Digital Certificates are the backbone of the Digital Contract era. The
ITA-2000 has already made electronic contracts authenticated by Digital
Signatures, backed by an appropriately licensed CA, equivalent to written
paper contracts.
It took more than two years after the passage of the ITA-2000 for the Indian
consumer to actually lay his hands on a Digital Certificate. Even then, the
certificates offered by the first CA were prohibitively priced and beyond
the reach of the common man. The second licensed CA seems to have brought
the prices down to a more realistic level, and perhaps some Indian consumers
will now start acquiring Digital Certificates of their own.
However, there still seem to be some bugs in the use of Digital Certificates.
Naavi has already highlighted some concerns about Digital Certificate
usage at www.ceac4india.com. We shall now address yet another point of concern.
It is presumed that Digital Certificates are used for entering into
contracts by signing electronic documents, including e-mails. When a person
receives an electronic document signed with a digital signature, he needs to
verify that the certificate was issued through a genuine process (that is,
that it chains to a licensed CA) and that the certificate has not been revoked.
The requirements for this are that:
1. The root certifying authority's public key must be embedded in
applications such as the browser or the e-mail client, or there must be a
way of installing it through a trusted process;
2. The repository of certificates must be updated to the last second; and
3. The CRL must be updated on the fly.
None of these three requirements is yet fulfilled in India, exposing
the Digital Signature user to the grave risk of relying on a certificate which
may not be valid at the time of signing: a certificate revoked after the last
CRL was published still looks good to anyone checking against that list. This
may lead to accidental problems and also to deliberate frauds.
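The checks a relying party's software has to make are easy to state and worth seeing in code. The following is an added example, not code from the original article or from any Indian CA: using the Python `cryptography` library, it stands up a constructed self-signed root (playing the licensed CA), issues a subscriber certificate, signs two CRLs, and then runs the three checks from the list above (trusted root, authentic and current CRL, revocation status) at a given verification time. The names, serials and dates (certificate revoked 20 April, CRL last issued 1 April, signature checked 10 May) are all constructed for the illustration.

```python
# Relying-party checks on a signer's certificate: trusted root, validity window,
# CRL authenticity, CRL freshness and revocation status. Added example, not the article's code.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DAY = dt.timedelta(days=1)

def _utc(obj, attr):
    """Naive-UTC datetime from either the *_utc accessor (cryptography >= 42)
    or the older naive accessor, so the check runs on either library version."""
    if hasattr(obj, attr + "_utc"):
        return getattr(obj, attr + "_utc").replace(tzinfo=None)
    return getattr(obj, attr)

def make_ca(common_name, now):
    """Self-signed root standing in for a licensed CA (constructed, not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_cert(ca_key, ca_cert, common_name, now):
    """Subscriber certificate signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + 365 * DAY)
            .sign(ca_key, hashes.SHA256()))
    return key, cert

def build_crl(ca_key, ca_cert, last_update, next_update, revoked):
    """CRL signed by the CA; `revoked` is a list of (certificate, revocation date)."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(last_update).next_update(next_update))
    for cert, when in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
            .revocation_date(when).build())
    return builder.sign(ca_key, hashes.SHA256())

def verify_signer_cert(cert, trust_anchors, crl, now, max_crl_age=7 * DAY):
    """Return 'ok' or the name of the first failing check, evaluated at time `now`."""
    # Requirement 1: the issuer must be a root we already trust, and it must
    # actually have signed this certificate (not merely be named in it).
    issuer = next((a for a in trust_anchors if a.subject == cert.issuer), None)
    if issuer is None:
        return "untrusted-issuer"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad-certificate-signature"
    if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
        return "certificate-outside-validity"
    # Requirements 2 and 3: the CRL must be the issuer's own, authentic, and current.
    if crl.issuer != issuer.subject or not crl.is_signature_valid(issuer.public_key()):
        return "bad-crl"
    if now > _utc(crl, "next_update") or now - _utc(crl, "last_update") > max_crl_age:
        return "crl-stale"  # an old list says nothing about today's status
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def scenario():
    """Constructed timeline: certificate issued 1 March, revoked 20 April, signature
    verified 10 May; the only CRL the relying party holds is dated 1 April."""
    ca_key, ca_cert = make_ca("Example Licensed CA", dt.datetime(2003, 1, 1))
    _, subscriber = issue_cert(ca_key, ca_cert, "Subscriber", dt.datetime(2003, 3, 1))
    stale_crl = build_crl(ca_key, ca_cert, dt.datetime(2003, 4, 1), dt.datetime(2003, 4, 8), [])
    fresh_crl = build_crl(ca_key, ca_cert, dt.datetime(2003, 5, 10), dt.datetime(2003, 5, 17),
                          [(subscriber, dt.datetime(2003, 4, 20))])
    may10 = dt.datetime(2003, 5, 10)
    return {
        "before_revocation": verify_signer_cert(subscriber, [ca_cert], stale_crl, dt.datetime(2003, 4, 3)),
        "no_trusted_root": verify_signer_cert(subscriber, [], fresh_crl, may10),
        "stale_crl": verify_signer_cert(subscriber, [ca_cert], stale_crl, may10),
        "fresh_crl": verify_signer_cert(subscriber, [ca_cert], fresh_crl, may10),
        # The trap: a verifier that only asks "is the serial on the list I have?"
        # accepts the revoked certificate, because the stale list predates the revocation.
        "membership_only_accepts": stale_crl.get_revoked_certificate_by_serial_number(
            subscriber.serial_number) is None,
    }

if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The point of `scenario()` is the last two entries: against the 1 April list the revoked certificate passes a bare membership check, and the only thing that stops the relying party from accepting it on 10 May is the freshness rule (`next_update` passed, or the list older than the seven-day `max_crl_age` chosen here to match the weekly reporting cycle). A verifier that fetches the CRL on the fly, as requirement 3 asks, gets the "revoked" answer instead.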
Presently the Government's guidelines prescribe that the CAs submit
weekly statements of Certificates issued and Certificates revoked to the
Controller, and the same is incorporated in the NRDC (National Repository of
Digital Certificates).
As of today, the CRL seems to have been updated only on the first of April,
which means the current list is nearly 40 days old.
This is too high a risk for any user of Digital Certificates to bear, and the
system needs to be improved immediately, before an innocent Digital Signature
user falls into a trap set by a fraudster.
Naavi
May 10,2003