
LEGAL RECOGNITION AND AUTHENTICATION OF ELECTRONIC RECORDS
MS. KRITI PARASHAR
Contents

 UNCITRAL Model Law on Electronic Commerce, and E-signatures (1996 and 2001);

 Legal Recognition under IT Act (ss. 4-5);

 Authentication of records (s.3); Digital signature (functional equivalent of paper-based signatures), s.2(1)(p);
Function (confidentiality, authentication, integrity and non-repudiation); Authentication by use of asymmetric
crypto system (s.2(1)(f)), Key pair (s.2(1)(x)), Private key (s.2(1)(zc)), Public key (s.2(1)(zd)), Hash function (s.3),
Electronic signatures (ss. 2(1)(ta) and 3A), Affixing electronic signature (s.2(1)(d)); Secure electronic record (s.14)
and Secure electronic signature (s.15); s.85B(2)(a);

 The Evidence Act, 1872 (Presumptions to electronic record and electronic signatures);

 Ss. 67A and 73A of the Evidence Act, 1872 (proof as to electronic signature and proof of verification of digital
signatures);

 Public key infrastructure and Hierarchy (ss.17-26); Role of certifying authorities, Electronic signature certificates,
its suspension and revocation (ss.2(tb), 35-42);

 Originator, addressee, Attribution, Acknowledgment and Dispatch of Electronic Records (ss. 11-13)
UNCITRAL Model Law on E-Commerce

 The progressive harmonization and unification of the law of international trade and
in that respect to bear in mind the interests of all peoples, in particular those of
developing countries, in the extensive development of international trade.
 Noting that an increasing number of transactions in international trade are carried
out by means of electronic data interchange and other means of communication,
commonly referred to as “electronic commerce”, which involve the use of
alternatives to paper-based methods of communication and storage of information.
 Believing that the adoption of the Model Law on Electronic Commerce by the
Commission will assist all States significantly in enhancing their legislation
governing the use of alternatives to paper-based methods of communication and
storage of information and in formulating such legislation where none currently
exists
Applicability

 This Law** applies to any kind of information in the form of a data message used
in the context*** of commercial**** activities.
 For the purposes of this Law: (a) “Data message” means information generated,
sent, received or stored by electronic, optical or similar means including, but not
limited to, electronic data interchange (EDI), electronic mail, telegram, telex or
telecopy;
 The notion of “data message” is not limited to communication but is also intended
to encompass computer-generated records that are not intended for
communication. Thus, the notion of “message” includes the notion of “record”.
Article 3

 (1) In the interpretation of this Law, regard is to be had to its international origin
and to the need to promote uniformity in its application and the observance of
good faith.
 (2) Questions concerning matters governed by this Law which are not expressly
settled in it are to be settled in conformity with the general principles on which
this Law is based.
Principle of Non-Discrimination

 Article 5 bis. Incorporation by reference (as adopted by the Commission at its
thirty-first session, in June 1998)
 Information shall not be denied legal effect, validity or enforceability solely on the
grounds that it is not contained in the data message purporting to give rise to
such legal effect, but is merely referred to in that data message.
 Article 5 embodies the fundamental principle that data messages should not be
discriminated against, i.e., that there should be no disparity of treatment between
data messages and paper documents. It is intended to apply notwithstanding any
statutory requirements for a “writing” or an original.
Requirement as to Writing

 Article 6. Writing (1) Where the law requires information to be in writing, that
requirement is met by a data message if the information contained therein is
accessible so as to be usable for subsequent reference.
 (2) Paragraph (1) applies whether the requirement therein is in the form of an
obligation or whether the law simply provides consequences for the information
not being in writing.
 (3) The provisions of this article do not apply to the following:
 By establishing a principle of non-discrimination, it is to be construed as making
the domestic rules applicable to incorporation by reference in a paper-based
environment equally applicable to incorporation by reference for the purposes of
electronic commerce.
Purpose of Writing

 The following non-exhaustive list indicates reasons why national laws require the use
of “writings”:
(1) to ensure that there would be tangible evidence of the existence and nature of the intent of the parties to bind themselves;
(2) to help the parties be aware of the consequences of their entering into a contract;
(3) to provide that a document would be legible by all;
(4) to provide that a document would remain unaltered over time and provide a permanent record of a transaction;
(5) to allow for the reproduction of a document so that each party would hold a copy of the same data;
(6) to allow for the authentication of data by means of a signature;
(7) to provide that a document would be in a form acceptable to public authorities and courts;
(8) to finalize the intent of the author of the “writing” and provide a record of that intent;
(9) to allow for the easy storage of data in a tangible form;
(10) to facilitate control and subsequent audit for accounting, tax or regulatory purposes; and
(11) to bring legal rights and obligations into existence in those cases where a “writing” was required for
validity purposes.
Accessibility

 The use of the word “accessible” is meant to imply that information in the form of
computer data should be readable and interpretable, and that the software that
might be necessary to render such information readable should be retained. The
word “usable” is not intended to cover only human use but also computer
processing. As to the notion of “subsequent reference”, it was preferred to
such notions as “durability” or “non-alterability”, which would have
established too harsh standards, and to such notions as “readability” or
“intelligibility”, which might constitute too subjective criteria.
Signature and original

 The requirement that data be presented in written form (which can be described as a “threshold
requirement”) should thus not be confused with more stringent requirements such as “signed writing”,
“signed original” or “authenticated legal act”.
 For example, under certain national laws, a written document that is neither dated nor signed,
and the author of which either is not identified in the written document or is identified by a mere
letterhead, would be regarded as a “writing” although it might be of little evidential weight in
the absence of other evidence (e.g., testimony) regarding the authorship of the document.
 In addition, the notion of unalterability should not be considered as built into the concept of
writing as an absolute requirement since a “writing” in pencil might still be considered a
“writing” under certain existing legal definitions. Taking into account the way in which such issues
as integrity of the data and protection against fraud are dealt with in a paper-based environment, a
fraudulent document would nonetheless be regarded as a “writing”. In general, notions such as
“evidence” and “intent of the parties to bind themselves” are to be tied to the more general issues of
reliability and authentication of the data and should not be included in the definition of a “writing”.
Requirements as to Signature

 Signature (Article 7)
 (1) Where the law requires a signature of a person, that requirement is met in relation to a
data message if:
 (a) a method is used to identify that person and to indicate that person’s approval of the
information contained in the data message; and
 (b) that method is as reliable as was appropriate for the purpose for which the data
message was generated or communicated, in the light of all the circumstances, including
any relevant agreement.
 The concept of a signature adopted in that context is such that a stamp, perforation or even
a typewritten signature or a printed letterhead might be regarded as sufficient to fulfil the
signature requirement. At the other end of the spectrum, there exist requirements that
combine the traditional handwritten signature with additional security procedures such as
the confirmation of the signature by witnesses.
Requirements as Regards Original

 Original (Article 8)
 Where the law requires information to be presented or retained in its original
form, that requirement is met by a data message if:
 (a) there exists a reliable assurance as to the integrity of the information from
the time when it was first generated in its final form, as a data message or
otherwise; and
 (b) where it is required that information be presented, that information is capable
of being displayed to the person to whom it is to be presented.
 Methods for reliability: scanning the document and adding an electronic certificate.
Assessing Integrity of Data

 (3) For the purposes of subparagraph (a) of paragraph (1):


 (a) the criteria for assessing integrity shall be whether the information has
remained complete and unaltered, apart from the addition of any endorsement
and any change which arises in the normal course of communication, storage and
display; and
 (b) the standard of reliability required shall be assessed in the light of the purpose
for which the information was generated and in the light of all the relevant
circumstances.
 Examples of documents that might require an “original” are trade documents such as
weight certificates, agricultural certificates, quality or quantity certificates,
inspection reports, insurance certificates, etc. While such documents are not
negotiable or used to transfer rights or title, it is essential that they be transmitted
unchanged, that is in their “original” form, so that other parties in international
commerce may have confidence in their contents. In a paper-based environment, these
types of document are usually only accepted if they are “original” to lessen the chance
that they be altered, which would be difficult to detect in copies. Various technical
means are available to certify the contents of a data message to confirm its
“originality”. Without this functional equivalent of originality, the sale of goods using
electronic commerce would be hampered since the issuers of such documents would
be required to retransmit their data message each and every time the goods are sold, or
the parties would be forced to use paper documents to supplement the electronic
commerce transaction.
Evidentiary Value

 Article 9. Admissibility and evidential weight of data messages


 (1) In any legal proceedings, nothing in the application of the rules of evidence
shall apply so as to deny the admissibility of a data message in evidence:
 (a) on the sole ground that it is a data message; or,
 (b) if it is the best evidence that the person adducing it could reasonably be
expected to obtain, on the grounds that it is not in its original form.
 (2) Information in the form of a data message shall be given due evidential weight.
In assessing the evidential weight of a data message, regard shall be had to the
reliability of the manner in which the data message was generated, stored or
communicated, to the reliability of the manner in which the integrity of the
information was maintained, to the manner in which its originator was identified,
and to any other relevant factor.
Formation of Contract

 Article 11. Formation and validity of contracts


 (1) In the context of contract formation, unless otherwise agreed by the parties,
an offer and the acceptance of an offer may be expressed by means of data
messages. Where a data message is used in the formation of a contract, that
contract shall not be denied validity or enforceability on the sole ground that a
data message was used for that purpose.
 Data messages expressing offer and acceptance are generated by computers
without immediate human intervention.
 Requirements for a notary and other measures protecting the parties may be listed as exclusions.
Article 13. Attribution of data messages: whether the originator sent the message.
Article 14. Acknowledgement of receipt

 For example, where an originator sends an offer in a data message and requests
acknowledgement of receipt, the acknowledgement of receipt simply evidences
that the offer has been received. Whether or not sending that acknowledgement
amounted to accepting the offer is not dealt with by the Model Law but by
contract law outside the Model Law.
 For example, where the originator sent a data message which under the agreement
between the parties had to be received by a certain time, and the originator
requested an acknowledgement of receipt, the addressee could not deny the
legal effectiveness of the message simply by withholding the requested
acknowledgement.
Article 15. Time and place of dispatch and
receipt of data messages
 Art. 15(1). The dispatch of a data message occurs when it enters an information
system outside the control of the originator or of the person who sent the data
message on behalf of the originator.
 Time
 (2) Unless otherwise agreed between the originator and the addressee, the time of
receipt of a data message is determined as follows: (a) if the addressee has
designated an information system for the purpose of receiving data messages,
receipt occurs: (i) at the time when the data message enters the designated
information system; or (ii) if the data message is sent to an information system of the
addressee that is not the designated information system, at the time when the data
message is retrieved by the addressee; (b) if the addressee has not designated an
information system, receipt occurs when the data message enters an information
system of the addressee.
Place of Business

 Place
 (4) Unless otherwise agreed between the originator and the addressee, a data
message is deemed to be dispatched at the place where the originator has its
place of business, and is deemed to be received at the place where the
addressee has its place of business.
 For the purposes of this paragraph: (a) if the originator or the addressee has more
than one place of business, the place of business is that which has the closest
relationship to the underlying transaction or, where there is no underlying
transaction, the principal place of business; (b) if the originator or the addressee
does not have a place of business, reference is to be made to its habitual
residence.
Article 17

 (3) If a right is to be granted to, or an obligation is to be acquired by, one person
and no other person, and if the law requires that, in order to effect this, the right or
obligation must be conveyed to that person by the transfer, or use of, a paper
document, that requirement is met if the right or obligation is conveyed by
using one or more data messages, provided that a reliable method is used to
render such data message or messages unique.
 (4) For the purposes of paragraph (3), the standard of reliability required shall be
assessed in the light of the purpose for which the right or obligation was conveyed
and in the light of all the circumstances, including any relevant agreement.
Rule against Paper Transactions

 (5) Where one or more data messages are used to effect any action in
subparagraphs (f) and (g) of article 16, no paper document used to effect any
such action is valid unless the use of data messages has been terminated and
replaced by the use of paper documents. A paper document issued in these
circumstances shall contain a statement of such termination. The replacement of
data messages by paper documents shall not affect the rights or obligations of the
parties involved.
Will

 Article 12
 (1) As between the originator and the addressee of a data message, a declaration
of will or other statement shall not be denied legal effect, validity or enforceability
solely on the grounds that it is in the form of a data message.
 Legality of a digital will or a video recording of a will in India: Section 68 of the
Indian Evidence Act, 1872 and Section 63 of the Indian Evidence Act, 1925.
 SAYAR KUMARI VS. STATE AND ORS. (09.10.2009 - DELHC)
 The Supreme Court has in State of Maharashtra v. Prafull B. Desai (2003)
recognized in principle, although in the context of a trial, that
evidence by way of video recording is admissible.
UNCITRAL Model Law on Electronic Signatures
 Mindful of the great utility of new technologies used for personal identification in
electronic commerce and commonly referred to as electronic signatures,
 Desiring to build on the fundamental principles underlying article 7 of the Model
Law on Electronic Commerce with respect to the fulfilment of the signature
function in an electronic environment, with a view to promoting reliance on
electronic signatures for producing legal effect where such electronic signatures
are functionally equivalent to handwritten signatures, Convinced that legal
certainty in electronic commerce will be enhanced by the harmonization of certain
rules on the legal recognition of electronic signatures on a technologically neutral
basis and by the establishment of a method to assess in a technologically neutral
manner the practical reliability and the commercial adequacy of electronic
signature techniques
Article 1

 This Law applies where electronic signatures are used in the context* of
commercial** activities. It does not override any rule of law intended for the
protection of consumers.
Electronic Signature

 (a) “Electronic signature” means data in electronic form in, affixed to or logically
associated with, a data message, which may be used to identify the signatory in
relation to the data message and to indicate the signatory’s approval of the
information contained in the data message;
 (b) “Certificate” means a data message or other record confirming the link
between a signatory and signature creation data;
 (d) “Signatory” means a person that holds signature creation data and acts either
on its own behalf or on behalf of the person it represents
Article 3. Equal treatment of signature
technologies
 Nothing in this Law, except article 5, shall be applied so as to exclude, restrict or
deprive of legal effect any method of creating an electronic signature that
satisfies the requirements referred to in article 6, paragraph 1, or otherwise
meets the requirements of applicable law.
Requirements as Regards Signature

 Article 6. Compliance with a requirement for a signature


 1. Where the law requires a signature of a person, that requirement is met in
relation to a data message if an electronic signature is used that is as reliable as
was appropriate for the purpose for which the data message was generated or
communicated, in the light of all the circumstances, including any relevant
agreement.
 3. An electronic signature is considered to be reliable for the purpose of satisfying
the requirement referred to in paragraph 1 if:
 (a) The signature creation data are, within the context in which they are used,
linked to the signatory and to no other person;
 (b) The signature creation data were, at the time of signing, under the control of
the signatory and of no other person;
 (c) Any alteration to the electronic signature, made after the time of signing,
is detectable; and
 (d) Where a purpose of the legal requirement for a signature is to provide
assurance as to the integrity of the information to which it relates, any alteration
made to that information after the time of signing is detectable.
 Article 7
 1. [Any person, organ or authority, whether public or private,
specified by the enacting State as competent] may determine
which electronic signatures satisfy the provisions of article 6
of this Law.
Certifying Authorities
Liability of the Signatory with respect to Electronic Signatures - Article 8
 1. Where signature creation data can be used to create a signature that has legal
effect, each signatory shall:
 (a) Exercise reasonable care to avoid unauthorized use of its signature creation
data;
 (b) Without undue delay, utilize means made available by the certification service
provider pursuant to article 9 of this Law, or otherwise use reasonable efforts, to
notify any person that may reasonably be expected by the signatory to rely on or to
provide services in support of the electronic signature if:
 (i) The signatory knows that the signature creation data have been compromised; or
 (ii) The circumstances known to the signatory give rise to a substantial risk that the
signature creation data may have been compromised
 4. Paragraph 3 does not limit the ability of any person:
 (a) To establish in any other way, for the purpose of satisfying the requirement
referred to in paragraph 1, the reliability of an electronic signature; or
 (b) To adduce evidence of the non-reliability of an electronic signature.
Article 8

 Duty to take reasonable care - Certifying Authority
 To ascertain the genuineness of identity and trustworthiness.
Article 11. Conduct of the relying party

 A relying party shall bear the legal consequences of its failure:


 (a) To take reasonable steps to verify the reliability of an electronic signature;
or
 (b) Where an electronic signature is supported by a certificate, to take reasonable
steps:
 (i) To verify the validity, suspension or revocation of the certificate; and
 (ii) To observe any limitation with respect to the certificate.
 (b) The circumstances known to the signatory give rise to a substantial risk that
the signature creation data may have been compromised;
 (c) Where a certificate is used to support the electronic signature, exercise
reasonable care to ensure the accuracy and completeness of all material
representations made by the signatory that are relevant to the certificate
throughout its life cycle or that are to be included in the certificate.
 2. A signatory shall bear the legal consequences of its failure to satisfy the
requirements of paragraph 1.
E-Signatures outside enacting State-
Article 12
 2. A certificate issued outside [the enacting State] shall have the same legal effect
in [the enacting State] as a certificate issued in [the enacting State] if it offers a
substantially equivalent level of reliability.
 3. An electronic signature created or used outside [the enacting State] shall have
the same legal effect in [the enacting State] as an electronic signature created or
used in [the enacting State] if it offers a substantially equivalent level of
reliability.
Role of UNCITRAL Model Laws

 United Nations Commission on International Trade Law
 Can the UNCITRAL Model Law on Electronic Commerce be an external aid to
interpretation?
 Konkan Railway Corporation v. Rani Construction (2002) 2 SCC 388
 ‘UNCITRAL Model Law (on international arbitration) was only taken into
account in drafting of the Arbitration Act, 1996. The Act and Model Law are not
identically drafted…. The Model Law and judgments and literature thereon
are, therefore, not a guide to interpretation of the Act.’
Legal Recognition under IT Act

 Authentication of records (s.3)
 Digital signature (functional equivalent of paper-based signatures), s.2(1)(p);
Function (confidentiality, authentication, integrity and non-repudiation);
 Authentication by use of asymmetric crypto system (s.2(1)(f)), Key pair
(s.2(1)(x)), Private key (s.2(1)(zc)), Public key (s.2(1)(zd)), Hash function (s.3),
 Electronic signatures (ss. 2(1)(ta) and 3A), Affixing electronic signature
(s.2(1)(d));
 Secure electronic record (s.14) and Secure electronic signature (s.15);
s.85B(2)(a)
 Security and Encryption
 Asymmetric Cryptography- Public and Private Key
 Hash function: a function mapping input data to a fixed-size value (the hash value), which can be
used to retrieve the data in constant time.
Authentication of records (s.3)

 3. Authentication of electronic records.–(1) Subject to the provisions of this section any
subscriber may authenticate an electronic record by affixing his digital signature.
 (2) The authentication of the electronic record shall be effected by the use of asymmetric crypto
system and hash function which envelop and transform the initial electronic record into
another electronic record.
 Explanation.–For the purposes of this sub-section, “hash function” means an algorithm mapping
or translation of one sequence of bits into another, generally smaller, set known as “hash result”
such that an electronic record yields the same hash result every time the algorithm is executed with
the same electronic record as its input, making it computationally infeasible (a) to derive or
reconstruct the original electronic record from the hash result produced by the algorithm; (b) that
two electronic records can produce the same hash result using the algorithm.
 (3) Any person by the use of a public key of the subscriber can verify the electronic record.
 (4) The private key and the public key are unique to the subscriber and constitute a functioning
key pair.
 Section 2(1)(zg) “subscriber” means a person in whose name the [electronic
signature] Certificate is issued;
 Section 2(1)(p) “digital signature” means authentication of any electronic record
by a subscriber by means of an electronic method or procedure in accordance with
the provisions of section 3;
 Section 2(1)(f) “asymmetric crypto system” means a system of a secure key pair
consisting of a private key for creating a digital signature and a public key to
verify the digital signature;
 In symmetric cryptography a single secret key is used for both encryption
and decryption of the message, whereas in asymmetric cryptography
encryption and decryption are done by an asymmetric key pair consisting of a
public and a private key.
 Irreversibility
 Many people may know the public key and may use it to verify, but they cannot forge
the document because the private key is not disclosed.
 Section 2(1)(x) “key pair”, in an asymmetric crypto system, means a private key
and its mathematically related public key, which are so related that the public key
can verify a digital signature created by the private key;
 (zc) “private key” means the key of a key pair used to create a digital signature;
 (zd) “public key” means the key of a key pair used to verify a digital signature
and listed in the Digital Signature Certificate;
 (u) “function”, in relation to a computer, includes logic, control, arithmetical
process, deletion, storage and retrieval and communication or telecommunication
from or within a computer;
 Functional Equivalent Approach to notions of writing, signature and original of
traditional paper-based requirements.
 confidentiality, authentication, integrity and non-
repudiation.
 Message protection and data encryption.
Secured Electronic Record

 14. Secure electronic record.—Where any security procedure has been applied to an
electronic record at a specific point of time, then such record shall be deemed to be a secure
electronic record from such point of time to the time of verification.
 15. Secure electronic signature.—An electronic signature shall be deemed to be a secure
electronic signature if— (i) the signature creation data, at the time of affixing signature,
was under the exclusive control of signatory and no other person; and (ii) the signature
creation data was stored and affixed in such exclusive manner as may be prescribed.
Explanation.–In case of digital signature, the “signature creation data” means the private
key of the subscriber.
 16. Security procedures and practices.—The Central Government may, for the purposes of
sections 14 and 15, prescribe the security procedures and practices: Provided that in
prescribing such security procedures and practices, the Central Government shall have
regard to the commercial circumstances, nature of transactions and such other related
factors as it may consider appropriate.
Presumptions to Electronic Record and
Electronic Signature
 S.67A and 73A the Evidence Act, 1872 (Proof as to
electronic signature and proof of verification of digital
signatures)
 67A. Proof as to electronic signature–– Except in the case of a secure electronic
signature, if the electronic signature of any subscriber is alleged to have been
affixed to an electronic record the fact that such electronic signature is the
electronic signature of the subscriber must be proved.
 The burden of proof arises where the signature was not affixed as per a security procedure
(i.e. where it is not a secure electronic signature).
Verification of Digital Signature

 73A. Proof as to verification of digital signature. –– In order to ascertain whether
a digital signature is that of the person by whom it purports to have been affixed,
the Court may direct ––
 (a) that person or the Controller or the Certifying Authority to produce the
Digital Signature Certificate;
 (b) any other person to apply the public key listed in the Digital Signature
Certificate and verify the digital signature purported to have been affixed by
that person.
 Explanation. –– For the purposes of this section, “Controller” means the
Controller appointed under sub-section (1) of section 17 of the Information
Technology Act, 2000 (21 of 2000)
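As an added example (not part of these slides, the Act or any Certifying Authority's software), the following Go program models the mechanism s.3 describes and the checks s.73A and Article 11 of the Model Law on Electronic Signatures expect of a relying party: the record is reduced to a hash result, the hash result is signed with the private key, and anyone holding the public key listed in the certificate can verify it, provided the certificate is within its validity period and neither suspended nor revoked at the time of reliance. SHA-256, ECDSA over P-256 and the simplified certificate struct are assumptions; the Act names no algorithm, and real Digital Signature Certificates are X.509 documents issued by a licensed CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// hashResult is the "hash function" of the Explanation to s.3(2): the same
// record always yields the same fixed-size hash result, and it is infeasible
// to recover the record from it or to find a second record with the same
// result. SHA-256 is assumed; the Act names no algorithm.
func hashResult(record []byte) []byte {
	sum := sha256.Sum256(record)
	return sum[:]
}

// NewKeyPair creates the key pair of s.2(1)(x) (ECDSA over P-256 assumed).
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Authenticate is s.3(1)-(2): the subscriber affixes a digital signature by
// signing the hash result of the record with the private key.
func Authenticate(record []byte, priv *ecdsa.PrivateKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, hashResult(record))
}

// VerifyRecord is s.3(3): any person holding only the public key can verify
// the signature. Any change to the record changes its hash result, so
// alteration after signing is detectable (Article 6(3)(d) of the Model Law).
func VerifyRecord(record, sig []byte, pub *ecdsa.PublicKey) bool {
	return ecdsa.VerifyASN1(pub, hashResult(record), sig)
}

// DigitalSignatureCertificate is a constructed stand-in for the certificate
// s.73A refers to: it lists the subscriber's public key (s.2(1)(zd)) and the
// status a relying party must check under Article 11.
type DigitalSignatureCertificate struct {
	Subscriber string
	PublicKey  *ecdsa.PublicKey
	NotBefore  time.Time
	NotAfter   time.Time
	Suspended  bool
	RevokedAt  *time.Time // nil while the certificate has not been revoked
}

var (
	ErrNotYetValid = errors.New("certificate not yet valid")
	ErrExpired     = errors.New("certificate expired")
	ErrSuspended   = errors.New("certificate suspended")
	ErrRevoked     = errors.New("certificate revoked")
	ErrBadSig      = errors.New("digital signature does not verify")
)

// RelyingPartyVerify performs the Article 11 steps before relying on a
// signature: check validity, suspension and revocation of the certificate at
// the time of reliance, then apply the listed public key (s.73A(b)).
func RelyingPartyVerify(record, sig []byte, cert DigitalSignatureCertificate, at time.Time) error {
	switch {
	case at.Before(cert.NotBefore):
		return ErrNotYetValid
	case at.After(cert.NotAfter):
		return ErrExpired
	case cert.Suspended:
		return ErrSuspended
	case cert.RevokedAt != nil && !at.Before(*cert.RevokedAt):
		return ErrRevoked
	}
	if !VerifyRecord(record, sig, cert.PublicKey) {
		return ErrBadSig
	}
	return nil
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample record: a trade document of the kind Article 8 expects
	// to reach the other party unchanged.
	record := []byte("Quality certificate, lot 42: 500 units conforming")
	sig, _ := Authenticate(record, priv) // error only on RNG failure
	now := time.Now()
	cert := DigitalSignatureCertificate{
		Subscriber: "example subscriber", PublicKey: &priv.PublicKey,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	fmt.Println("unaltered record:", RelyingPartyVerify(record, sig, cert, now))
	altered := []byte("Quality certificate, lot 42: 5000 units conforming")
	fmt.Println("altered record:", RelyingPartyVerify(altered, sig, cert, now))
	revokedAt := now.Add(-time.Minute)
	cert.RevokedAt = &revokedAt
	fmt.Println("revoked certificate:", RelyingPartyVerify(record, sig, cert, now))
}
```

The revocation check compares the time of reliance with the revocation time, so a signature relied upon before the certificate was revoked still verifies, which is the distinction s.38 and Article 11(b)(i) turn on.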
Certifying Authorities

 Public key infrastructure and Hierarchy (ss. 17-26);
 Role of certifying authorities, Electronic Signature Certificates,
their suspension and revocation (ss. 2(1)(tb), 35-42);
Public Key Infrastructure and Hierarchy

 Trusted third parties who not only authenticate digital signatures but also
dispense public keys.
 Section 17. Appointment of Controller and other officers.
 Controller of Certifying Authority
 Appoint such number of Deputy Controllers, Assistant Controllers, other officers
and employees.
 Central Government- Controller-Deputy- Assistant Controllers.
 Three wings – Technology, Finance and Legal, Investigation.
 Nov 1, 2000 CCA appointed.
 A Certifying Authority has to obtain a licence from the ‘root’ Certifying Authority (the Controller),
and the issuing authority's signature can be verified against the Controller's.
 A PKI system is more than a superior-subordinate relationship; it is a set of
policies.
 IT (Certifying Authority) Rules, 2000 and IT (Certifying Authority)
Regulations, 2001
 Certification Practice Statement read along.
Role of Certifying Authorities

 Hierarchy diagram: Controller; Repository; Parties (Certifying Authority, Subscriber, Relying Party)


Section 18 Functions of Controller

 (a) exercising supervision over the activities of the Certifying Authorities; (Half
yearly and quarterly audit and report- Rule 31 of 2000 rules)
 (b) certifying public keys of the Certifying Authorities; (Root Certifying
Authority of India to certify all CAs, issue and revoke license- They generate
a public and private key and submit to controller- Rule 20 2001 Rules)
 (c) laying down the standards to be maintained by the Certifying Authorities;
(Regulation 4 of 2001- Directory, form and size, certificates, etc.)
 (d) specifying the qualifications and experience which employees of the
Certifying Authority should possess;
 (e) specifying the conditions subject to which the Certifying Authorities shall
conduct their business;
 (f) specifying the contents of written, printed or visual materials and
advertisements that may be distributed or used in respect of a electronic signature
Certificate and the public key; (Absence of guidelines for Electronic
Signatures)
 (g) specifying the form and content of a electronic signature Certificate and the
key;
 (h) specifying the form and manner in which accounts shall be maintained by the
Certifying Authorities;
 (i) specifying the terms and conditions subject to which auditors may be
appointed and the remuneration to be paid to them; (Rules 31 and 32 of the 2000
IT Rules: auditors check the adequacy of security policies, physical security and the
evaluation of functionaries)
 (j) facilitating the establishment of any electronic system by a Certifying Authority either solely or
jointly with other Certifying Authorities and regulation of such systems;
 (k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the
subscribers; (Certification Practice Statement)
 (l) resolving any conflict of interests between the Certifying Authorities and the subscribers;
(the CCA can mediate between CAs and subscribers directly or through an arbitrator; under Rule 12 of the IT
Rules, 2000 a dispute is referred to the Controller for arbitration or resolution)
 A.K. Kraipak v. Union of India: 'The dividing line between an administrative and a quasi-judicial body is
quite thin and is being gradually obliterated. The nature of the functions has to be looked into.'
 (m) laying down the duties of the Certifying Authorities;
 (n) maintaining a data base containing the disclosure record of every Certifying Authority
containing such particulars as may be specified by regulations, which shall be accessible to public.
Controller to issue license

 Section 19 – The Controller may, with the previous approval of the Central Government, recognise
foreign certifying authorities.
 Section 21 – Any person may apply to the Controller for a licence to issue electronic signature
certificates if they fulfil the requirements as to qualification, expertise, manpower, financial resources,
etc. A licence is valid for a prescribed period (normally five years) and is not transferable or heritable.
 Section 22 Making Application
 Section 23 Applying for renewal of license
Rejection of Application to License

 Section 24 – The Controller may, on receipt of an application under sub-section (1) of section 21,
after considering the documents accompanying the application and such other factors as he deems fit,
grant the licence or reject the application:
 Provided that no application shall be rejected under this section unless the
applicant has been given a reasonable opportunity of presenting his case.
(Aspect of Natural Justice)
Revocation of License

 Section 25
 (1) The Controller may, if he is satisfied after making such inquiry, as he may think fit, that
a Certifying Authority has—
 (a) made a statement in, or in relation to, the application for the issue or renewal of the
licence, which is incorrect or false in material particulars;
 (b) failed to comply with the terms and conditions subject to which the licence was granted;
 (c) failed to maintain the procedures and standards specified in section 30; (Reliability,
security, repository, publication requirements)
 (d) contravened any provisions of this Act, rule, regulation or order made thereunder,
revoke the licence:
 Provided that no licence shall be revoked unless the Certifying Authority has been
given a reasonable opportunity of showing cause against the proposed revocation.
Suspension of License

 (2) The Controller may, if he has reasonable cause to believe that there is any
ground for revoking a licence under sub-section (1), by order suspend such
licence pending the completion of any enquiry ordered by him:
 Provided that no licence shall be suspended for a period exceeding ten days
unless the Certifying Authority has been given a reasonable opportunity of
showing cause against the proposed suspension.
 (3) No Certifying Authority whose licence has been suspended shall issue any
electronic signature Certificate during such suspension.
 Notice of Revocation of License is issued under Section 26.
Electronic Signature Certificates (S.35-42)

 The PKI system at present is based on digital signatures.
 A Digital Signature Certificate is issued by a licensed certifying authority, based primarily on its
Certification Practice Statement (CPS).

STEPS
CCA licenses the CA - application for a Digital Signature Certificate - validation of the
application - issue of certificate - acceptance of certificate - use of certificate -
suspension or revocation of certificate - certificate expiration.
Section 35

(1) Any person may make an application to the Certifying Authority for the issue of an electronic
signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand
rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be prescribed for
different classes of applicants.
(3) Every such application shall be accompanied by a certification practice statement or where there is
no such statement, a statement containing such particulars, as may be specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration
of the certification practice statement or the other statement under sub-section (3) and after making such
enquiries as it may deem fit, grant the electronic signature Certificate or for reasons to be recorded in
writing, reject the application:
Provided that no application shall be rejected unless the applicant has been given a reasonable
opportunity of showing cause against the proposed rejection.
Classes of Certificates – Sec 35(2)

 Though the Central Government has fixed an upper limit on the fee (not exceeding Rs. 25,000), it has
left the certifying authorities free to charge different fees from different classes of applicants.
 Classes of Certificates: each class provides a different level of trust.

Class 1
 Use: primarily for web browsing and personal e-mail, to enhance the security environment.
 Assurance: provides the lowest level of assurance of all TCS-CA certificates.
 Identity check: certificates confirm that the user's name and e-mail address form an unambiguous
subject name within the CA repository.

Class 2
 Use: primarily for an organization's functional and administrative needs.
 Assurance: the verification process is less rigorous than for Class 3 certificates.
 Identity check: the head of the organization or his/her nominee is given a digital certificate to
initiate the process for issuing further certificates; he/she/it in turn requests the CA to issue the
other certificates.

Class 3
 Use: primarily for certain e-commerce applications such as electronic banking, EDI and
membership-based online services.
 Assurance: the validation procedures provide stronger assurance of an applicant's identity than
Class 2 certificates.
 Identity check: these certificates require assurance of the subscriber's identity through physical
appearance before the LRA (Local Registration Authority); all personal details such as PAN, passport,
etc. are verified.
Certification Practice Statement - Sec 35(3)
 Certificate practice statement or a statement containing particulars as may be
specified by the regulations needs to be submitted.
Section 36- Representations upon issuance of
Digital Signature Certificate
 A Certifying Authority, while issuing a Digital Signature Certificate, shall certify that–
 (a) it has complied with the provisions of this Act and the rules and regulations
made thereunder;
 (b) it has published the Digital Signature Certificate or otherwise made it
available to such person relying on it and the subscriber has accepted it;
 (c) the subscriber holds the private key corresponding to the public key, listed
in the Digital Signature Certificate;
 (ca) the subscriber holds a private key which is capable of creating a digital
signature;
 (cb) the public key to be listed in the certificate can be used to verify a digital
signature affixed by the private key held by the subscriber;
 (d) the subscriber's public key and private key constitute a functioning key pair;
 (e) the information contained in the Digital Signature Certificate is accurate; and
 (f) it has no knowledge of any material fact, which if it had been included in the
Digital Signature Certificate would adversely affect the reliability of the
representations in clauses (a) to (d).
Section 37- Suspension of DSC

 The Certifying Authority which issued a Digital Signature Certificate may suspend it (s.37(1)) either
 on request (by the subscriber or a person duly authorised to act on his behalf), or
 if it is of the opinion that the certificate should be suspended in the public interest.
 The Act does not define 'public interest'; the opinion is the Certifying Authority's own, but a
certificate cannot be suspended for more than fifteen days unless the subscriber has been given an
opportunity of being heard (s.37(2)), and the suspension must be communicated to the subscriber (s.37(3)).
Typical grounds on which a DSC is suspended are:
 A) Suspected compromise of the subscriber's private key, reported by the subscriber (see s.42(2)).
 B) Non-payment of fees.
 C) Any suspicion of inaccuracy in the certificate.
Section 38- Revocation of DSC

 (1) A Certifying Authority may revoke a Digital Signature Certificate issued by it:
 where the subscriber or any other person authorised by him makes a request to that effect;
 upon the death of the subscriber; or
 upon the dissolution of the firm or winding up of the company where the subscriber is a firm
or a company.
 (2) Subject to sub-section (3), a Certifying Authority may also revoke a Digital Signature Certificate
issued by it at any time, if it is of the opinion that:
 a material fact represented in the Digital Signature Certificate is false or has been concealed;
 a requirement for issuance of the Digital Signature Certificate was not satisfied;
 the Certifying Authority's private key or security system was compromised in a manner
materially affecting the Digital Signature Certificate's reliability;
 the subscriber has been declared insolvent or dead or, where the subscriber is a firm or a
company, it has been dissolved, wound up or otherwise ceased to exist.
 (3) A Digital Signature Certificate shall not be revoked unless the subscriber has been given
an opportunity of being heard in the matter.
 (4) On revocation, the Certifying Authority shall communicate the same to the subscriber.
Section 39- Notice of suspension or revocation

 Where a DSC is suspended or revoked under s.37 or s.38, the CA shall publish a notice of it in the
repository specified in the certificate for that purpose; where more than one repository is specified, the
notice is published in all of them.
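The chain of trust noted at the start of this section (the Controller's Root CA certifies the licensed CA, which certifies the subscriber), the s.36(c)-(d) representation that the subscriber's public and private keys form a functioning key pair, and the ss.38-39 revocation notice can all be exercised in code. The following is an added example written for this page, not code from the slides or from the CCA's actual PKI: it builds a three-level hierarchy with Go's standard crypto/x509, has a relying party verify the subscriber's certificate back to the root, proves possession of the private key by signing a constructed challenge and verifying it under the certificate's public key, and has the CA publish a CRL naming the subscriber's certificate, which the relying party consults only after verifying the CRL's signature. The names, the one-year validity and the use of ECDSA P-256 are assumptions for illustration; the Indian PKI's actual certificate profiles and repository mechanisms are not modelled. Requires Go 1.19 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is one participant in the hierarchy: its key pair and certificate.
type Entity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue certifies a fresh P-256 key pair under name (an illustrative name); a nil issuer yields a self-signed root.
func issue(name string, isCA bool, issuer *Entity) *Entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), // one-year validity is an assumption
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA { // a CA must be permitted to sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Entity{Key: key, Cert: cert}
}

// BuildHierarchy mirrors Controller's Root CA -> licensed CA -> subscriber.
func BuildHierarchy() (root, ca, sub *Entity) {
	root = issue("Root CA (stand-in for the Controller's Root CA)", true, nil)
	ca = issue("Licensed Certifying Authority (illustrative)", true, root)
	return root, ca, issue("Subscriber (illustrative)", false, ca)
}

// VerifyChain is the relying party's check that the subscriber's certificate chains through the CA to the trusted root.
func VerifyChain(leaf, ca, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// FunctioningKeyPair is s.36(c)-(d) in code: a signature by the claimed private key must verify under the certificate's public key.
func FunctioningKeyPair(priv *ecdsa.PrivateKey, cert *x509.Certificate) bool {
	digest := sha256.Sum256([]byte("proof-of-possession challenge")) // constructed input
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RevokeAndCheck has the CA publish a CRL naming cert's serial, then verifies the CRL against the CA before looking the serial up.
func RevokeAndCheck(ca *Entity, cert *x509.Certificate) (bool, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	check(err) // CA side: publishing the notice
	crl, err := x509.ParseRevocationList(der)
	check(err)
	if err := crl.CheckSignatureFrom(ca.Cert); err != nil {
		return false, err // relying-party side: a CRL the CA did not sign gives no notice
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, ca, sub := BuildHierarchy()
	revoked, err := RevokeAndCheck(ca, sub.Cert)
	fmt.Println(VerifyChain(sub.Cert, ca.Cert, root.Cert), FunctioningKeyPair(sub.Key, sub.Cert), revoked, err)
}
```

Run with go run: the chain verifies only against the root that actually certified the CA, a signature made with any other private key fails the s.36(d) check, and a CRL that does not verify against the issuing CA is refused rather than trusted. A real relying party would fetch the CRL from the repository named in the certificate (s.39) instead of building it locally.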


Related links:

 Guidelines issued by CCA | CCA
 Digital Signature Certificate | PKI Services | eSignatures | eMudhra
 Certificate.Digital - Capricorn Identity Services Pvt. Ltd. - Licensed Certifying Authority
DUTIES OF SUBSCRIBERS

 Section 40-42
Steps to Become Subscriber

 Under s.2(1)(zg) of the IT Act a 'subscriber' is the person in whose name the Electronic Signature
Certificate is issued; the word is not used in its everyday sense of someone who has paid a subscription
for a service.
 Steps: approach the LRA - fill in the application for the relevant class of DSC and enter into the
'CA-Subscriber' agreement - generate the key pair - verification by the LRA - forwarded to the CA, which
generates the DSC - download the DSC - subscriber verifies and accepts it - CA publishes it in its repository.
Section 40 and 40A

 Where any Digital Signature Certificate the public key of which corresponds to
the private key of that subscriber which is to be listed in the Digital Signature
Certificate has been accepted by a subscriber, the subscriber shall generate that
key pair by applying the security procedure.
 In respect of Electronic Signature Certificate the subscriber shall perform such
duties as may be prescribed
Section 41- Acceptance of Digital Signature Certificate

 (1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he
publishes or authorises the publication of a Digital Signature Certificate–
 (a) to one or more persons; (b) in a repository; or otherwise demonstrates his
approval of the Digital Signature Certificate in any manner.
 (2) By accepting a Digital Signature Certificate the subscriber certifies to all who
reasonably rely on the information contained in the Digital Signature Certificate
that– (a) the subscriber holds the private key corresponding to the public key
listed in the Digital Signature Certificate and is entitled to hold the same; (b) all
representations made by the subscriber to the Certifying Authority and all material
relevant to the information contained in the Digital Signature Certificate are true;
(c) all information in the Digital Signature Certificate that is within the knowledge
of the subscriber is true.
Section 42- Control of Private Key

 (1) Every subscriber shall exercise reasonable care to retain control of the private
key corresponding to the public key listed in his Digital Signature Certificate and
take all steps to prevent its disclosure.
 (2) If the private key corresponding to the public key listed in the Digital
Signature Certificate has been compromised, then, the subscriber shall
communicate the same without any delay to the Certifying Authority in such
manner as may be specified by the regulations.
 Explanation.–For the removal of doubts, it is hereby declared that the subscriber
shall be liable till he has informed the Certifying Authority that the private key
has been compromised.
