Inconsistencies in the CCA guidelines need to be clarified

Posted on December 20, 2015 by Vijayashankar Na

I recall my earlier article titled “Is it a WhatsApp Moment or Napster Moment for Indian Financial System?”  in which I had pointed out certain doubts about the legality of the new Electronic Signature system that was notified by the Government of India and Controller of Certifying Authorities vide the notification dated 28th January 2015  read with guidelines issued by CCA in June 2015 on the e-Sign process.

(Detailed presentation by CCA on e-sign process)

I have not so far received any response from CCA and hence I am re-iterating some of the points mentioned in that article briefly and request CCA to clarify.

I refer to the “E-authentication guidelines for e-Sign-online Electronic Signature Service”  Version 1.0 issued by CCA on 24th June 2015.

This guideline has been issued in support of the Gazette Notification GSR 61(E) dated 27th January 2015 which the Government made in support of its Digi Locker program which introduced a new “Electronic Signature” system by an addition in the Second Schedule  of ITA 2000/8.

The second schedule introduced the system which it called  “E-authentication Technique using Aadhar e-KYC services”.

Details of Aadhar e-KYC services is at the UIDAI website Under this scheme,  UIDAI acts as an “enabler” by issuing a “digitally signed Govt issued photo ID” in electronic form for KSAs/KUAs supporting paper-less KYC schemes for Aadhaar holders (KSA or KYC Service Agency means  a valid Authentication Service agency with a secure leased line connectivity to UIDAI’s data center who has been approved and has signed the agreement to access KYC API through their network. KUA or KYC User Agency means  a valid Authentication User Agency, which is an organization or an entity using Aadhaar authentication as part of its applications to provide services to residents such as a Bank who has been approved and has signed the agreement to access KYC API.

e-Authentication Service introduced in the second schedule as a valid electronic signature is dependent on the e-KYC service of UIDAI which itself uses the digital signature.

According to the proposed system as described in the GSR 61(E) of 28th January 2015, the application form of a subscriber would be sent by a trusted third party to the Certifying authority for issue of digital certificate. In the case of Digilocker kind of on-line system, the application submission would be an “On-line” process using an API. The details submitted by the subscriber would be verified by the Aadhar e-KYC service.

In this process, an “Undigitally signed” application of the subscriber would be forwarded by the trusted third party to the certifying authority with the aadhar number. The certifying authority would get the digitally signed confirmation of the aadhar information from the aadhar e-KYC service based on which it would proceed to issue the digital certificate. (This will be subsequently consented to online by the subscriber)

The unanswered question is

If the subscriber’s application and consent is done online without a digital signature, what is the validity of the digital signature certificate issued on the basis of such unauthenticated digital submissions?

The detailed procedure for issue of digital certificate is indicated in the CCA guideline of 24th June 2015.

The CCA guideline suggests that the private-public key pair would be generated on a HSM owned by the intermediary (the trusted third party mentioned in the Gazette notification), the private key is stored in the HSM for the validity period of 30 minutes and later destroyed. All these activities are done under systems which are not under the control of the subscriber. Hence it should be considered that the private key has been compromised ab-initio.

Secondly, the authentication process of approval of the application would be based either on “Biometric” or “OTP”. (OTP is presumed to be mobile based or e-mail based). If the approval is based on OTP, it means that the approval of the application form is dependent on the KYC already done by the mobile operator or the e-mail operator. If the e-mail approval is obtained, then there is no authentication for the application form. If the mobile OTP is used, it is as good or bad as the mobile operator’s KYC system.

The CCA circular says that the DSC application form should be electronically generated and programmatically filled up with the data obtained from the e-KYC process. This means that just by submitting the Aadhar number and confirming the OTP, the DSC application gets submitted without an “Digital Signature”. Hence it is an unsigned DSC application that gets the approval of the Certifying authority.

The entire process is a circular mutually authenticating procedure dependent on the KYC of the mobile operator only.

CCA should review this process and confirm if it is in accordance with the provisions of ITA 2000/8.

Naavi

P.S: This note has to be corrected for the notification made on 30th June 2015 [GSR 539(E)] where in the use of hardware module has been deleted from the earlier notification.

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.