Let's Build a Responsible Cyber Society



Misconceptions About Electronic Signature

During the recent discussions with several informed members of the public, there appeared to be a widely prevailing misconception about the provision of Section 3A of ITA 2008 regarding "Electronic Signatures".

It appears that people have misinterpreted the term "Electronic Signature" to mean any form of authentication other than "Digital Signatures". Some are speaking as if "Click Wrap" agreements will now be recognized. Some bankers are on the prowl to seize any opportunity to get 2-factor authentication itself recognized as a digital signature, as they tried during the G Gopalakrishna Working Group discussions.

In notifying the Section 43A and Sec 79 rules, the Government has shown that it can try to introduce legislation which is ultra vires the Act and draft the notifications in such a way that they can be misleading and misinterpreted to its convenience. I was alarmed by the revelation that even some organizations such as the PKI forum seem to hold a view which may not be fully correct.

Let's therefore explore this new section introduced in ITA 2008 a little more in detail.

Sec 3A: Electronic Signature

(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which-

(a) is considered reliable; and

(b) may be specified in the Second Schedule.

(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if-

(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person;

(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;

(c) any alteration to the electronic signature made after affixing such signature is detectable;

(d) any alteration to the information made after its authentication by electronic signature is detectable; and

(e) it fulfills such other conditions which may be prescribed.

(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether electronic signature is that of the person by whom it is purported to have been affixed or authenticated.

(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the second schedule;

Provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.

(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.

It is clear from the above that GOI, in trying to make the authentication system "Technology Neutral", introduced Section 3A as an "Enabling Provision" so that new technologies, as and when available, can be used to define additional methods of authentication.

It is, however, necessary that such a new technology be codified into the CPS of a licensed Certifying Authority and Gazette Notified to be added into Schedule II of ITA 2008.

Before such an approval can be given, first by the CCA and then by the Parliament, it is necessary for the electronic signature system to satisfy sub-section (2) of Section 3A.

If the Government tries to introduce any notification which is not in accordance with sub-section (2) of Section 3A, it is likely to be questioned in Courts. The fact that the rules of April 11, 2011 are being challenged both in the Courts as well as in the Parliament itself should be a pointer for the DIT to avoid another confrontation which may lead to the questioning of all the amendments passed in a hurry in the Parliament without any debate.

The first criterion to be satisfied by an "Electronic Signature" is that it should create "Signature Creation Data" and link it to the signatory in such a manner that the linkage is unique and may be proved as not being linked to any other person.

Secondly, such data should be under the control of the signatory and nobody else at the time of signing.

These two criteria correspond to the use of the private key in the encryption of the hash value in the current system of digital signature.

The third criterion to be fulfilled is that any alteration to the electronic signature (we suppose this should mean the document being authenticated) made after affixing such signature is detectable.

This criterion corresponds to the functionality of the "hash algorithm" used in the digital signature system.

Additionally if any other conditions are prescribed, they also shall be fulfilled.

It is clear from the above that for any authentication system to be considered as "Electronic Signature", it must have the two properties represented by the hashing and asymmetric crypto system. There must be a mechanism to identify any change of data after the signature is affixed and some data exclusively under the control of the signer should be part of the signature.

At present there does not seem to be any known technology of this type anywhere in the world other than the PKI based digital signature system. Hence the possibility of any other system being considered as "Electronic Signature" in replacement of digital signature is remote.

The Click Wrap system does not fulfill any of the three conditions mentioned above. Even the SSL system does not satisfy the conditions, as the signer is not in control of an exclusive "key". Two-factor authentication, including the variants which use mobile devices, does not conform to any of these requirements.

If any person is under the illusion that there are legally accepted forms of authentication of electronic documents as an alternative to digital signatures, they are of course mistaken.
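To make the three reliability tests of Sec 3A(2) concrete, and to show why a shared-secret scheme of the kind used in 2-factor authentication fails test (b), here is a small Python illustration. It is an added example, not code from this article or from any Certifying Authority; it assumes a textbook RSA signature over a SHA-256 digest (no PKCS#1 padding, so it is a teaching toy, not a production scheme), a constructed sample document, and an HMAC tag standing in for a shared-secret authenticator.

```python
"""
Toy illustration of the Sec 3A(2) reliability tests (hypothetical, educational code).

Criteria (a)/(b): the signing exponent d is known only to the signatory.
Criteria (c)/(d): SHA-256 binds the signature to the exact bytes signed.
Contrast: an HMAC tag keyed with a secret that the bank also holds can be
produced by the bank itself, so it is not "under the control of the
signatory ... and of no other person".
"""
import hashlib
import hmac
import random
import secrets
from math import gcd

_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (enough for a toy key)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 768):
    """Return ((n, e) public key, (n, d) private key). Toy sizes only."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, m) needs Python 3.8+


def digest(document: bytes) -> int:
    """The hash step: any change to the document changes this value."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(private_key, document: bytes) -> int:
    """The private-key step: only the holder of d can produce this value."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(document)


def shared_secret_tag(shared_key: bytes, document: bytes) -> bytes:
    """Keyed hash as in OTP/2-factor style schemes: every holder of the key can make it."""
    return hmac.new(shared_key, document, hashlib.sha256).digest()


def demo() -> dict:
    """Run each Sec 3A(2) test and the shared-secret contrast; all values should be True."""
    public_key, private_key = generate_keypair()
    document = b"Constructed sample: transfer Rs 10,000 to account X"  # constructed input
    signature = sign(private_key, document)
    tampered = document.replace(b"10,000", b"90,000")
    _, other_private = generate_keypair()          # some other person's key
    results = {
        "genuine_verifies": verify(public_key, document, signature),
        "altered_document_detected": not verify(public_key, tampered, signature),   # (d)
        "altered_signature_detected": not verify(public_key, document, signature ^ 1),  # (c)
        "other_persons_key_rejected": not verify(public_key, document, sign(other_private, document)),  # (a)
    }
    bank_key = secrets.token_bytes(32)             # secret shared by customer and bank
    customer_tag = shared_secret_tag(bank_key, document)
    bank_made_tag = shared_secret_tag(bank_key, document)
    # The verifier can make an identical tag, so (b) is not met by this construction.
    results["verifier_can_forge_shared_secret_tag"] = hmac.compare_digest(customer_tag, bank_made_tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The four signature checks map one-to-one onto clauses (a) to (d): the public key verifies only what the matching private key signed, and SHA-256 makes any change to the document or to the signature itself detectable. The last line of the demo is the contrast the article draws: with a shared secret the verifying party can produce the same tag, so nothing is under the exclusive control of the signer.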

However due to the peculiar decision given by the Adjudicator of Karnataka in one of the judgments, even the validity of digital signatures as a form of legally accepted authentication becomes legally questionable. CCA has not been able to take steps to annul the decision of the Adjudicator and DIT by not appointing a presiding officer for the CAT has prolonged the crisis of authentication unmindful of the consequences on the public.

April 30, 2012

[Comments welcome]