It is two years since ITA-2000 became effective. Since then, Netizens in
India are dreaming about signing E-contracts with Digital Signatures.
The long wait for the Certifying Authorities to become operative was
thought to be over when during the last few months, Safescrypt, IDRBT, NIC and
TCS were declared as licensed Certifying Authorities.
However, as of today, if an individual wants to obtain a digital certificate valid in India, the only options are SafeScrypt and TCS. IDRBT is restricting its activities to Bank employees, while NIC appears to be still getting ready and will probably restrict its activities to Government employees only.
Further, the Netizen is confused about the types of Certificates being offered by the CAs, and the pricing appears unrealistic. Since all the Certifying Authorities use the same terminology for different features they offer, it becomes necessary to examine the types of certificates provided by them and their pricing.
It is also necessary to find answers to questions such as:
* Can we afford a Digital Certificate at Rs 15,000/- per annum?
* Why should the Rs 500/- per year certificate of SafeScrypt be invalid?
* Is there not a case for making simple e-mail verified Certificates valid in law and affordable at a low price, so that the public will get digital certificates at Rs 500/- or Rs 250/- per annum and not at Rs 15,000/- per annum?
SafeScrypt Offers
At present SafeScrypt offers three types of personal certificates
categorized as Class 1, Class 3 and Class C.
Class 1 Certificates:
The SafeScrypt Class 1 Personal Digital Certificate or ID
is the entry-level personal digital certificate. According to the Company,
these certificates enjoy global interoperability as they are recognized as a
valid certificate by any installed browser around the world.
These certificates are issued against proof of having control of a valid e-mail account. For the very same reason, these certificates are recommended primarily for securing e-mail messages.
These certificates cost Rs 500/- per year.
The Company however states as follows:
"Please note that Class 1 Personal Digital IDs do not validate the identity of the subscriber and therefore may not qualify as Persona-verified Digital Signature Certificates under the Indian IT Act 2000".
Class 3 Certificates:
The SafeScrypt Class 3 Personal
Digital Certificate is declared by the Company to be recognized as a
legally valid Digital Signature Certificate that can be used to Sign any
document digitally in lieu of a physical signature in India.
It is issued after what the Company calls a rigorous validation process. The validation process consists of an ID attestation by a Banker. For this purpose the applicant will be required to provide three (3) forms of identification to the Banker, for him to complete the attestation.
They must be in the following format:
a) 1 widely-recognized, government-issued Photo ID such as a Driver's License or
Passport and
b) 2 different types of identification (photo not required) such as a valid national credit card, government-issued ID (voter ID card), employee ID, utility or tax bill, or insurance card.
The types of valid ID that the banker may use to identify the individual can be one or more of the following, and must preferably be a photo ID:
* Driving license
* Passport
* Photo credit card
* Voter ID card
* PAN card
* Employee ID in the case of a public sector or government employee
The Banker is required to examine the three forms of ID presented to him and to enter the details of the same on the Banker Attested Letter.
It is not clear whether the Company has made any arrangement with Bankers to provide such attestation, or whether it passes on any fees to the Bankers.
In all probability, the customer may have to pay a fee to the Banker for the attestation.
SafeScrypt on the other hand charges Rs 15,000/- per annum for the certificate. The total cost to the subscriber is therefore Rs 15,000/- per annum + Bank Charges.
Class C Certificates:
This certificate is similar to the Class 3
certificate except that it is not linked to any international root certificate
and hence may not be recognized outside India.
This certificate costs Rs 5000/- per annum.
Going through the three offerings, if any Indian wants to
hold a digital identity which can empower him to enter into digital contracts on
an international domain, he needs to spend Rs 15,000/- per annum and go through
a procedure which may take a couple of days to complete.
It is extremely doubtful if any Netizen in India considers Rs 15,000/- per annum a reasonable price to pay for a digital identity.
If the Class I certificate available at Rs 500/- per annum is not going to be valid in law, it is better for consumers to look for a Thawte certificate, which can even be obtained free of cost.
The TCS Offers:
TCS also offers three types of Certificates, identified as Class 1, 2 and 3, priced at Rs 500/-, 1000/- and 2000/- per annum for individuals.
All the
certificates are renewable after one year though the Certification Practice Statement of TCS has omitted
to indicate the validity period of Class I certificates.
The validation procedure for Class 1 is e-mail based at both SafeScrypt and TCS. However, unlike SafeScrypt, TCS does not state whether these certificates are invalid in law in India, though it puts the users on guard about the identity not being verified.
While an online application would suffice at
Safescrypt, TCS may require a prior direct or postal contact with the RA even
for Class I certificate.
Class 2 certificate of TCS is issued
to employees of organizations whose head is entrusted with the responsibility of
identification of the applicant as a Registration Authority (RA). These
certificates are issued only for use in the corporate environment of the
employer.
Class 3 certificate is for individuals who are
identified through a physical presence with a RA along with the identification
documents. This is similar to the Class C certificate of SafeScrypt which costs
Rs 5000/-.
TCS offers a "Dual Key" system in which one private-public key pair is used for digital signature and another pair for encryption of the document.
As regards international acceptability, TCS may suffer from its root certificate not being recognized at present by the leading browser/e-mail client applications. Until then, the public trying to verify the validity of the certificate may be presented with an alert message by the application. This problem is not there for SafeScrypt, since its collaborator, M/s VeriSign, has its root certificate embedded in most of the applications. (Hopefully, TCS would also get its root certificate embedded in IE and Netscape.)
The IDRBT Offers:
IDRBT has three offerings at Rs 250/-, Rs 1000/- and Rs 10,000/- per
annum.
The first offering of Rs 250/- corresponds to the Rs 500/- offering of SafeScrypt. IDRBT however certifies that this certificate is valid under ITA-2000.
The renewal fee after a year is as low as Rs 100/-. The renewal fees on the other types of Certificates are also lower than the first year price.
IDRBT certificates will also have
the same problem as TCS in getting its root certificate embedded in
applications.
Hence the digital certificates of IDRBT (both the Rs 1000/- and Rs 10,000/- variety) will be similar to the Class C certificates (Rs 5000/- type) of SafeScrypt. The validation process of IDRBT in the case of Class 2 (Rs 1000/-) would be based on the subscriber sending some documents by mail. The validation process for the Class 3 (IDRBT) certificate of Rs 10,000/- p.a. would be similar to the SafeScrypt Class 3 and Class C certificates, requiring the applicant to physically present himself before a Registration Authority (RA).
The RAs under the IDRBT system are defined to be officials not below the rank of DGM of Banks, FIs and RBI, and would be appointed after a certain process. In practice, it means that a Bank desirous of designating one of its DGMs as an RA should request the appointment from IDRBT.
(It is debatable if the DGMs will be prepared to act as an RA and, if so, whether a brief stint as an RA would be considered as experience relevant for accelerated promotion to the GM cadre. The functioning of an RA has some personally dischargeable responsibilities which most of the DGMs of today may consider an avoidable liability.
Also, the RA responsibility is better discharged as an organizational responsibility, and it would have been better if IDRBT had thought of appointing Banks as RAs rather than DGMs at a personal level. In such a case the concerned bank could have created a suitable cadre of officers capable of discharging the function of identification etc. Unless the ID responsibility is brought down to the Branch Manager's level, the system is likely to be a non-starter.)
IDRBT also offers a "Dual Key" system in which one private-public key pair is used for digital signature and another pair for encryption of the document.
(Since presently the IDRBT Certificates for individuals are issued only to the Employees of Banks, the comparison with SafeScrypt is only for academic purposes.)
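The "Dual Key" arrangement that TCS and IDRBT describe (one key pair for signing, a separate one for encrypting) and the root-embedding problem noted for both of them can be seen together in a short Go program. This is an added example, not code from any of the CAs; the CA, the subscriber certificates and the electronic record are constructed, and the application's trust store is modelled as an in-memory certificate pool.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue certifies pub under parent with the given key usage; a nil parent yields a self-signed root CA.
func issue(cn string, usage x509.KeyUsage, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), // one-year validity
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil {
		parent = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer) // constructed inputs; real issuers check errors
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// DualKeyDemo models a dual-key subscriber (one key pair for signing, a separate pair for encryption, both
// certified by a constructed CA); rootEmbedded models whether the CA root is in the relying application's store.
func DualKeyDemo(rootEmbedded bool) (sigOK, encOK, chainOK bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := issue("Constructed demo CA root", x509.KeyUsageCertSign, &caKey.PublicKey, nil, caKey)
	sigKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	encKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	sigCert := issue("subscriber signing", x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, &sigKey.PublicKey, root, caKey)
	encCert := issue("subscriber encryption", x509.KeyUsageKeyEncipherment, &encKey.PublicKey, root, caKey)
	record := []byte("constructed electronic record")
	digest := sha256.Sum256(record) // Section 3 shape: hash the record, then sign the digest with the signing key
	sig, _ := rsa.SignPKCS1v15(rand.Reader, sigKey, crypto.SHA256, digest[:])
	sigOK = sigCert.CheckSignature(x509.SHA256WithRSA, record, sig) == nil
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, encCert.PublicKey.(*rsa.PublicKey), record, nil)
	pt, _ := rsa.DecryptOAEP(sha256.New(), rand.Reader, encKey, ct, nil) // only the encryption key can decrypt
	roots := x509.NewCertPool()
	if rootEmbedded {
		roots.AddCert(root) // the "embedded root" case; an empty pool is the unrecognized-CA alert case
	}
	_, err := sigCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return sigOK, string(pt) == string(record), err == nil
}
```

Signing and decryption succeed either way; only the chain check depends on whether the root is in the store, which is exactly the alert a relying party sees when a CA's root is not embedded in its application.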
What are the Requisites for a Valid Digital Certificate under ITA-2000:
It is intriguing for a Netizen to note that SafeScrypt says that its E-Mail
certificate (Class I) may not be valid under ITA-2000 while IDRBT states that a
similar certificate issued by it would be valid and TCS is silent in this
respect.
There is a small difference between the different
certificates in the sense that IDRBT says that it will verify the "Postal
Address" besides the e-mail address while SafeScrypt only verifies the e-mail
address for this class of certificate.
Similarly, IDRBT and TCS use the services of RAs, which are not provided for by ITA-2000 though a mention can be found in the Rules. Also, IDRBT and TCS use a dual key system, which was a post-ITA-2000 innovation.
Legal Validity of "Persona Not Verified" E-Mail Digital Certificates:
Let us therefore briefly look at some of the provisions of ITA-2000 to
understand the legal position of Class I E-mail Digital Certificates.
According to ITA-2000, Section 2 (p) and 2 (q),
"Digital Signature" means authentication of any electronic record by a
subscriber by means of an electronic method or procedure in accordance with
the provisions of section 3;
"Digital Signature Certificate" means a Digital Signature Certificate
issued under sub-section (4) of section 35;
According to Section 3,
.. any subscriber may authenticate an electronic record by affixing
his digital signature and such authentication of the electronic record shall
be effected by the use of asymmetric crypto system and hash function which
envelop and transform the initial electronic record into another electronic
record
According to Section 2 (zg), "Subscriber" means a person in whose name the
Digital Signature Certificate is issued.
None of the requirements ITA-2000 lays down for the issue of a Digital Certificate states that address verification is mandatory. The process of verification is entirely left to the Certifying Authority.
In the model Certification Practice Statement provided by
the Ministry of Information Technology, Class I certificate is clearly
identified with the persona not verified e-mail certificate while Class II is
identified with document based verification and Class III is linked to
physical presence of the applicant before the Certifying Authority.
The requirement of an address verification is only a self-imposed condition of the Certifying Authority. If therefore SafeScrypt issues a digital certificate after verifying only the e-mail ID and noting the name as "Persona not validated", it is difficult to say that the Certificate would be invalid.
Rather, the subscriber is making a declaration of his name and is bound by the clauses of punishment envisaged for false information provided (Sections 71 and 73). It is open to the recipient of an e-mail sent under such an ID to either accept or reject the identity based on that digital certificate.
We must also remember that even a "Persona Validated" digital certificate issued by a Certifying Authority not licensed in India would be held invalid under Indian law even though technically it satisfies all the requirements of a legal transaction. It is therefore only fair that if the law provides for issue of digital certificates with "persona not validated", and there are users who want to use it, they must be allowed to use them, since it is only these certificates that come at an affordable price.
Hence SafeScrypt may re-examine whether it is necessary to
declare that their Class I certificates are invalid under ITA-2000. By making
a statement that the certificate is not valid in law, they are putting the
consumers under a sense of doubt as to the validity of such certificates
including those issued by IDRBT.
Is a Digital Certificate a Digital ID or a Non-Digital ID?
While discussing the legal validity of digital
certificates, yet another conceptual dilemma we face is whether
a digital certificate is issued for a digital identity or for a meta society
identity.
If a Digital Certificate is issued for a meta society identity, then is it necessary to link it to an e-mail ID? Can we not give the subscriber the freedom to use the same Digital Certificate with whichever e-mail ID he would like to use? Further, is it not then mandatory that the Digital Certificate contains in its name field the sex, age and address also? (Presently only the name is mandatory.)
On the other hand, if a Digital Certificate is for
certifying the Digital identity of a person in the Cyber World, it is
sufficient to check the validity of only the e-mail ID and issue it without
the validation of the physical identity.
This would then mean that any person entering into a
contractual deal based on such a certificate cannot proceed against the person
in a court of law unless he establishes the link between the e-mail ID
and the physical identity of the person.
If any person tries to obtain a digital certificate in a
false name then the penal provisions of the law should be a sufficient
deterrent and action can be brought on such a person any time even if he does
not commit any fraud.
In the present system, it is possible for two persons to occupy the same physical address either at the same time or at different times (say in a shared accommodation or rented accommodation), but no two persons get the same e-mail ID (unless ISPs change the rule). Hence the digital ID is more unique than the physical ID.
It appears therefore that issuing a digital certificate
without validating the physical address is not a serious flaw that should bar
such certificates from validity.
Hence there is a case for promoting the use of such Certificates so that the public will get digital certificates at Rs 500/- or Rs 250/- per annum and not at Rs 15,000/- per annum. If this requires a clarification or an explanation in ITA-2000 itself, it should be provided at the earliest.
Naavi
December 16, 2002