly with other Certifying Authorities and regulation of such systems;
(k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the
subscribers; (Certification Practice Statement)
(l) resolving any conflict of interests between the Certifying Authorities and the subscribers;
(CCA can mediate between CAs and subscribers directly or through arbitrator-Rule 12 IT
Rules, 2000 dispute referred to controller for arbitration or resolution)
A.K. Kraipak v. Union of India: ‘The dividing line between an administrative and a quasi-judicial body is
quite thin and is being gradually obliterated. The nature of the functions has to be looked into.’
(m) laying down the duties of the Certifying Authorities;
(n) maintaining a data base containing the disclosure record of every Certifying Authority
containing such particulars as may be specified by regulations, which shall be accessible to public.
Controller to issue license
Section 25
(1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that
a Certifying Authority has—
(a) made a statement in, or in relation to, the application for the issue or renewal of the
licence, which is incorrect or false in material particulars;
(b) failed to comply with the terms and conditions subject to which the licence was granted;
(c) failed to maintain the procedures and standards specified in section 30; (Reliability,
security, repository, publication requirements)
(d) contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the licence:
Provided that no licence shall be revoked unless the Certifying Authority has been
given a reasonable opportunity of showing cause against the proposed revocation.
Suspension of License
(2) The Controller may, if he has reasonable cause to believe that there is any
ground for revoking a licence under sub-section (1), by order suspend such
licence pending the completion of any enquiry ordered by him:
Provided that no licence shall be suspended for a period exceeding ten days
unless the Certifying Authority has been given a reasonable opportunity of
showing cause against the proposed suspension.
(3) No Certifying Authority whose licence has been suspended shall issue any
electronic signature Certificate during such suspension.
Notice of Revocation of License is issued under Section 26.
Electronic Signature Certificates (S.35-42)
STEPS
CCA- Licensed CA- Application for Digital Signature Certificate- Validation of
Application- Issue of Certificate- Acceptance of Certificate- Use of Certificate-
Suspension or Revocation of certificate- Certificate expiration.
Section 35
(1) Any person may make an application to the Certifying Authority for the issue of a electronic
signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand
rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be prescribed for
different classes of applicants.
(3) Every such application shall be accompanied by a certification practice statement or where there is
no such statement, a statement containing such particulars, as may be specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration
of the certification practice statement or the other statement under sub-section (3) and after making such
enquiries as it may deem fit, grant the electronic signature Certificate or for reasons to be recorded in
writing, reject the application:
Provided that no application shall be rejected unless the applicant has been given a reasonable
opportunity of showing cause against the proposed rejection.
Classes of Certificates – Sec 35(2)
Though the Central Government has fixed an upper limit on the fee (not exceeding
Rs. 25,000), it has given the Certifying Authorities the freedom to charge
different fees from different classes of applicants.
Classes of Certificates Each class provides for a different level of trust.
Class 1: Used primarily for web browsing and personal e-mail, to enhance the
security environment. Provides the lowest level of assurance of all TCS-CA
certificates. Certificates confirm that the user’s name and e-mail address form an
unambiguous subject name within the CA repository.
Class 2: Used primarily for an organization’s functional and administrative needs.
The verification process is less rigorous than for Class 3 certificates. The head
of the organization or his/her nominee is given a digital certificate to initiate
the process for issuing further certificates. He/she/it in turn requests the CA to
issue other certificates.
Class 3: Used primarily for certain e-commerce applications such as electronic
banking, EDI and membership-based online services. The validation procedures
provide stronger assurances of an applicant’s identity than Class 2 certificates.
These certificates require assurance of the identity of the subscriber by
requiring their physical appearance before the LRA (Local Registration
Authority). All personal details like PAN, Passport, etc. are verified.
Certification Practice Statement - Sec
35(3)
Certificate practice statement or a statement containing particulars as may be
specified by the regulations needs to be submitted.
Section 36- Authentication function of certifying authorities (representations
made on issuing a Digital Signature Certificate: the Certifying Authority certifies that)
(a) it has complied with the provisions of this Act and the rules and regulations
made thereunder;
(b) it has published the Digital Signature Certificate or otherwise made it
available to such person relying on it and the subscriber has accepted it.
(c) the subscriber holds the private key corresponding to the public key, listed
in the Digital Signature Certificate;
(ca) the subscriber holds a private key which is capable of creating a digital
signature;
(cb) the public key to be listed in the certificate can be used to verify a digital
signature affixed by the private key held by the subscriber;
(d) the subscriber's public key and private key constitute a functioning key pair;
(e) the information contained in the Digital Signature Certificate is accurate; and
(f) it has no knowledge of any material fact, which if it had been included in the
Digital Signature Certificate would adversely affect the reliability of the
representations in clauses (a) to (d).
Section 37- Suspension of DSC
Grounds for suspension:
where the subscriber or any other person authorised by him makes a request to that effect;
upon the death of the subscriber; or
upon the dissolution of the firm or winding up of the company where the subscriber is a firm
or a company.
Section 38- Revocation of DSC
Grounds for revocation:
a material fact represented in the Digital Signature Certificate is false or has been concealed;
a requirement for issuance of the Digital Signature Certificate was not satisfied;
the Certifying Authority's private key or security system was compromised in a manner
materially affecting the Digital Signature Certificate's reliability;
the subscriber has been declared insolvent or dead or where a subscriber is a firm or a
company, which has been dissolved, wound-up or otherwise ceased to exist.
(3) A Digital Signature Certificate shall not be revoked unless the subscriber has been
given an opportunity of being heard in the matter.
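The representations in Section 36(c), (cb) and (d) (the subscriber holds the private key matching the listed public key, the pair functions, and the public key verifies signatures made with that private key) and the relying party's treatment of a suspended or revoked certificate can be seen in working code. The following Go program is an added example written for these notes; it is not code from the lecture, the IT Act or any Certifying Authority. It assumes ECDSA over the P-256 curve with SHA-256 as the hash function; the Certificate and CertStatus types, the function names and the sample record are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// CertStatus is a hypothetical type for this example, mirroring the states the
// Act distinguishes: in force, suspended (s.37) or revoked (s.38).
type CertStatus int

const (
	Active CertStatus = iota
	Suspended
	Revoked
)

// Certificate is a minimal stand-in for a Digital Signature Certificate: it
// binds the subscriber's name to a public key for a validity window.
type Certificate struct {
	Subscriber string
	PublicKey  *ecdsa.PublicKey
	NotBefore  time.Time
	NotAfter   time.Time
	Status     CertStatus
}

// GenerateKeyPair is the subscriber's step under s.40: the subscriber, not the
// CA, generates the key pair, so the private key never leaves their control.
func GenerateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign affixes a digital signature: the hash function (SHA-256 here) reduces the
// record to a fixed-length digest, and the digest is signed with the private key.
func Sign(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest and checks the signature with the public key: any
// alteration of the record fails (integrity), and only the private-key holder
// could have produced a passing signature (authentication, non-repudiation).
func Verify(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// KeyPairFunctions is the check behind s.36(c), (cb) and (d): the CA has the
// applicant sign a fresh random challenge and verifies it with the submitted
// public key, which proves possession of the matching private key.
func KeyPairFunctions(claimed *ecdsa.PublicKey, sign func([]byte) ([]byte, error)) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := sign(challenge)
	if err != nil {
		return false, err
	}
	return Verify(claimed, challenge, sig), nil
}

// RelyOn is the relying party's check at the time of verification: the certificate
// must be neither suspended nor revoked and within its validity period, and the
// signature must verify against the certified public key.
func RelyOn(cert *Certificate, record, sig []byte, at time.Time) error {
	switch cert.Status {
	case Suspended:
		return errors.New("certificate suspended (s.37)")
	case Revoked:
		return errors.New("certificate revoked (s.38)")
	}
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	if !Verify(cert.PublicKey, record, sig) {
		return errors.New("signature does not verify against the certified public key")
	}
	return nil
}

func main() {
	priv, _ := GenerateKeyPair()
	ok, _ := KeyPairFunctions(&priv.PublicKey, func(m []byte) ([]byte, error) { return Sign(priv, m) })
	fmt.Println("functioning key pair:", ok) // CA-side check before issuance
	now := time.Now()
	cert := &Certificate{Subscriber: "constructed subscriber", PublicKey: &priv.PublicKey,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	record := []byte("constructed electronic record: pay INR 100 to X") // sample input
	sig, _ := Sign(priv, record)
	fmt.Println("valid:", RelyOn(cert, record, sig, now))
	fmt.Println("altered:", RelyOn(cert, []byte("constructed electronic record: pay INR 1000 to X"), sig, now))
	cert.Status = Revoked // s.41(2): compromise reported, CA revokes under s.38
	fmt.Println("after revocation:", RelyOn(cert, record, sig, now))
}
```

The CA never receives the private key: KeyPairFunctions only asks the applicant to sign a challenge the CA chose, which is what lets the CA make the s.36 representations honestly. RelyOn takes the verification time as a parameter because s.14 ties the secure status of a record to the period up to the time of verification, and a certificate that was fine when the record was signed may have been suspended or revoked since.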
Section 39
Section 40-42
Steps to Become Subscriber
The word ‘subscriber’ means a person who has paid subscription amount to avail
some kind of service.
Approach LRA- Fill application according to the class of DSC and enter into
the ‘CA-Subscriber’ Agreement- generate key pair- verification by LRA-
Forwarded to CA who generates DSC- download DSC- Subscriber verifies
and accepts- CA publishes in its repository.
Section 40 and 40A
Where any Digital Signature Certificate, the public key of which corresponds to
the private key of that subscriber which is to be listed in the Digital Signature
Certificate, has been accepted by a subscriber, the subscriber shall generate that
key pair by applying the security procedure.
In respect of Electronic Signature Certificate the subscriber shall perform such
duties as may be prescribed
Duties- Section 41
(1) Every subscriber shall exercise reasonable care to retain control of the private
key corresponding to the public key listed in his Digital Signature Certificate and
take all steps to prevent its disclosure.
(2) If the private key corresponding to the public key listed in the Digital
Signature Certificate has been compromised, then, the subscriber shall
communicate the same without any delay to the Certifying Authority in such
manner as may be specified by the regulations.
Explanation.–For the removal of doubts, it is hereby declared that the subscriber
shall be liable till he has informed the Certifying Authority that the private key
has been compromised.