In this interview, N Vijayaditya, Controller of Certifying Authorities, points out that central to the growth of e-commerce and e-governance in the country is the issue of trust in the electronic environment. He feels that the future of e-commerce and e-governance depends on the trust that the transacting parties place in the security of transmission and the content of communication. Excerpts:
What role does the Controller of Certifying Authorities play, and why was it set up?
The office of the Controller of Certifying Authorities was established under section 17 of the Information Technology Act 2000 to regulate the Public Key Infrastructure in India. The main functions include licensing of Certifying Authorities (CAs), certifying the public keys of CAs, laying down the standards to be followed by CAs, auditing the operations of CAs, resolving conflicts between a CA and a subscriber, and also facilitating and promoting e-governance and e-commerce applications. Under the IT Act, the licensed CAs issue Digital Signature Certificates to subscribers to enable them to carry out secure electronic transactions.
What concerns does a digital signature address?
In the physical world, one can easily distinguish a copy from the original. Further, when one signs a document, it is legally accepted that he or she fully understands the contents, agrees with them and endorses them. These issues, among others, are addressed with DSCs in cyberspace.
A digital signature is a mechanism in the electronic world which gives legal sanctity to the contents under the IT Act. The use of digital signatures in electronic transactions facilitates the authentication of the transacting parties. Further, it prevents the possibility of fraud being committed, as the digital signature is unique to the document and the signer. An electronic transaction involves communication and authentication of the transacting parties. Verifying a digital signature involves authentication of the signer and confirmation of document integrity. The PKI for digital signatures provides a trustworthy mechanism for ensuring authentication and integrity. The added advantage of PKI is that the signer cannot repudiate a digitally signed transaction.
“The office of the Controller of Certifying Authorities was established under the Information Technology Act 2000 to facilitate and promote e-governance and e-commerce applications.”
Who will be the potential beneficiaries of such a system?
All those users who perform e-commerce and e-governance transactions will benefit from such a system. Such systems offer significant administrative savings without compromising security and legal requirements. The beneficiaries include the service providers as well as the citizens who make use of e-governance services, transacting parties in e-commerce, inter-banking and internet banking transactions, e-tendering systems, medical and health systems, land records and archival systems, education and e-learning systems, the judiciary, law enforcement agencies, etc. In short, any electronic transaction system can be made authentic, reliable and legally tenable.
Today, we are seeing an increasing use of mobile-based transactions, given their role in promoting financial inclusion. What is the CCA's role in this context?
Since the mobile is also a computer, the principles applicable to securing transactions in computer communication systems can also be applied to mobile-based transactions. Certificate-based identity and digital-signature-based integrity can be used in mobile-based transactions as well. The limited computing resources of a mobile can be compensated for by delegating some functions to secured servers.
As far as Internet banking is concerned, today it is mainly taking place in urban environments. But when it comes to remote areas, people do not have good access to servers. The mobile service, which has a very good reach in remote areas, could be an important means to serve this need. To ensure secure mobile-based transactions, the office of CCA has explored various options. A mobile with an additional crypto SIM card, a memory card as a cryptographic token, pre-loaded keys in the SIM card, and proxy SIM cards are some of them. The proxy SIM is found to be more appropriate, as it is independent of Internet service providers and can be issued by application owners like banks or the Government. Further, it can be inserted in any mobile phone. It can be integrated with the SIM card so that users can digitally sign and perform secure electronic transactions.
Can you elaborate on the digital signature standards or mobile standards for banking, etc.?
Trust in electronic transactions is based on the underlying standards and the stringent procedures that are followed. The Information Technology Act has specified standards for digital signatures. These standards are regularly reviewed by the office of CCA. In order to meet emerging technology requirements and to withstand security threats, the CCA adopts standards approved by international bodies. Similarly, obsolete and weakened standards are being phased out in a systematic manner. A uniform standard across e-governance applications is a crucial factor for achieving interoperability.
What steps is the CCA taking to promote e-governance and enable better usage of the government services that are being made available?
As far as e-governance is concerned, the objective is to provide reliable government services anytime and anywhere, at the doorstep of citizens. It has to reach the unreachable. E-governance applications need to verify the validity of the certificates issued to individuals while providing e-governance services. The Office of CCA is in the process of setting up a centralised Online Certificate Validation source for all certificates issued by all Licensed CAs in the country to facilitate status and validation checking. Further, it has reviewed the use of DSCs in all the applications. Based on this review it has prepared interoperability guidelines. A Digital Signature Certificates Interoperability Guideline and application developer guidelines have been issued to promote interoperability.
To enhance the hassle-free use of web-based applications, and as an alternate means of publishing the Trusted Root Certificate of the India PKI, the Office of CCA is working with various web browser publishers to ship the India PKI Root CA certificate along with their browser or to get updates from their root certificate store.
What kind of challenges have you faced?
One of the functions of the CCA is to ensure that the prescribed standards are fully adopted. Compliance with these standards, practices and procedures is to be audited at regular intervals.
The private key, which is used to create the digital signature, should be in the safe custody of the subscriber. Due to a lack of awareness of the consequences of misuse of the private key, subscribers do not give enough importance to the safe custody of the tokens/devices containing the private key. The Office of CCA regularly conducts awareness programs in different parts of the country to create public awareness about digital signatures.
Several large applications, especially in the banking and insurance sector, are still to adapt to Digital Signature Certificate-based secure transactions in their citizen services. We are trying to create awareness amongst various application providers by convincing them of the role of trust in the transaction and the legal advantage of using digital signatures.
Further, there were issues relating to interoperability. The certificates issued by different Licensed CAs were not acceptable to some applications due to the lack of uniform usage of certificate fields. We have been able to tackle this issue by issuing interoperability guidelines.
Some of the application providers feel that DSCs are inconvenient. Nationwide training programs are being conducted to create awareness among application users and providers.
The CCA must have a huge data repository…
As per CCA guidelines, Licensed CAs issue certificates to subscribers with a maximum period of validity of two years to ensure the safety of the keys which are used to digitally sign a document. As of Dec 2009, approximately 1.4 million certificates have been issued for use in a variety of applications. We are looking at a target of 10 million in the next one year, so that more people can reap the benefit of trustworthy electronic transactions. A digital signature is the only mechanism that provides non-repudiation, integrity and identity of an individual in cyberspace as of today. While the CCA keeps the certificates of the certifying authorities, the repository of the Digital Signature Certificates issued to subscribers is maintained by the CAs.
We are in the process of setting up a centralised Online Certificate Validation System where all Certificate Revocation Lists (CRLs) issued by certifying authorities can be stored at one place, to enable applications to access this facility to verify signatures.
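The checks a relying party performs before accepting a digital signature, as described in the answers on verification (signer authentication and document integrity), the two-year certificate validity and the CRL: an added example, not code from the CCA or any licensed CA. The CA, subscriber and CRL are constructed in memory with hypothetical names; it assumes Go 1.21 or later and uses only the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"slices"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newDemoPKI builds a constructed hierarchy (not any licensed CA's): a root CA, a subscriber certificate
// valid for two years, and a CA-signed CRL that lists the subscriber when revoke is set. Certificates are
// re-parsed from DER so that PublicKey and SubjectKeyId are populated for the checks below.
func newDemoPKI(revoke bool) (ca, sub *x509.Certificate, subKey *ecdsa.PrivateKey, crl *x509.RevocationList) {
	now, caKey := time.Now(), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.AddDate(10, 0, 0)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Subscriber certificate: two-year maximum validity, as stated in the interview.
	subTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now, NotAfter: now.AddDate(2, 0, 0)}
	sub = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, subTmpl, ca, &subKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7)}
	if revoke {
		crlTmpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: sub.SerialNumber, RevocationTime: now}}
	}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return ca, sub, subKey, crl
}

// sign hashes the document and signs the digest with the subscriber's private key.
func sign(key *ecdsa.PrivateKey, doc []byte) []byte { h := sha256.Sum256(doc); return must(ecdsa.SignASN1(rand.Reader, key, h[:])) }

// verify is the relying party's side: certificate issued by the trusted CA, inside its validity period
// at time now, CRL genuinely from the CA and not listing the certificate, then the signature itself.
func verify(ca, sub *x509.Certificate, crl *x509.RevocationList, doc, sig []byte, now time.Time) error {
	if err := errors.Join(sub.CheckSignatureFrom(ca), crl.CheckSignatureFrom(ca)); err != nil {
		return err
	}
	if now.Before(sub.NotBefore) || now.After(sub.NotAfter) {
		return errors.New("certificate outside validity period")
	}
	if slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(sub.SerialNumber) == 0 }) {
		return errors.New("certificate revoked")
	}
	h := sha256.Sum256(doc) // the signature binds this digest to the subscriber's key
	if !ecdsa.VerifyASN1(sub.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return errors.New("signature does not match document or signer")
	}
	return nil
}
```

A tampered document, an expired or revoked certificate, or a signature made with another subscriber's key each fail a different check, which is what lets the verifier attribute the signature to one signer and one document.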
“We have specified certain standards to be maintained by all certifying authorities that issue the digital signature certificates to individuals to be stored properly and securely. The standards for private key generation, its storage, and the signing and verification process have been defined by the CCA and it is mandatory for all agencies to follow them.”
What are the changes that have been introduced by the amendment to the IT Act? For example, you said that the NRDC does not exist?
In order to make the Act technology-neutral, the government introduced the new term Electronic Signatures, with well-defined signature properties. As of today, the PKI-based digital signature is the only one which satisfies the signature properties. The use of new technologies for Electronic Signatures, as and when approved, will be notified through the Rules under the IT Act.
Section 20 of the IT Act 2000, which designated the Controller as the repository of DSCs, has been omitted in the amendments to the IT Act 2000. The Office of CCA will continue to maintain the certificates issued to CAs and the corresponding Authority Revocation List.
The Cyber Regulation Appellate Tribunal, which was earlier restricted to a single member, has been made multi-member with various benches.
So, when it comes to the larger issue of information and national security, what role do you see CCA playing?
One has to remember that security in cyberspace is dynamic and sensitive. With IT playing an increasingly important role in the Indian economy, we have to ensure that all e-transactions are trustworthy and can be depended upon. The IT Act seeks to create a secure mechanism for protecting electronic transactions in both the e-commerce and the e-governance space.
Ensuring that vital information is accessible only to those authorised is essential for national security. A PKI-based system can provide certificate-based authentication and high-level encryption to communicate information. To enable confidentiality, the office of CCA will work with the Department of Information Technology to lay down the policies for the issuance of encryption certificates and a key escrow mechanism.
Inclusion is the first magazine dedicated to exploring issues at the intersection of development agendas and digital, financial and social inclusion. The magazine makes complex policy analyses accessible for a diverse audience of policymakers, administrators, civil society and academicians. Grassroots-focused, outcome-oriented analysis is the cornerstone of the work done at Inclusion.