E Signatures 2


CHRIST (Deemed to be) UNIVERSITY,

LAVASA CAMPUS

E-signatures

PRESENTED BY:
Hemang Wadhwa
(20113122)
BBA LLB (H)
INDEX

E-Signatures and Digital Signatures
Laws overview/background
Conditions for validity
Cryptography & PKI
How PKI works
Rules under IT Act, 2000
Functions of CCA under IT Act 2000
Duties of CA
Powers of CCA
ESC & DSC
Contents of e-certificate

Tip: Kindly jot down the key pointers from the speech; the ppt only contains pointers.
How: Listen and write.
Digital signatures and E-signatures

Digital signatures
A signature is a symbolic and essential representation of one’s identity.

E-Signatures
The European Union Regulation 910/2014 defines and regulates an electronic signature as “in electronic form which is attached to or logically associated with other data in electronic form and used by the signatory to sign”.
Laws Overview

International law
Article 6 of the UNCITRAL Model Law:
Reliability
Retraceable
Controllable
Definition according to the US Federal ESIGN Act: “Electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

Indian Evidence Act
Section 65-B of the Act makes the e-signature admissible in Courts.
Section 67A of the Indian Evidence Act, 1872 propounds that the signatory has to prove that the e-signature belongs to him/her in any case wherever a dispute regarding e-signatures arises.

IT Act
Sec 2(1)(ta): Definition of e-signature
Sec 2(p): Definition of Digital signature
Sections 17 to 34 of Chapter VI of the Act.
Section 3A based on Art. 6 of the UNCITRAL Model Law
Sections 4 & 5 give legal recognition to electronic records.
Section 10A gives validity to contracts formed through electronic means.

Other Rules
Digital Signature (End Entity) Rules, 2015
Information Technology (Use of Electronic Records and Digital Signature) Rules, 2004
Information Technology (Certifying Authorities) Rules, 2000
Conditions for validity
1. The signature creating data and the authentication data should be linked to the signatory or the authenticator and not to any other person.
2. The data for generating the e-signature should be at the time of signing in the control of the signee.
3. Any changes or alterations that are made after affixing the e-signature or data are detectable.
4. It is issued by a Certifying Authority based on e-authentication specified in Form C of Schedule IV of the Information Technology (Certifying Authorities) Rules, 2000.

Not applicable to the following:
1. A negotiable instrument other than cheques as defined under section 13 of the NI Act, 1881.
2. A Power of Attorney as defined under section 1A of the Power of Attorney Act, 1882.
3. A trust as defined under section 3 of the Indian Trust Act, 1882.
4. Any contract of sale, lease or conveyance of immovable property or any interest in such property.
5. A will as defined under section 2(h) of the Indian Succession Act, 1925 including any other testamentary disposition.
CRYPTOGRAPHY
There are numerous techniques employed all over the world to make e-signatures; the UNCITRAL Model Law prescribes a list of valid techniques. The basic technology at work in designing e-signatures is cryptography. Cryptography is a widely used technique to secure important messages and has been in use for a long time. Under cryptography, the message that needs to be protected is encrypted, or codified, into a format that is unreadable for ordinary people, and only the individual having the requisite know-how (the key) to decrypt the code can read it.

In addition to encryption, cryptography (particularly asymmetric cryptography) can be used to verify the identity of a user and guarantee the integrity of the data. This is possible through the Digital Signature.
It is important to clarify the difference between an electronic signature and a Digital Signature. An electronic signature can be any type of file, image, logo, or digitized handwritten signature that serves to identify a user but does not use any type of cryptography or sophisticated algorithm for its generation.

A PKI digital signature is complementary information, produced cryptographically, that is sent along with the signed message. The algorithms used for the generation and verification of the signature are the following:

Generation of random numbers
Generation of cryptographic keys using an asymmetric encryption algorithm
Cryptographic hash function
Digital signature algorithm
Digital signature verification algorithm.
Techniques to make Digital Signatures via cryptography

Symmetric Cryptography Method
The symmetric cryptography method makes use of only one key to protect the messages (similar copies of it may be made). The sender and the receiver both have the same key, so only those two parties can read the message. This method is widely used in business contracts that take place online, where there are only two parties concerned.

Asymmetric Cryptography Method
This method makes use of two keys, the public and the private key, and both parties have both kinds of key. The public key is accessible to the public at large while the private key is accessible only to the concerned user. This technique is used in government welfare programmes and company schemes with customers, where a single party deals with many different people.

Public Key Infrastructure (PKI)
The PKI method is the most prevalent and one of the legal techniques of designing e-signatures today and is widely followed in various countries of the world including the USA and Germany. The technique makes use of two distinct keys in the formation of e-signatures: the public and the private keys.
HOW DOES PKI WORK?
In the process of generating a digital signature, the private key of the issuer of the message is used. During the verification process, the public key of the issuer is used.
For the generation of the digital signature, the hash of the message to be sent is calculated. Remember that a cryptographic hash function allows inputs of varying data lengths to be transformed into a fixed-length string, called a hash value. The most important properties of hash functions are that very small changes to the input value produce a completely different value as the output, and that it is very difficult to find collisions (two different inputs with the same hash value).
Returning to the digital signature, the hash of the message that is to be authenticated with the electronic signature is one of the values used to form the signature. In summary, the procedure for signature generation is as follows:
1. A random number is generated
2. The random element of the signature is calculated from that random number
3. The hash value of the document to be signed is calculated
4. Using the issuer’s private key, the random element and the document’s hash value, the electronic signature is generated.

On the other hand, it is equally important that the receiver can verify the electronic signature to authenticate the veracity of the authorship of the message. For this, the electronic signature verification procedure is carried out as follows:
1. The issuer’s public key is obtained
2. From the hash value of the document, the signature verification algorithm is executed using the issuer’s public key and the electronic signature itself
3. The result of the algorithm is yes or no, based on whether the verification succeeds or fails
RULES UNDER IT ACT, 2000
Application for licence (Rule 8): The following persons may apply for grant of licence to issue electronic signature certificate:
1. An individual, being a citizen of India and having a capital of ₹5 crore or more in his business or profession;
2. A company having (i) paid up capital of not less than ₹5 crore, and (ii) net worth of not less than ₹50 crore; however, a company in which the equity share capital held in aggregate by non-resident Indians, foreign institutional investors, or foreign companies exceeds 49% of its capital shall not be eligible for the grant of licence;
3. A firm having capital subscribed by all partners of not less than ₹5 crore and net worth of not less than ₹50 crore; however, a firm in which the capital held in aggregate by any non-resident Indian and foreign national exceeds 49% of its capital shall not be eligible for grant of licence;
4. Central Government or a State Government or any of the Ministries or Departments, Agencies or Authorities of such Governments.

Did you know: The Govt. of India recently launched an eSign programme. That's an e-signature linked to your Aadhaar card.

Tip: RULES are not a part of syllabus as per course plan but a good way to earn some extra marks during exams. :)
RULES UNDER IT ACT, 2000
1. Submission of application (Sec. 22 and Rule 10): Every application for the issue of a licence shall be in such form as may be prescribed by the Central Government and shall be accompanied by:
a. A Certificate Practice Statement (CPS);
b. A statement including the procedures with respect to identification of the applicant;
c. Payment of non-refundable fee of ₹25,000;
d. Such other documents as may be prescribed by the Central Government.
2. Validity of licence (Rule 13): A licence shall be valid for a period of 5 years from the date of its issue and the licence shall be non-transferable and non-heritable.
3. Issuance of licence (Sec. 24 and Rule 16)
4. Renewal of licence (Sec. 23 and Rule 15): An application for renewal of a licence shall be
a. in such form as prescribed by the Central Government,
b. accompanied by payment of non-refundable fee of ₹25,000, and
c. made not less than 45 days before the date of expiry of the period of validity of the licence.
5. Suspension of licence (Sec. 25 and Rule 14): No Certifying Authority whose licence has been suspended shall issue any electronic signature certificate during such suspension [Sec. 25(3)].

(You can ignore this while revising if your brain is overheating. :p)
PROVISIONS UNDER IT ACT, 2000
Introduction
Sections 17 to 34 of Chapter VI of the Act provide for the Controller of Certifying Authorities (CCA) to licence and regulate the working of Certifying Authorities (CAs). The CCA also ensures that none of the provisions of the Act are violated.
The regulation of certifying authorities, or the electronic signature infrastructure in India, consists of:
Controller of Certifying Authorities (CCA). The IT Act, 2000 provides for the appointment, functions, powers and duties of the CCA (the apex regulatory body for certifying authorities in India) and other officers.
Certifying Authorities (CAs). A certifying authority is a trusted third party or entity that obtains a licence from the Controller and issues electronic signature certificates to the users of e-commerce. These authorities function under the supervision and control of the Controller of Certifying Authorities.

Appointment of Controller and Other Officers

Section 17 provides that the Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act. It may also, by the same or a subsequent notification, appoint such number of Deputy Controllers, Assistant Controllers, other officers and employees as it deems fit. The Controller has to function under the general control and directions of the Central Government, and the Deputy Controllers and Assistant Controllers have to function under the general superintendence and control of the Controller. The Controller shall have its head office at a place prescribed by the Central Government. There shall be a seal of the office of the Controller.
FUNCTIONS OF CCA
1. To act as regulator of certifying authorities (Sec. 18);
To exercise supervision over the activities of CAs;
To certify public keys of CAs;
To lay down the standards to be maintained by CAs;
To specify the qualifications and experience for employee of CAs;
To specify the conditions for conducting business by CAs;
To specify the terms and manner for maintenance of accounts by CAs;
To specify the terms and conditions for appointment of auditors and their remuneration;
To facilitate the establishment of any electronic system as well as regulation of such system;
To specify the manner of conducting dealings by CAs with the subscribers;
To resolve any conflict of interest between CAs and the subscribers;
To lay down the duties of CAs;
To maintain database for every CA containing their disclosure record as well as such particulars as may be specified by
regulations, which shall be accessible to public.
2. To recognise a foreign certifying authority (Sec. 19): The controller, with the prior permission of the Central Government and by notification in the Official Gazette, may recognise any foreign certifying authority for the purpose of this Act [Sec. 19(1)]. The controller may revoke such recognition by notification in the Official Gazette for reasons to be recorded in writing [Sec. 19(3)].
3. To grant licence to CAs to issue electronic signature certificate (Sec. 21): The controller can grant a licence to any person to issue electronic signature certificate provided he applies and fulfils such requirements with respect to qualification, expertise, manpower, financial resources and other infrastructure facilities as are necessary for the issue of Electronic Signature Certificate [Sec. 21(1) and (2)]. The controller may, after considering the documents and such other factors as he deems fit, grant the licence or reject the application. He may reject only after the applicant has been given a reasonable opportunity of presenting his case (Sec. 24).
4. To suspend licence (Sec. 25): The controller may suspend a licence if he is satisfied after making an enquiry that the CA has:
i. made a statement which is incorrect or false in material particulars in or in relation to the application for the issue or renewal of licence;
ii. failed to comply with terms and conditions necessary for granting of licence;
iii. failed to maintain standards specified in Sec. 30;
iv. contravened any provisions of the Act, rule, regulation or order made thereunder.

The notice of suspension or revocation may be published in the database maintained by the controller (Sec. 26).
DUTIES OF CERTIFYING AUTHORITY UNDER IT ACT, 2000

1. To follow certain procedures regarding security system (Sec. 30). The Act has laid down certain procedures relating to the security system to be followed by the certifying authority in the performance of its services. It must:
make use of hardware, software, and procedures that are secure from intrusion and misuse;
provide a reasonable level of reliable services;
adhere to security procedures to ensure the secrecy and privacy of electronic signatures;
be the repository of all Electronic Signature Certificates;
publish information regarding its practices, Electronic Signature Certificates and current status of such certificates; and
observe the specified standards.
The above stated security procedures must ensure the achievement of the 4 objectives of a security system: confidentiality, accessibility of information, consistency of information and authorized use of resources.
2. To ensure compliance with the Act (Sec. 31). The certifying authority must ensure that every person employed or engaged by it complies with the provisions of the Act, rules, regulations or orders made thereunder.
3. To display its licence (Sec. 32). The certifying authority must display its licence at a conspicuous place in the premises in which it carries on its business.
4. To surrender its licence (Sec. 33). The certifying authority must surrender its licence to the controller on its suspension or revocation.
5. To make certain disclosures (Sec. 34). The certifying authority is required to make the following disclosures:
Disclosure of Electronic Signature Certificate;
Disclosure of Certification Practice Statement (CPS); “Certificate Practice Statement” means a statement issued by a certifying authority to specify the practices that the certifying authority employs in issuing electronic signature certificates [Sec. 2(1)(k)]. It also outlines the CA’s policies, practices and procedures for verifying keys and the suspension, revocation and renewal of electronic signature certificates.
Disclosure of notice of revocation and suspension of Certificates of Certifying Authority ;
Disclosure of facts materially and adversely affecting the reliability of electronic signature certificate ;
Disclosure of adverse effects to affected person [Sec. 34(2)]. The authority is bound to disclose to affected person about
any event which may materially and adversely affect the integrity of the computer system or the conditions under which
electronic signature certificate was granted. The certifying authority is required to act in accordance with the procedure
specified in its CPS to deal with such event or situation.
POWERS OF THE CONTROLLER OF CERTIFYING AUTHORITIES (CCA) UNDER IT ACT, 2000

1. Power to authorise in writing, the deputy or the assistant controller or any officer to exercise any of his powers (Sec. 27).
2. Power to investigate any contravention of the Act or rules or regulations made thereunder. [Sec. 28(1)].
3. Power to direct a certifying authority or any employee of such authority to take such measures or to cease to carry on
such activities if these are necessary to ensure compliance with the provisions of the Act, rules or any regulations made
thereunder [Sec. 68(1)].
4. Power to direct any agency of the government to intercept any information transmitted through any computer resource
if it is necessary in the interest of the sovereignty or integrity of India, security of state, friendly relations with foreign
state etc. [Sec. 69(1)].
5. Power to issue directions for blocking the public access of any information through any computer resource in the
circumstances given under point No. 4 (Sec. 69A).
6. Power to authorize to monitor and collect traffic data or information through any computer resource for cyber security
(Sec. 69B).
7. Power to make regulations for carrying out the purposes of this Act after consultation with the cyber regulatory advisory
committee and previous approval of Central Government. The regulations may pertain to the following :
a. Particulars regarding maintenance of database containing disclosure of record of every CA [Sec. 18(n)]
b. Conditions and recognition of Foreign Certifying Authority [Sec. 19(1)].
c. Terms and conditions for grant of licence to CA [Sec. 21(3)].
d. Standards to be observed by CA [Sec. 30(d)]
8. Power to exercise himself or through an authorized officer the following powers which are conferred on Income Tax Authorities under Chapter XIII of the Income Tax Act, 1961:

Power to inspect, enforce attendance of any person and examine him on oath,
Power to conduct search and seizure,
Power to requisition books of account,
Power to call for information,
Power to inspect and take copies of register of members or debenture holders,
Power to make inquiries.
Contents of Digital Signature Certificate (Rule 7)
A digital signature certificate includes the following:

a. Owner’s name, organisation and location;
b. Issuer’s name, organisation and location;
c. Date of issue and period of validity;
d. Serial number of the certificate;
e. Signature algorithm identifier which identifies the algorithm used by the CA to sign the DSC;
f. Public key of the owner;
g. Date of expiry;
h. The issuer’s public key and the digital signature.

Ways to get more brownie points during exams yayyy!!
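As an added worked example (not part of the original slides, and not any Certifying Authority's software), the following Python carries out the signature generation and verification steps from the "How does PKI work?" slide with a toy DSA-style scheme over SHA-256, and then uses the same scheme to issue and check a certificate carrying the Rule 7 fields (a to h). The parameter sizes, the JSON encoding of the fields, and all names, dates and serial numbers are constructed assumptions for illustration only.

```python
import hashlib
import json
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; only used to build the toy domain parameters below."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(qbits=160, pbits=512):
    """Domain parameters (p, q, g): q divides p-1 and g has order q modulo p.
    Sizes are deliberately small (an assumption for speed); a real CA uses larger ones."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1      # odd, full bit length
        if not is_probable_prime(q):
            continue
        for _ in range(5000):
            k = secrets.randbits(pbits - qbits) & ~1               # even, so p = k*q + 1 is odd
            p = k * q + 1
            if is_probable_prime(p) and (g := pow(2, k, p)) != 1:  # g = 2^((p-1)/q) mod p
                return p, q, g

def generate_keypair(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1                               # private key, 1 <= x < q
    return x, pow(g, x, p)                                         # (private key, public key)

def _hash_int(message, q):
    """SHA-256 of the message, truncated to the bit length of q as DSA does."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h >> max(0, 256 - q.bit_length())

def sign(params, private_key, message):
    """Generation steps from the slide: random number, random element, hash, signature."""
    p, q, g = params
    h = _hash_int(message, q)                                      # step 3: hash of the document
    while True:
        k = secrets.randbelow(q - 1) + 1                           # step 1: fresh secret random number
        r = pow(g, k, p) % q                                       # step 2: random element from k
        s = (pow(k, -1, q) * (h + private_key * r)) % q            # step 4: private key, r and h
        if r != 0 and s != 0:
            return r, s

def verify(params, public_key, message, signature):
    """Verification steps from the slide: public key + hash + signature -> yes/no."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    h = _hash_int(message, q)
    u1, u2 = (h * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(public_key, u2, p) % p) % q == r

def certificate_tbs(fields):
    """Canonical encoding of the to-be-signed certificate fields (Rule 7 items a to g)."""
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(params, ca_private, ca_public, fields):
    """The CA signs the subscriber's fields and attaches its public key and signature (item h)."""
    signature = sign(params, ca_private, certificate_tbs(fields))
    return {"tbs": fields, "issuer_public_key": ca_public, "signature": signature}

def verify_certificate(params, trusted_ca_public, cert, today):
    """Relying-party check: trusted CA key, valid CA signature, date within the validity period."""
    if cert["issuer_public_key"] != trusted_ca_public:
        return False
    if not verify(params, trusted_ca_public, certificate_tbs(cert["tbs"]), cert["signature"]):
        return False
    return cert["tbs"]["issue_date"] <= today <= cert["tbs"]["expiry_date"]  # ISO-8601 dates
```

Altering a single byte of the signed document, or presenting a certificate outside its validity period or under a key the relying party does not trust, makes the corresponding check return False, which is condition 3 of the validity conditions in action.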

E-Signature Certificate

According to Sec. 2(1)(tb), ‘Electronic Signature Certificate’ means “an electronic signature certificate issued under section 35 and includes Digital Signature Certificate.” Digital Signature Certificates are the electronic equivalent of physical or paper certificates (e.g., driver’s licence, passport, membership card etc.). There are basically 3 types of digital signature certificates: Class I, Class II and Class III, each having a different level of security.
Classes of Digital Certificate

Class 1: These certificates shall be issued to individuals/private subscribers. These certificates will confirm that the user's name (or alias) and E-mail address form an unambiguous subject within the Certifying Authority's database.

Class 2: These certificates will be issued for both business personnel and private individuals' use. These certificates will confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases.

Class 3: This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.
PROCEDURE TO ISSUE ESC UNDER IT ACT, 2000

Procedures Relating to Electronic Signature Certificate (Secs. 35 – 39)

1. Issue of electronic signature certificate

Making of application. To obtain an electronic signature certificate, an application in the prescribed form shall be made to the certifying authority. The application shall be accompanied:
a. by such fees not exceeding ₹25,000 as may be prescribed by the Central Government. However, the Central Government may prescribe different fees for different classes of applicants.
b. by a ‘Certification Practice Statement’ or where there is no such statement, a statement containing such particulars,
as may be specified by regulations.
Grant of certificate. The certificate shall be granted only after the authority is satisfied about the information furnished
by the applicant. According to section 36 of the Act, a certifying authority has to make a declaration while issuing the
DSC that it has complied with the provisions of the Act and that it has fulfilled all other obligations relating to the
security of public and private keys of the subscribers. The subscriber has to convey his acceptance of the digital
signature certificate and its conditions in order to make it valid. A digital signature certificate (DSC) is normally granted
for 1 or 2 years, after which it can be renewed. (for clarification ESC is for 5 yrs)
Rejection of application. The certifying authority may reject the application for reasons to be recorded in writing. However, no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.
2. Suspension of Digital Signature Certificate (Sec. 37). The certifying authority which has issued a digital signature certificate may suspend such DSC in the following circumstances:
a. On the request of a subscriber or the person duly authorized by him. [Sec. 37(1)]
b. In public interest, if the certifying authority has formed such opinion.
c. However, such suspension cannot exceed a period of 15 days unless the subscriber has been given an opportunity
of being heard [Sec. 37(2)]. Further, the Certifying Authority shall communicate the suspension to the subscriber
[Sec. 37(3)].
3. Revocation of Digital Signature Certificate (Sec. 38). A certifying authority can revoke a DSC under any of the following circumstances:
i. On the request of the subscriber or any other person authorized by him.
ii. On the death of the subscriber.
iii. On the dissolution of the firm or winding up of company where subscriber is a firm or a company.
iv. If Certifying Authority is of the opinion that :
1. a material fact represented in the DSC is false or has been concealed.
2. a requirement for the issuance of the DSC was not satisfied.
3. the CA’s private key or security system was compromised in a manner materially affecting the DSC’s
reliability.
4. the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has
been dissolved, wound up or ceased to exist.
A DSC shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter [Sec. 38(1)].
Further, on revocation of a DSC under this section, the authority shall communicate the same to the subscriber [Sec. 38(2)].
Notice of suspension or revocation (Sec. 39)
Where a DSC is suspended or revoked u/s 37 or u/s 38, the CA shall publish a notice of such suspension or revocation in
the repository specified in the DSC for publication of such notice [Sec. 39(1)]. Further, where one or more repositories are
specified, the CA shall publish notices of such suspension or revocation in all such repositories.

DUTIES OF SUBSCRIBERS UNDER IT ACT, 2000 (Not a part of syllabus)

Definition.
According to Sec. 2(1)(zg), “Subscriber” means a person in whose name the electronic signature certificate is issued. Sections 41 to 43 of Chapter VIII of the Information Technology Act prescribe the following duties of subscribers who have obtained the Digital Signature Certificate from some certifying authority:
1. Generating Key Pair (Sec. 40). Where any DSC has been accepted by the subscriber, he has a duty to generate the key pair consisting of the public key to which the private key of the subscriber corresponds and which is to be listed in the digital signature certificate, by applying the security procedure prescribed under Section 16.
2. Duty of subscriber of Electronic Signature Certificate (Sec. 40A). In respect of Electronic Signature Certificate the subscriber shall
perform such duties as may be prescribed [Inserted vide ITAA, 2008].
3. Acceptance of Digital Signature Certificate (Sec. 41). Acceptance of digital certificate entitles him to the rights under it as well as imposes
some obligations upon him. Sub-sections 1 and 2 of Section 41 provide the following provisions relating to acceptance of certificate by the
subscriber :
a. A subscriber shall be deemed to have accepted a DSC if he publishes or authorizes the publication of Digital Signature Certificate :
i. to one or more persons ;
ii. in a repository, or otherwise demonstrates his approval of DSC in any manner.
b. Acceptance of DSC amounts to certification by the subscriber to all who rely on the information contained therein that:
i. the subscriber holds and is entitled to hold the private key corresponding to the public key listed in the DSC.
ii. all representations made by the subscriber to the CA and all information contained in the DSC are true.
iii. all information contained in the DSC that is within the knowledge of the subscriber is true.
4. Control of Private Key (Sec. 42). Sub-sections (1) and (2) of Section 42 lay down the following duties of the subscriber relating to the
control of private key :
a. Duty to exercise reasonable care to retain control of the private key corresponding to the public key listed in the DSC.
i. Duty to take all steps to prevent disclosure of private key.
ii. If the private key has been compromised (lost), duty to communicate the same to the certifying authority without any delay.
In case of compromise of private key till such information is given to the certifying authority, the subscriber shall continue to be liable
[Explanation to Sec. 42(2)].
DIFFERENCE BETWEEN E-SIGNATURE AND DIGITAL SIGNATURE

SECTION
E-signature: It has been defined under Section 2(1)(ta) of the Information Technology Act, 2000.
Digital signature: It has been defined under Section 2(1)(p) of the Information Technology Act, 2000.

TECHNOLOGY INVOLVED
E-signature: It is technologically neutral, i.e. no specific technological process is to be followed to create an electronic signature.
Digital signature: It follows a technology-specific approach such as usage of hash functions, algorithms, etc.

MODE OF CREATION
E-signature: It can be created by using various available technologies like attaching a picture of your signature.
Digital signature: It uses a public key cryptography system to sign a particular message, which requires a pair of keys, i.e. a private key for encryption and a public key for decryption, computed by using a hash function.

WHAT IS IT?
E-signature: It can be in the form of a name typed at the end of an email, a digital version of a handwritten signature in the form of an attachment, a code or even a fingerprint.
Digital signature: It involves the usage of a cryptographic system of constructing the signature with a two-way protection system.

AUTHENTICITY
E-signature: It is less authentic as compared to the digital signature.
Digital signature: It has more authenticity as compared to the electronic signature.

ENCRYPTION STANDARDS
E-signature: Electronic signatures do not come with encryption standards.
Digital signature: Digital signatures come with encryption standards.

MODE OF AUTHENTICATION
E-signature: An electronic signature is authenticated using a phone number, SMS, etc.
Digital signature: A digital signature is authenticated using a digital signature certificate.

SUMMARY
E-signature: An electronic signature verifies the document.
Digital signature: A digital signature secures a document.
Thank you