Published by Enhelion, 2019-11-21 14:15:02

Cyber Module_3

MODULE 3: DIGITAL SIGNATURES AND ELECTRONIC SIGNATURES

3.1 THE INDIAN LAW

Documents are an integral part of the world as we know it, and so is the process of
transmitting or transferring them among persons, organizations or the public at large.
This process, however, carries the risk of information tampering or duplication. To mark a
document as original and untampered, a person affixes his seal or signature to the
document he executes. Today, with an increasing number of documents being executed in soft
copy and transmitted as such, because of transactional convenience and expeditious
delivery, this method of authenticating documents is not enough. The electronic
signature was introduced to overcome this insufficiency.

This chapter gives legal recognition to electronic records and digital signatures. It contains
only section 3. The section provides the conditions subject to which an electronic record
may be authenticated by means of affixing digital signature. The digital signature is created
in two distinct steps. First the electronic record is converted into a message digest by using a
mathematical function known as “hash function” which digitally freezes the electronic
record thus ensuring the integrity of the content of the intended communication contained
in the electronic record. Any tampering with the contents of the electronic record will
immediately invalidate the digital signature. Secondly, the identity of the person affixing the
digital signature is authenticated through the use of a private key which attaches itself to
the message digest and which can be verified by anybody who has the public key
corresponding to such private key. This will enable anybody to verify whether the electronic
record is retained intact or has been tampered with since it was so fixed with the digital
signature. It will also enable a person who has a public key to identify the originator of the
message.

3.1.1 ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT

The term ‘‘electronic signature’’ means an electronic sound, symbol, or process, attached to or
logically associated with a contract or other record and executed or adopted by a person with
the intent to sign the record.1

3.1.2 PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

(1) An electronic signature is "a signature that consists of one or more letters, characters,
numbers or other symbols in digital form incorporated in, attached to or associated with an
electronic document";2

(2) A secure electronic signature is an electronic signature that

• is unique to the person making the signature;

• the technology or process used to make the signature is under the sole control of the
person making the signature;

• the technology or process can be used to identify the person using the technology or
process; and

• the electronic signature can be linked with an electronic document in such a way
that it can be used to determine whether the electronic document has been changed
since the electronic signature was incorporated in, attached to or associated with
the electronic document.3

1 S 106 (5), 15 USC 7006
2 S 31 (1), S.C. 2000, c. 5

Section 2(p) of the Information Technology Act, 2008 defines digital signature
as "authentication of any electronic record by a subscriber by means of an electronic
method or procedure in accordance with the provisions of section 3.” Section 3 further
reads: “any subscriber may authenticate an electronic record by affixing his digital
signature.” Clause 2 of the above-mentioned section states that the authentication of the
electronic record shall be effected by the use of asymmetric crypto system and hash
function which envelop and transform the initial electronic record into another electronic
record. "Hash function" means an algorithm mapping or translation of one sequence of bits
into another, generally smaller, set known as "hash result" such that an electronic record
yields the same hash result every time the algorithm is executed with the same electronic
record as its input, making it computationally infeasible:

• to derive or reconstruct the original electronic record from the hash result produced
by the algorithm;

• that the two electronic records can produce the same hash result using the
algorithm.

The electronic record can be verified by any person who uses the public key of the
subscriber. The private key and the public key are unique to the subscriber and constitute a
functioning key pair.

Section 2(ta) defines electronic signature as authentication of any electronic record by a
subscriber by means of an electronic technique and it includes digital signature. Section 3A
further states that:

“(1) Notwithstanding anything contained in section 3, but subject to the provisions of
subsection (2) a subscriber may authenticate any electronic record by such electronic
signature or electronic authentication technique which-

(a) is considered reliable ; and
(b) may be specified in the Second Schedule

3 Ibid, S 48 (1)

(2) For the purposes of this section any electronic signature or electronic authentication
technique shall be considered reliable if

(a) the signature creation data or the authentication data are, within the context in
which they are used, linked to the signatory or , as the case may be, the
authenticator and of no other person;

(b) the signature creation data or the authentication data were, at the time of signing,
under the control of the signatory or, as the case may be, the authenticator and of no
other person;

(c) any alteration to the electronic signature made after affixing such signature is
detectable

(d) any alteration to the information made after its authentication by electronic
signature is detectable; and

(e) it fulfills such other conditions which may be prescribed.

(3) The Central Government may prescribe the procedure for the purpose of ascertaining
whether electronic signature is that of the person by whom it is purported to have
been affixed or authenticated

(4) The Central Government may, by notification in the Official Gazette, add to or omit
any electronic signature or electronic authentication technique and the procedure for
affixing such signature from the second schedule;
Provided that no electronic signature or authentication technique shall be specified in
the Second Schedule unless such signature or technique is reliable

(5) Every notification issued under sub-section (4) shall be laid before each House of
Parliament.”

Therefore “Electronic signature” means authentication of any electronic record by a
subscriber by means of the electronic technique specified in the Second Schedule and
includes digital signature.4

Any electronic signature or electronic authentication technique shall be considered reliable
if—

• the signature creation data or the authentication data are, within the context in
which they are used, linked to the signatory or, as the case may be, the
authenticator and to no other person;

• the signature creation data or the authentication data were, at the time of signing,
under the control of the signatory or, as the case may be, the authenticator and of
no other person;

• any alteration to the electronic signature made after affixing such signature is
detectable;

• any alteration to the information made after its authentication by electronic
signature is detectable; and

• it fulfils such other conditions which may be prescribed.5

4 S 2 (ta), Information Technology Act, 2000 (as amended by Information Technology Act, 2008).
5 Ibid, S 3A (2).

3.1.3 DIGITAL SIGNATURE

A digital signature or digital signature scheme is a mathematical scheme for demonstrating
the authenticity of a digital message or document. A valid digital signature gives a recipient
reason to believe that the message was created by a known sender, and that it was not
altered in transit. Digital signatures are commonly used for software distribution, financial
transactions, and in other cases where it is important to detect forgery or tampering.

3.1.3.1 ITS MEANING IN THE INDIAN LEGAL SYSTEM

According to the Information Technology Act, 2000, digital signature means the use of
asymmetric crypto system and hash function which envelop and transform the initial
electronic record into another electronic record.6 Hash function is defined as an algorithm
mapping or translation of one sequence of bits into another, generally smaller, set known as
"hash result" such that an electronic record yields the same hash result every time the
algorithm is executed with the same electronic record as its input making it computationally
infeasible—

1. to derive or reconstruct the original electronic record from the hash result produced
by the algorithm;

2. that two electronic records can produce the same hash result using the algorithm.7

A digital signature shall be deemed to be a secure digital signature if the following
procedure has been applied to it, namely:-

• that the smart card or hardware token, as the case may be, with cryptographic
module in it, is used to create the key pair.

• that the private key used to create the digital signature always remains in the smart
card or hardware token as the case may be.

• that the hash of the content to be signed is taken from the host system to the smart
card or hardware token and the private key is used to create the digital signature
and the signed hash is returned to the host system.

• that the information contained in the smart card or hardware token, as the case may
be, is solely under the control of the person who is purported to have created the
digital signature.

• that the digital signature can be verified by using the public key listed in the Digital
Signature Certificate issued to that person.

• that the standards referred to in rule 6 of the Information Technology (Certifying
Authorities) Rules, 2000 have been complied with, in so far as they relate to the
creation, storage and transmission of the digital signature, and

• that the digital signature is linked to the electronic record in such a manner that if
the electronic record was altered the digital signature would be invalidated.8

6 Ibid, S 3.
7 Ibid, S 3 (Explanation).
8 Information Technology (Use of electronic records and digital signatures) Rules, 2004; R4.

3.1.3.2 WORKING OF DIGITAL SIGNATURE

Step 1: Getting a Private and Public Key

In order to electronically sign documents with standard digital signatures, the signer needs
to obtain a Private and Public Key - a one-time setup/operation. The Private Key, as the
name implies, is not shared and is used only by the signer to sign documents. The Public Key
is openly available and used by those who need to verify the signer's digital signature.

Step 2: Signing an Electronic Document

• Initiating the signing process - Depending on the software used, the signer needs to
initiate the signing process (e.g., clicking a "Sign" button on the software's toolbar).

• Creating a digital signature - A unique digital fingerprint of the document
(sometimes called a message digest or document hash) is created using a
mathematical algorithm (such as Secure Hash Algorithm-1). Even the slightest
difference between two documents would create a separate digital fingerprint of
each.

• Appending the signature to the document - The hash result and the user's digital
certificate (which includes his Public Key) are combined into a digital signature (by
using the user's Private Key to encrypt the document hash). The resulting signature is
unique to both the document and the user. Finally, the digital signature is appended
to the document.

Step 3: Verifying the digital signature

• Initiation of the verification process - Depending on the software used, the recipient
needs to initiate the validation process (e.g., clicking a "Validate Signature" menu
option button on the software's toolbar).

• Decryption of signature - Using the signer’s Public Key, the recipient decrypts the
signature and recovers the original document hash (the document fingerprint).

• Comparison of the signer’s document fingerprint with the recipient’s calculated
one – The recipient’s software then calculates the document hash of the received
document and compares it with the original document hash (from the previous
step). If they are the same, the signed document has not been altered.
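
Steps 1 to 3 above, written out as an added Python example (it is not code from the original module): key generation, hash-then-sign, and verification by recovering the encoded hash with the public key and comparing it with a freshly computed one. RSA with PKCS #1 v1.5 encoding, SHA-256 (the module names SHA-1 only as an example, and SHA-1 collisions have since been demonstrated), the key size and all function names are assumptions of this example.

```python
import hashlib
import secrets

E = 65537  # public exponent; being prime, it simplifies the coprimality check below
# ASN.1 DigestInfo header that labels the digest as SHA-256 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a is a witness that n is composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits with p - 1 coprime to E."""
    while True:
        # Top two bits set so that the product of two such primes has 2*bits bits.
        c = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if c % E != 1 and is_probable_prime(c):
            return c


def generate_key_pair(bits=2048):
    """Step 1: return (public_key, private_key) as (n, e) and (n, d)."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def encode_digest(record, k):
    """Hash the record and pad it to k bytes (EMSA-PKCS1-v1_5)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(record).digest()
    padding = b"\xff" * (k - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + padding + b"\x00" + t, "big")


def sign(record, private_key):
    """Step 2: fingerprint the record, then apply the private key to it."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(encode_digest(record, k), d, n).to_bytes(k, "big")


def verify(record, signature, public_key):
    """Step 3: recover the signed fingerprint and compare with our own."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n)                    # "decryption" with the public key
    return recovered == encode_digest(record, k)  # recipient's own calculation


if __name__ == "__main__":
    # Constructed sample record, not taken from the module.
    record = b"Transfer INR 10,000 to account 12345"
    public_key, private_key = generate_key_pair()
    signature = sign(record, private_key)
    print("original record verifies:", verify(record, signature, public_key))
    altered = record.replace(b"10,000", b"90,000")
    print("altered record verifies: ", verify(altered, signature, public_key))
```

The check succeeds only for the exact bytes that were signed and only under the matching public key; it says nothing about who holds that key, which is the gap the Certifying Authority described next is meant to close.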

There is yet another factor involved. How can a recipient know whether the signer is indeed
the same person she intends to conduct business with? The signer needs to be certified by a
trusted third party that knows him and can verify that he is indeed who he claims to be.
These trusted third parties are called Certifying Authorities. They issue certificates to ensure
the authenticity of the signer. Certificates can be compared to passports issued by countries
to their citizens.

3.1.3.3 DIFFERENCE BETWEEN ELECTRONIC SIGNATURE AND DIGITAL SIGNATURE

Digital signatures are a subgroup of electronic signatures that provides the highest form
of signature and content integrity as well as universal acceptance. The digital signature is
based on Public Key Infrastructure (PKI) and is a result of a cryptographic operation that
guarantees signer authenticity, data integrity and non-repudiation of signed documents. The
digital signature cannot be copied, tampered with or altered.

On the other hand, an electronic signature is a proprietary format (there is no standard for
electronic signatures) consisting of electronic data that identifies the author(s) of an electronic
message, such as a digitized image of a handwritten signature, a symbol, a voiceprint, etc. An
electronic signature is vulnerable to copying and tampering, making forgery easy. In many
cases, electronic signatures are not legally binding and require proprietary software to
validate the e-signature.

In Indian law too, it has been recognised that digital signature is a subset of electronic
signature.9

3.2 THE OTHER DEFINITIONS

A digital signature is not a signature at all but a means of authentication using a line of
code called a hash. When a person sends a message to a bank to transfer funds, for
example, the hash must match the one held by the bank.10

Digital Signature is used for demonstrating the authenticity of a digital message or
document. A valid digital signature gives a recipient reason to believe that the message was
created by a known sender, and that it was not altered in transit. Digital signatures are
commonly used for software distribution, financial transactions, and in other cases where it
is important to detect forgery or tampering.

Digital signatures are often used to implement electronic signatures, a broader term that
refers to any electronic data that carries the intent of a signature,11 but not all electronic
signatures use digital signatures. In some countries, including the United States, India, and
members of the European Union, electronic signatures have legal significance. However,
laws concerning electronic signatures do not always make clear whether they are digital
cryptographic signatures in the sense used here, leaving the legal definition, and so their
importance, somewhat confused.

A digital signature scheme typically consists of three algorithms:

• A key generation algorithm that selects a private key uniformly at random from a set
of possible private keys. The algorithm outputs the private key and a corresponding
public key.

• A signing algorithm that, given a message and a private key, produces a signature.

• A signature verifying algorithm that, given a message, public key and a signature,
either accepts or rejects the message's claim to authenticity.

9 Supra Note 4, S2 (ta).
10 http://www.wired.com/politics/law/news/1997/10/8060 as accessed on 10.01.11
11 US ESIGN Act, 2000

Two main properties are required. First, a signature generated from a fixed message and
fixed private key should verify the authenticity of that message by using the corresponding
public key. Secondly, it should be computationally infeasible to generate a valid signature
for a party who does not possess the private key.12

3.3 LAW IN OTHER COUNTRIES

The European Parliament has defined the term electronic signature as data in electronic
form which are attached to or logically associated with other electronic data and which
serve as a method of authentication.13

"Electronic signature" is a generic, technology-neutral term that refers to the universe of all
of the various methods by which one can "sign" an electronic record. Although all electronic
signatures are represented digitally (i.e., as a series of ones and zeroes), they can take many
forms and can be created by many different technologies. Examples of electronic signatures
include: a name typed at the end of an e-mail message by the sender; a digitized image of a
handwritten signature that is attached to an electronic document (sometimes created via a
biometrics-based technology called signature dynamics14); a secret code or PIN (such as that
used with ATM cards and credit cards) to identify the sender to the recipient; a code or
"handle" that the sender of a message uses to identify himself; a unique biometrics-based
identifier, such as a fingerprint or a retinal scan; and a digital signature (created through the
use of public key cryptography). "Digital Signature" is simply a term for one technology-
specific type of electronic signature.

In recent US law, influenced by American Bar Association committee white papers and the
National Conference of Commissioners on Uniform State Laws (NCCUSL), electronic
signature means "an electronic sound, symbol, or process, attached to or logically
associated with a record and executed or adopted by a person with the intent to sign the
record."15 This definition comes from the Uniform Electronic Transactions Act or "UETA"16
released by NCCUSL in 1999.17 The U.S. ESIGN Act of 200018 enacted on a federal level many
of the core concepts of UETA. 46 US states, the District of Columbia, and the US Virgin
Islands have enacted UETA.

The Government Paperwork Elimination Act in its section 1710 states that the term
"electronic signature" means a method of signing an electronic message that—

(A) identifies and authenticates a particular person as the source of the electronic
message; and

(B) indicates such person's approval of the information contained in the electronic
message.

12 http://en.wikipedia.org/wiki/Digital_signature as accessed on 10.01.11
13 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a
Community framework for electronic signatures;
http://europa.eu/legislation_summaries/information_society/l24118_en.htm as accessed on 10.01.11
14 CALIFORNIA CODE REGULATIONS. Title 2- 22003(b)(1)(D) (1998). Under the California Digital
Signature Regulations, "'Signature Dynamics' means measuring the way a person writes his or her
signature by hand on a flat surface and binding the measurements to a message through the use of
cryptographic techniques."
15 Section 106 of the US ESIGN Act, 2000 defines the term in the same manner.
16 Section 2, Uniform Electronic Transactions Act.
17 http://www.law.upenn.edu/bll/ulc/fnact99/1990s/ueta99.htm as accessed on 11.01.11
18 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf as accessed on 11.01.11

Section 11.3 of the Food and Drug Administration Act (Public Law 105-277)19 states that the
term Digital signature means an electronic signature based upon cryptographic methods of
originator authentication, computed by using a set of rules and a set of parameters such
that the identity of the signer and the integrity of the data can be verified. Electronic
signature means a computer data compilation of any symbol or series of symbols executed,
adopted, or authorized by an individual to be the legally binding equivalent of the
individual's handwritten signature.

The European Union Directive establishing the framework for electronic signatures is
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999
on a Community framework for electronic signatures. Commission Decision 2003/511/EC
adopting three CEN Workshop Agreements as technical standards is presumed to be in
accordance with the Directive.20 Several countries have already implemented Directive
1999/93/EC. A few of the implementing laws are the Austrian Signature Law, 2000; Belgium’s
Signature Law, 2001; Czech Republic’s Act on Electronic Signature, 227/2000; Denmark’s lov om
elektroniske signature; the Electronic Communications Act, 2000 and the Electronic Signatures
Regulations, 2002 of England, Scotland and Wales; Estonian Digital Signatures Act, 2003;
German Signature Law of 2001, changed in 2005; Greek Presidential decree 150/2001; Irish
Electronic Commerce Act, 2000; Maltese Electronic Commerce Act 2001, last amended
2005; Norwegian Electronic Signature Act, 2001; Spain’s Ley 59/2003, de 19 de diciembre, de
firma electrónica (in Spanish).

Sections 22-24 of New Zealand’s Electronic Transactions Act, 2002 deal with digital
and electronic signatures.

Bermuda consciously drew from the UNCITRAL Model Law on Electronic Commerce, the EU
Directive and legislation from other jurisdictions, in particular that of Singapore. The
Electronic Transaction Act 1999 provides for two types of signature, depending on the use
to which they are put. Part II, [section] 11 of the Bermudan Act, refers to the form an
electronic signature should take that will meet the criteria where a signature is required by
law when used to identify a person intending to sign or otherwise adopt the content of a
document in electronic format. This provision permits the use of different types of
electronic signature, other than a digital signature, as set out in section 11.21

19 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=105_cong_public_laws&docid=f:publ277.105 as accessed on 11.01.11
20 http://www.worldlingo.com/ma/enwiki/en/Digital_signatures_and_law#European_Union_and_the_European_Economic_Area as accessed on 11.01.11
21 http://findarticles.com/p/articles/mi_m5GES/is_2_6/ai_n25016329/pg_6/ as accessed on 11.01.11

3.4 CASE LAWS

When a person types his name on to a file in electronic format, such as a letter, e-mail or
other form of document, the text added is a form of electronic signature. This was the
subject of discussion in England and Wales in the case of Hall v. Cognos Ltd.22 In this case,
the chairman of the Tribunal determined that a name typed into an e-mail was a form of
signature. Although no relevant case law was mentioned in this instance, the decision was
consistent with decisions made by judges in England and Wales since the seventeenth
century, illustrating that the function of a signature overrides the form it takes. Case law
applying electronic signature statutes in the United States of America indicates the
acceptance of this form of electronic signature23, as does a recent case in Singapore.24

The French courts have taken a more restrictive approach, although it should be noted that
the case mentioned below pre-dates the introduction of the French law on electronic
signatures, and the decision may well be different now. In the case of Societe Chalets
Boisson v. M. X25 the council of the Society Chalets Boisson entered an appeal before the
Cour d'Appel of Besancon against a decision of a Conseil de prud'hommes (employment
tribunal). The notice of appeal was sent to the office of the clerk of the court by e-mail,
bearing an electronic signature. The defendant sought to have this appeal declared invalid,
because the electronic signature was deemed not to identify the signatory. The Cour d'appel
of Besancon accepted this argument and then declared this appeal inadmissible. The Cour
de Cassation approved the Cour de Besancon decision, holding that, to be valid, an appeal
must be signed by its author and that an electronic signature, before the 13th March 2000
Act,26 was not sufficient to identify the author. The comments by Philippe Bazin bear
repeating:

“.... judges at the time (and unfortunately still today) did not have any technical
understanding about what these notions concretely represent. These that they know, they
have practiced for a long time, and they have to do with paper, not the electronic
environment.”

In the April 30 2003 decision, the Court adopted a systematic position of mistrust with
respect to the electronic signature. It confirms that--culturally--it is the paper, and only the
paper, that constitutes the only solid legal guarantee." In some jurisdictions, it may well be
that this attitude might persist for some time.

22 Hall v. Cognos Limited, Hull Industrial Tribunal Case No 1803325/97.
23 See Shattuck v. Klotzbach, 14 Mass. L. Rptr. 360 (Mass. Super. Ct. 2001); see also Sea-Land
Serv., Inc. v. Lozen Int'l, LLC., 285 F.3d 808 (9th Cir. 2002); see also Cloud Corp. v. Hasbro, Inc,. 314
F.3d 289 (7th Cir. 2002); see also Roger Edwards, LLC. v. Fiddes & Son Ltd, 245 F. Supp. 2d 251 (D.
Me. 2003); see also On Line Power Tech., Inc. v. Squared D Company, 2004 WL 1171405 (S.D.N.Y.);
but see Toghiyany v. Amerigas Propane, Inc., 309 F.3d 1088 (8th Cir. 2002).
24 SM Integrated Transware Pte Ltd. v. Schenker Singapore (Pte) Ltd., [2005] SGHC 58. For a case
report on this case by Bryan Tan, See E-SIGNATURE LAW JOURNAL, vol. 2, no. 2 (2005), at 126 -
27.
25 Cour de Cassation, Cass.2e civ. chambre civile 2, April 30, 2003, Case No 00-46467, available in
electronic format at http://www.juriscom.net/jpt/visu.php?1D=239; see also Philippe Bazin, Case Note
E-Signature Law Journal, vol. 1, no. 2 (2004), at 93 - 94.
26 Law No. 2000-230 of March 13, 2000 portant adaptation du droit de la preuve aux technologies de
l'information et relative a la signature electronique.

Where an electronic signature is considered the functional equivalent of a manuscript
signature, some countries have included a number of presumptions in their legislation,
such as article 3 of the Japanese Law Concerning Electronic
Signatures and Certification Services (Law No. 102 of 2000):

“Article 3: An electro-magnetic record which is made in order to express information (with
the exception of one drawn by a public official in the exercise of his official functions) shall be
presumed to be authentic if an electronic signature (limited to those that, if based on the
proper control of the codes and objects necessary to perform the signature, only that person
can substantially perform) is performed by the principal in relation to information recorded
in the electro-magnetic record.”

The recently enacted Electronic Signatures Law of People's Republic of China has a similar
presumption, as set out in article 9, which is subject to a number of conditions:27

"Article 9: A data message is deemed to be sent by the originator if any of the following
conditions has been met:
It was sent under the authorization of the originator;
It was sent automatically by the originator's information system;
The addressee verifies and ascertains the data message by a method ratified by the
originator.
If the parties have agreed otherwise, such agreement prevails."

3.5 ELECTRONIC GOVERNANCE

3.5.1 THE INDIAN LAW

This chapter is one of the most important chapters. It specifies the procedures to be
followed for sending and receiving of electronic records and the time and the place of the
dispatch and receipt. This chapter contains sections 4 to 10.

Section 4 provides for “legal recognition of electronic records”. It provides that where any
law requires that any information or matter should be in the typewritten or printed form
then such requirement shall be deemed to be satisfied if it is in an electronic form. This
section is as follows:

“[Section 4] Legal Recognition of Electronic Records:

Where any law provides that information or any other matter shall be in writing or in the
typewritten or printed form, then, notwithstanding anything contained in such law, such
requirement shall be deemed to have been satisfied if such information or matter is (a)
rendered or made available in an electronic form; and (b) accessible so as to be usable for a
subsequent reference.”

27 Passed by No. 11 meeting of No. 10 Standard Committee of the National People's Congress on 28
August 2004. For a translation into English by Minyan Wang and Minju Wang, See E-SIGNATURE
LAW JOURNAL, vol. 2, no. 1 (2004), at 35 - 41.

Section 5 provides for legal recognition of Digital Signatures. Where any law requires that
any information or matter should be authenticated by affixing the signature of any person,
then such requirement shall be satisfied if it is authenticated by means of Digital Signatures
affixed in such manner as may be prescribed by the Central Government.

For the purposes of this section, “signed”, with its grammatical variations and cognate
expressions, shall, with reference to a person, mean affixing of his hand written signature or
any mark on any document and the expression “signature” shall be construed accordingly.

This section is as follows:

“[Section 5] Legal recognition of Electronic Signature: Where any law provides that
information or any other matter shall be authenticated by affixing the signature or any
document should be signed or bear the signature of any person then, notwithstanding
anything contained in such law, such requirement shall be deemed to have been satisfied, if
such information or matter is authenticated by means of digital signature affixed in such
manner as may be prescribed by the Central Government.
Explanation -
For the purposes of this section, "Signed", with its grammatical variations and cognate
expressions, shall, with reference to a person, mean affixing of his hand written signature or
any mark on any document and the expression "Signature" shall be construed accordingly.”

Section 6 lays down the foundation of Electronic Governance. It provides that the filing of
any form, application or other documents, creation, retention or preservation of records,
issue or grant of any licence or permit or receipt or payment in Government offices and its
agencies may be done through the means of electronic form. The appropriate Government
office has the power to prescribe the manner and format of the electronic records and the
method of payment of fee in that connection. As per ITAA 2008, this section reads as
follows:

[Section 6] Use of Electronic Records and Electronic Signature in Government and its
agencies:
“(1) Where any law provides for
(a) the filing of any form, application or any other document with any office, authority, body
or agency owned or controlled by the appropriate Government in a particular manner;
(b) the issue or grant of any license, permit, sanction or approval by whatever name called in
a particular manner;
(c) the receipt or payment of money in a particular manner, then, notwithstanding anything
contained in any other law for the time being in force, such requirement shall be deemed to
have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is
effected by means of such electronic form as may be prescribed by the appropriate
Government.
(2) The appropriate Government may, for the purposes of sub-section (1), by rules, prescribe
(a) the manner and format in which such electronic records shall be filed, created or issued;
(b) the manner or method of payment of any fee or charges for filing, creation or issue any
electronic record under clause (a).”

Section 6A Delivery of Services by Service Provider (Inserted vide ITAA-2008):

“(1) The appropriate Government may, for the purposes of this Chapter and for efficient
delivery of services to the public through electronic means authorize, by order, any service
provider to set up, maintain and upgrade the computerized facilities and perform such other
services as it may specify, by notification in the Official Gazette.
Explanation: For the purposes of this section, service provider so authorized includes any
individual, private agency, private company, partnership firm, sole proprietor firm or any
such other body or agency which has been granted permission by the appropriate
Government to offer services through electronic means in accordance with the policy
governing such service sector.
(2) The appropriate Government may also authorize any service provider authorized under
sub-section (1) to collect, retain and appropriate service charges, as may be prescribed by
the appropriate Government for the purpose of providing such services, from the person
availing such service.
(3) Subject to the provisions of sub-section (2), the appropriate Government may authorize
the service providers to collect, retain and appropriate service charges under this section
notwithstanding the fact that there is no express provision under the Act, rule, regulation or
notification under which the service is provided to collect, retain and appropriate eservice
charges by the service providers.
(4) The appropriate Government shall, by notification in the Official Gazette, specify the scale
of service charges which may be charged and collected by the service providers under this
section:
Provided that the appropriate Government may specify different scale of service charges for
different types of services.”

Section 7 provides that the documents, records or information which is to be retained for
any specified period shall be deemed to have been retained if the same is retained in the
electronic form provided the following conditions are satisfied:

(i) The information therein remains accessible so as to be usable subsequently.
(ii) The electronic record is retained in its original format or in a format which accurately
represents the information contained.
(iii) The details which will facilitate the identification of the origin, destination, dates and
time of despatch or receipt of such electronic record are available therein.

This section does not apply to any information which is automatically generated solely for
the purpose of enabling an electronic record to be dispatched or received. Moreover, this
section does not apply to any law that expressly provides for the retention of documents,
records or information in the form of electronic records. In ITAA 2008, this section is given as
follows:

“[Section 7] Retention of Electronic Records:
(1) Where any law provides that documents, records or information shall be retained for any
specific period, then, that requirement shall be deemed to have been satisfied if such
documents, records or information are retained in the electronic form, -

(a) the information contained therein remains accessible so as to be usable for a subsequent
reference;
(b) the electronic record is retained in the format in which it was originally generated, sent or
received or in a format which can be demonstrated to represent accurately the information
originally generated, sent or received;
(c) the details which will facilitate the identification of the origin, destination, date and time
of dispatch or receipt of such electronic record are available in the electronic record:
However, this clause does not apply to any information which is automatically generated
solely for the purpose of enabling an electronic record to be dispatched or received.
(2) Nothing in this section shall apply to any law that expressly provides for the retention of
documents, records or information in the form of electronic records.”

Section 7A Audit of Documents etc in Electronic form:

“Where in any law for the time being in force, there is a provision for audit of documents,
records or information, that provision shall also be applicable for audit of documents,
records or information processed and maintained in electronic form” (ITAA 2008, Standing
Committee Recommendation)

Section 8 provides for the publication of rules, regulations and notifications in the Electronic
Gazette. It provides that where any law requires the publication of any rule, regulation,
order, bye-law, notification or any other matter in the Official Gazette, then such
requirement shall be deemed to be satisfied if the same is published in an electronic form. It
also provides that where the Official Gazette is published both in the printed as well as in the
electronic form, the date of publication shall be the date of publication of the Official
Gazette which was first published in any form.

Section 8 Publication of rules, regulation, etc, in Electronic Gazette:

“Where any law provides that any rule, regulation, order, bye-law, notification or any other
matter shall be published in the Official Gazette, then, such requirement shall be deemed to
have been satisfied if such rule, regulation, order, bye-law, notification or any other matter is
published in the Official Gazette or Electronic Gazette: However, where any rule, regulation,
order, bye-law, notification or any other matter is published in the Official Gazette or
Electronic Gazette, the date of publication shall be deemed to be the date of the Gazette
which was first published in any form.”

However, section 9 of the Act provides that the conditions stipulated in sections 6, 7 and 8
shall not confer any right to insist that the document should be accepted in an electronic
form by any Ministry or department of the Central Government or the State Government.

Section 9: Sections 6, 7 and 8 Not to Confer Right to insist document should be accepted in
electronic form:

“Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that
any Ministry or Department of the Central Government or the State Government or any
authority or body established by or under any law or controlled or funded by the Central or
State Government should accept, issue, create, retain and preserve any document in the
form of electronic records or effect any monetary transaction in the electronic form.”

Section 10: Power to make rules by Central Government in respect of Electronic Signature
(Modified Vide ITAA 2008)

“The Central Government may, for the purposes of this Act, by rules, prescribe
(a) the type of Electronic Signature;
(b) the manner and format in which the Electronic Signature shall be affixed;
(c) the manner or procedure which facilitates identification of the person affixing the
Electronic Signature;
(d) control processes and procedures to ensure adequate integrity, security and
confidentiality of electronic records or payments; and
(e) any other matter which is necessary to give legal effect to Electronic Signature.”

Section 10A: Validity of contracts formed through electronic means (Inserted by ITAA 2008).

“Where in a contract formation, the communication of proposals, the acceptance of
proposals, the revocation of proposals and acceptances, as the case may be, are expressed in
electronic form or by means of an electronic record, such contract shall not be deemed to be
unenforceable solely on the ground that such electronic form or means was used for that
purpose.”

It is suggested that while India does have an inspiring vision of where e-governance is going,
there is a gap between service delivery and reality in that country. The challenge of e-
governance in India lies in providing the service to about a billion people. At the moment,
India is ranked 87th in the global e-government readiness ranking of 2005 (CIOL, 2006),
which indicates significant room for improvement. Research has indicated that the three
Indian states leading in e-governance provision are Andhra Pradesh, Karnataka and Tamil
Nadu, while the states of Kerala, Gujarat, Maharashtra, Madhya Pradesh, West Bengal and
Rajasthan are not far behind (NASSCOM, 2003).
Five successful e-governance projects in India are Gyandoot (state of Madhya Pradesh),
Akshaya (state of Kerala), Bhoomi (state of Karnataka), eSeva (state of Andhra Pradesh) and
HP-Kuppam (state of Andhra Pradesh).28

3.5.2 THE OTHER DEFINITIONS

e-Government (short for electronic government, also known as e-gov, digital government,
online government, or connected government) is digital interaction between a government
and citizens (G2C), government and businesses (G2B), and between government agencies
(G2G). This digital interaction consists of governance, information and communication
technology (ICT), business process re-engineering (BPR), and e-citizen at all levels of
government (city, state/province, national, and international).

28 http://www.icmrindia.org/casestudies/catalogue/Innovation/BREP008.htm as accessed on 11.01.11

Essentially, the term e-Government, also known as Digital Government, refers to how
government utilizes IT, ICT and other telecommunication technologies to enhance
efficiency and effectiveness in the public sector.29

Electronic Governance is the application of Information Technology to the processes of
Government functioning to bring about

• Simple
• Moral
• Accountable
• Responsive and
• Transparent Governance.30

The uses and benefits for electronic governance in India include that GS1 numbers can be
used for unambiguous and unique identification of companies in Government - company
interface for electronic governance. Government monitoring and enforcement agencies like
State excise, Health, Commercial taxes, etc. can uniquely identify companies for streamlined
interaction. This also helps speed up Government processes and procedures resulting in
streamlined Government - Industry interface across all Government departments.31

3.5.3 LAW IN OTHER COUNTRIES

The GIAS project in Cambodia introduced the Electronic Approval System that provided the
Government personnel the tool to work smarter, not harder, and to better serve the public.
The EAS allowed documents to be sent, approved, stored and retrieved electronically. Again,
the EAS focused on good governance.32

The U.S. States E-Governance Survey assessed the practice of digital governance in states
across the United States by evaluating their websites and ranking them on a national scale.
Simply stated, digital governance includes both digital government (delivery of public
service) and digital democracy (citizen participation in governance). Specifically, the authors
analyzed security, usability, and content of websites; the type of online services currently
being offered; and citizen response and participation through websites established by state
governments.33

Many countries are currently developing digital identification schemes and are designing
new databases to collate multiple sources of government information about citizens. The
Council of Europe adopted a recommendation on e-governance on 15 December 2004. The
Council recommends that member states "Work together with the appropriate
international, national, regional and local stakeholders, to develop a shared vision of
e-governance that upholds human rights, democracy and the rule of law." Member states
should use e-governance to strengthen democratic institutions at all levels and make them
more accessible, transparent, accountable and responsive. E-governance is not one-sided,
but should provide opportunities for all to participate in the process of decision-making.
Finally member states should use information and communication technologies to "improve
public administration and services by making them more accessible, user-centred,
transparent, efficient and cost-effective, thus contributing to the economic and cultural
vitality of society."34

29 http://en.wikipedia.org/wiki/E-Government as accessed on 11.01.11
30 http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN010009.pdf as accessed on
12.01.11
31 http://www.gs1india.org/APLA/govern.htm as accessed on 12.01.11
32 http://www.apdip.net/projects/e-government/capblg/casestudies/Cambodia.pdf as accessed on
11.01.11
33 U.S. States E-Governance Survey (2008) - An Assessment of State Websites
http://www.epractice.eu/en/library/292956 as accessed on 12.01.11

3.6 ATTRIBUTION, ACKNOWLEDGEMENT AND DESPATCH OF ELECTRONIC RECORDS

3.6.1 THE INDIAN LAW

Chapter IV of the Act deals with attribution, receipt and dispatch of electronic records.
‘Attribution’ means ‘to consider it to be written or made by someone’. Hence, this section
lays down how an electronic record is to be attributed to the person who originated it. This
is given in section 11. As per ITAA 2008, Section 11 is as follows:

Section 11 Attribution of Electronic Records:

“An electronic record shall be attributed to the originator
(a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the originator in respect of that
electronic record; or
(c) by an information system programmed by or on behalf of the originator to operate
automatically.”

Section 12 provides for the manner in which acknowledgement of receipt of an electronic
record by various modes shall be made. As per ITAA 2008, Section 12 is given as under:

Section 12 Acknowledgement of Receipt (Modified by ITAA 2008):

“(1) Where the originator has not stipulated that the acknowledgment of receipt of
electronic record be given in a particular form or by a particular method, an
acknowledgment may be given by -
(a) any communication by the addressee, automated or otherwise; or
(b) any conduct of the addressee, sufficient to indicate to the originator that the electronic
record has been received.
(2) Where the originator has stipulated that the electronic record shall be binding only on
receipt of an acknowledgment of such electronic record by him, then unless
acknowledgment has been so received, the electronic record shall be deemed to have been
never sent by the originator.
(3) Where the originator has not stipulated that the electronic record shall be binding only
on receipt of such acknowledgment, and the acknowledgment has not been received by the
originator within the time specified or agreed or, if no time has been specified or agreed to
within a reasonable time, then the originator may give notice to the addressee stating that
no acknowledgment has been received by him and specifying a reasonable time by which the
acknowledgment must be received by him and if no acknowledgment is received within the
aforesaid time limit he may after giving notice to the addressee, treat the electronic record
as though it has never been sent.”

34 Council of Europe Outlines e-governance strategy, 30th December, 2004; Recommendation of the
Committee of Ministers to member states on electronic governance (15.12.2004)
http://www.edri.org/edrigram/number2.25/egovernance as accessed on 12.01.11

Section 13 provides for the manner in which the time and place of despatch and receipt of
electronic record sent by the originator shall be identified. It is provided that in general, an
electronic record is deemed to be despatched at the place where the originator has his
place of business and received where the addressee has his place of business. As per ITAA
2008, Section 13 is as follows:

Section 13: Time and place of despatch and receipt of electronic record:
“(1) Save as otherwise agreed to between the originator and the addressee, the dispatch of
an electronic record occurs when it enters a computer resource outside the control of the
originator.
(2) Save as otherwise agreed between the originator and the addressee, the time of receipt
of an electronic record shall be determined as follows, namely -
(a) if the addressee has designated a computer resource for the purpose of receiving
electronic records
(i) receipt occurs at the time when the electronic record enters the designated computer
resource; or
(ii) if the electronic record is sent to a computer resource of the addressee that is not the
designated computer resource, receipt occurs at the time when the electronic record is
retrieved by the addressee;
(b) if the addressee has not designated a computer resource along with specified timings, if
any, receipt occurs when the electronic record enters the computer resource of the
addressee.
(3) Save as otherwise agreed between the originator and the addressee, an electronic record
is deemed to be dispatched at the place where the originator has his place of business, and
is deemed to be received at the place where the addressee has his place of business.
(4) The provisions of sub-section (2) shall apply notwithstanding that the place where the
computer resource is located may be different from the place where the electronic record is
deemed to have been received under sub-section (3).
(5) For the purposes of this section -
(a) if the originator or the addressee has more than one place of business, the principal place
of business shall be the place of business;
(b) if the originator or the addressee does not have a place of business, his usual place of
residence shall be deemed to be the place of business;
(c) "Usual Place of Residence", in relation to a body corporate, means the place where it is
registered.”

3.6.2 OTHER DEFINITIONS

If any electronic record was sent by the originator himself or by a person who had the
authority to act on behalf of the originator or by an information system programmed by or
on behalf of the originator to operate automatically, then the electronic record shall be
attributed to the originator.35

3.6.3 LAW IN OTHER COUNTRIES

Section 9(a) of the Uniform Electronic Transactions Act (U.S) states that an electronic record
or electronic signature is attributable to a person if it was the act of the person. The act of
the person may be shown in any manner, including a showing of the efficacy of any security
procedure applied to determine the person to which the electronic record or electronic
signature was attributable.36
A presumption of attribution of electronic signatures to a particular signatory could be
established through publication of the statement in an official gazette or in a document
recognized as “authentic” by public authorities.37

An electronic record or electronic signature is attributable to a person if it was the act of the
person. The act of the person may be shown in any manner, including a showing of the
efficacy of any security procedure applied to determine the person to whom the electronic
record or electronic signature was attributable.38

Part IV of the Electronic Transactions Act, 2001 (Act 8 of 2001), in its sections 10, 11 and
12, states the law in exactly the same way as sections 11, 12 and 13 of this Act. Section 11 of
the Electronic Transactions Act states that:

(1) Where the originator has not agreed with the addressee that the acknowledgment be in a
particular form or by a particular method, an acknowledgment may be given by
(a) Any communication by the addressee, automated or otherwise; or
(b) any conduct of the addressee, sufficient to indicate to the originator that the electronic
record has been received.
(2) Where the originator has stipulated that the electronic record shall be binding only on
receipt of an acknowledgment of such electronic record by him, then unless
acknowledgment has been so received, the electronic record shall be deemed not to have
been sent by the originator.
(3) Where the originator has not stipulated that the electronic record shall be binding only
on receipt of such acknowledgment, and the acknowledgment has not been received by the
originator within the time specified or agreed or, if no time has been specified or agreed,
within a reasonable time, then the originator may give notice to the addressee stating that
no acknowledgment has been received by him and specifying a reasonable time by which the
acknowledgment must be received by him and if no acknowledgment is received within the
aforesaid time limit he may after giving notice to the addressee, treat the electronic record
as though it has never been sent.39

35 http://itactindia.com/Attribution%20of%20electronic%20records.html as accessed on 13.01.11
36 http://en.wikipedia.org/wiki/Uniform_Electronic_Transactions_Act as accessed on 12.01.11
37 http://www.uncitral.org/pdf/english/texts/electcom/08-55698_Ebook.pdf as accessed on 12.01.11
38 http://touchngo.com/lglcntr/akstats/Statutes/Title09/Chapter80/Section060.htm as accessed on
13.01.11

3.7 SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES

3.7.1 THE INDIAN LAW

Chapter V sets out the conditions that would apply to qualify electronic records and digital
signatures as being secure. It contains sections 14 to 16.

Section 14 provides that where any security procedure has been applied to an electronic record
at a specific point of time, then such record shall be deemed to be a secure electronic
record from such point of time to the time of verification. In ITAA 2008, Section 14 is given
as follows:

Section 14 Secure Electronic Record:
“Where any security procedure has been applied to an electronic record at a specific point of
time, then such record shall be deemed to be a secure electronic record from such point of
time to the time of verification.”

Section 15 provides for the security procedure to be applied to Digital Signatures for being
treated as a secure digital signature. In ITAA 2008, Section 15 is given as under:

[Section 15] Secure Electronic Signature (Substituted vide ITAA 2008):
“An electronic signature shall be deemed to be a secure electronic signature if-
• the signature creation data, at the time of affixing signature, was under the exclusive
control of signatory and no other person; and
• the signature creation data was stored and affixed in such exclusive manner as may
be prescribed
Explanation- In case of digital signature, the "signature creation data" means the private key
of the subscriber.”

Section 16 provides for the power of the Central Government to prescribe the security
procedure in respect of secure electronic records and secure digital signatures. In doing so,
the Central Government shall take into account various factors like nature of the
transaction, level of sophistication of the technological capacity of the parties, availability
and cost of alternative procedures, volume of similar transactions entered into by other
parties etc. As per
ITAA 2008, Section 16 is given as follows:

Section 16 Security procedures and Practices (Amended vide ITAA 2008):
“The Central Government may for the purposes of sections 14 and 15 prescribe the security
procedures and practices.
Provided that in prescribing such security procedures and practices, the Central Government
shall have regard to the commercial circumstances, nature of transactions and such other
related factors as it may consider appropriate.”

39 http://alteroffshore.com/Electronic.Transactions/Electronic.Records/ as accessed on 14.01.11

3.7.2 OTHER DEFINITIONS

A secure electronic signature is an electronic signature that:

(a) is unique to the person making the signature;
(b) the technology or process used to make the signature is under the sole control of the
person making the signature;
(c) the technology or process can be used to identify the person using the technology or
process; and
(d) the electronic signature can be linked with an electronic document in such a way
that it can be used to determine whether the electronic document has been changed
since the electronic signature was incorporated in, attached to or associated with
the electronic document.40

3.7.3 LAW IN OTHER COUNTRIES

Section 17 of the Electronic Transactions Act, 2010 states that

17. —(1) If a specified security procedure, or a commercially reasonable security procedure
agreed to by the parties involved, has been properly applied to an electronic record to verify
that the electronic record has not been altered since a specific point in time, such record
shall be treated as a secure electronic record from such specific point in time to the time of
verification.
(2) For the purposes of this section and section 18, whether a security procedure is
commercially reasonable shall be determined having regard to the purposes of the
procedure and the commercial circumstances at the time the procedure was used, including
(a) the nature of the transaction;
(b) the sophistication of the parties;
(c) the volume of similar transactions engaged in by either or all parties;
(d) the availability of alternatives offered to but rejected by any party;
(e) the cost of alternative procedures; and
(f) the procedures in general use for similar types of transactions.
It defines a secure electronic signature as follows:
18. —(1) If, through the application of a specified security procedure, or a commercially
reasonable security procedure agreed to by the parties involved, it can be verified that an
electronic signature was, at the time it was made —
(a) unique to the person using it;
(b) capable of identifying such person;
(c) created in a manner or using a means under the sole control of the person using it; and
(d) linked to the electronic record to which it relates in a manner such that if the record was
changed the electronic signature would be invalidated,
such signature shall be treated as a secure electronic signature.
(2) Whether a security procedure is commercially reasonable shall be determined in
accordance with section 17(2).41

40 http://en.wikipedia.org/wiki/Electronic_signature as accessed on 15.01.11 ; Personal Information
Protection and Electronic Documents Act (abbreviated PIPEDA or PIPED Act), 2000 , Canada.

As per the Secure Electronic Signature Regulations, 2005, Canada "secure electronic
signature" in respect of data contained in an electronic document is a digital signature that
results from completion of the following consecutive operations:

(a) application of the hash function to the data to generate a message digest;
(b) application of a private key to encrypt the message digest;
(c) incorporation in, attachment to, or association with the electronic document of the
encrypted message digest;
(d) transmission of the electronic document and encrypted message digest together with
either
(i) a digital signature certificate, or
(ii) a means of access to a digital signature certificate; and
(e) after receipt of the electronic document, the encrypted message digest and the digital
signature certificate or the means of access to the digital signature certificate,
(i) application of the public key contained in the digital signature certificate to decrypt the
encrypted message digest and produce the message digest referred to in paragraph (a),
(ii) application of the hash function to the data contained in the electronic document to
generate a new message digest,
(iii) verification that, on comparison, the message digests referred to in paragraph (a) and
subparagraph (ii) are identical, and
(iv) verification that the digital signature certificate is valid in accordance with section 3.42
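
The consecutive operations (a) to (e) listed above, carried through as an added example; it is not code from the regulations or from this module. It assumes RSA with SHA-256 and PKCS #1 v1.5 digest encoding, written with the Python standard library only so that it runs offline; the `Certificate` class, its validity window and its `revoked` flag are constructed stand-ins for step (e)(iv), because the page does not reproduce section 3 of the regulations.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# DER header of the SHA-256 DigestInfo structure (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        # Top two bits set so the product of two primes has exactly 2*bits bits.
        c = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=2048, e=65537):
    """Return (private_key, public_key) as ((n, d), (n, e))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, pow(e, -1, phi)), (p * q, e)


def _encode_digest(digest, em_len):
    """EMSA-PKCS1-v1_5 layout: 00 01 FF..FF 00 || DigestInfo(digest)."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


@dataclass
class Certificate:
    """Constructed stand-in for a digital signature certificate."""
    subject: str
    public_key: tuple      # (n, e)
    not_before: datetime
    not_after: datetime
    revoked: bool = False


def sign(data, private_key):
    """Steps (a) and (b): hash the data, then apply the private key."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    digest = hashlib.sha256(data).digest()                      # (a)
    em = int.from_bytes(_encode_digest(digest, k), "big")
    return pow(em, d, n).to_bytes(k, "big")                     # (b)


def verify(data, signature, cert, at):
    """Step (e): recover the digest, recompute it, compare, check the certificate."""
    n, e = cert.public_key
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")                 # (e)(i)
    expected = _encode_digest(hashlib.sha256(data).digest(), k)  # (e)(ii)
    # (e)(iii): compare the whole encoded block instead of parsing the
    # recovered bytes, so malformed padding can never be accepted.
    digests_match = recovered == expected
    # (e)(iv): assumed validity rule (inside the window and not revoked).
    cert_ok = (not cert.revoked) and cert.not_before <= at <= cert.not_after
    return digests_match and cert_ok


if __name__ == "__main__":
    private_key, public_key = generate_keypair()
    cert = Certificate("Constructed Subscriber", public_key,
                       datetime(2024, 1, 1, tzinfo=timezone.utc),
                       datetime(2025, 1, 1, tzinfo=timezone.utc))
    document = b"Constructed electronic document"
    signature = sign(document, private_key)    # (c), (d): sent with document and cert
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("original :", verify(document, signature, cert, now))
    print("tampered :", verify(document + b"!", signature, cert, now))
```

Both halves of step (e) must pass: a signature that matches the data is still rejected when the certificate is outside its validity window or revoked.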

3.8 ELECTRONIC SIGNATURE CERTIFICATES

Chapter VII of the IT Act, 2000 deals with the Electronic Signature Certificates. An Electronic
Signature Certificate (ESC) is an important instrument of trust. Before the Amendment of
2008, the term Digital Signature Certificate was used in place of the present term.

The Chapter-VII deals with the issues pertaining to the ESC. The ambit and scope of the
present chapter takes into consideration the following issues:

1. Issuance of the ESC;
2. Suspension of ESC; and
3. Revocation of ESC.

41 http://statutes.agc.gov.sg/non_version/cgi-bin/cgi_legdisp.pl?actno=2010-ACT-16-N&doctitle=ELECTRONIC%20TRANSACTIONS%20ACT%202010%0A&date=latest&method=part&sl=1 as accessed on 17.01.11
42 http://www.orisys.com/infocenter/article_26.shtml as accessed on 19.01.11

3.8.1 DEFINITION OF THE ESC

Under Section 2(1)(tb) of the Information Technology Act, 2000, the term “Electronic Signature
Certificate” means “an Electronic Signature Certificate issued under section 35 and includes
Digital Signature Certificate”. In the Electronic Transactions Act, 2001 of Thailand, it has been
defined as “a data message or other record confirming the link between a signatory and
signature creation data” [under Section 4]. Article 2(9) of Directive 1999/93/EC of the
European Parliament and of the Council defines it as “an electronic attestation which links
signature-verification data to a person and confirms the identity of that person”.

A simple definition of the term has been provided under Electronic Transactions Law, 2004
of the Union of Myanmar. In this Act, the term has been defined as “the certificate issued to
a subscriber by the certification authority as an electronic data message or other record
identifying the relation between the signer of an electronic signature and the electronic
data message” [under Section 2(h)].

Analyzing the statutory definition provided under the IT Act, an Electronic Signature
Certificate refers to the electronic signature certificate issued under section 35 of the Act. It
also includes Digital Signature Certificate, as issued by the Certifying Authority as per the
procedure prescribed by the Central Government. The definition was inserted in the Act as
an effect of the amendment of the year 2008. In the IT Act, 2000, both the terms, ‘digital
signature certificates’ and ‘electronic signature certificates’ have been defined. In some of
the legislations the definition of the term ‘certificate’ connotes the same meaning.

3.8.2 ISSUANCE OF ELECTRONIC SIGNATURE CERTIFICATES (ESC)

Section 35 covers issuance of the ESC by the Certifying Authority. The relevant provision of
the IT Act says that:

(1) Any person may make an application to the Certifying Authority for the issue of Electronic
Signature Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five
thousand rupees as may be prescribed by the Central Government, to be paid to the
Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be prescribed
for different classes of applicants.
(3) Every such application shall be accompanied by a certification practice statement or
where there is no such statement, a statement containing such particulars, as may be
specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may, after
consideration of the certification practice statement or the other statement under sub-
section (3) and after making such enquiries as it may deem fit, grant the Electronic Signature
Certificate or for reasons to be recorded in writing, reject the application:
Provided that no application shall be rejected unless the applicant has been given a
reasonable opportunity of showing cause against the proposed rejection.

Subsection (1) of this section says that any person can make an application to the Certifying
Authority for the issue of Electronic Signature Certificate. The form that has been prescribed
by the Central Government is provided under Schedule IV of the Information Technology
(Certifying Authorities) Rules, 2000.

Subsection (2) lays down the provision as to payment of the fees to the Certifying Authority,
prescribed by the Central Government, which should not exceed twenty five thousand
rupees. Further, Rule 30 of the Information Technology (Certifying Authorities) Rules,
2000 says that the Certifying Authority shall charge such fee for the issue of Digital Signature
Certificate as may be prescribed by the Central Government under this subsection. As per
the proviso to the subsection, the Central Government can prescribe different fees for
different classes of applicants.

The application shall be submitted along with a certification practice statement or, where
there is no such statement, a statement containing such particulars as may be specified by
regulations. After receiving the application, considering the certification practice
statement or the other statement under sub-section (3), and making such enquiries as it may
deem fit, the Certifying Authority may grant the Electronic Signature Certificate or reject
the application. In case it rejects the application, it has to record the reasons for the
rejection in writing. Further, an application can only be rejected after the applicant has been
given a reasonable opportunity to show cause against the proposed rejection.

Before the Amendment of 2008, the proviso to subsection (4) mentioned the conditions,
after the satisfaction of which, the ESC could be granted.

Under section 36 of the Act, the duty has been cast upon the Certifying Authority to make
representations upon issuance of Electronic Signature Certificate. The relevant provision of
the Act says:

A Certifying Authority while issuing a Digital Signature Certificate shall certify that –
(a) it has complied with the provisions of this Act and the rules and regulations made
thereunder;
(b) it has published the Digital Signature Certificate or otherwise made it available to such
person relying on it and the subscriber has accepted it:
(c) the subscriber holds the private key corresponding to the public key, listed in the Digital
Signature Certificate;
(ca) the subscriber holds a private key which is capable of creating a digital signature;
(cb) the public key to be listed in the certificate can be used to verify a digital signature
affixed by the private key held by the subscriber;
(d) the subscriber's public key and private key constitute a functioning key pair;
(e) the information contained in the Digital Signature Certificate is accurate; and
(f) it has no knowledge of any material fact, which if it had been included in the Digital
Signature Certificate would adversely affect the reliability of the representations in clauses
(a) to (d).

Clause (ca) was added after the amendment of the year 2008.

3.8.3 SUSPENSION OF DIGITAL SIGNATURE CERTIFICATE

Under section 37 of the Act, the Certifying Authority has the power to suspend a Digital
Signature Certificate. It says that:

1. Subject to the provisions of sub-section (2), the Certifying Authority which has issued
a Digital Signature Certificate may suspend such Digital Signature Certificate-
(a) on receipt of a request to that effect from-
(i) the subscriber listed in the Digital Signature Certificate; or
(ii) any person duly authorised to act on behalf of that subscriber;
(b) if it is of opinion that the Digital Signature Certificate should be suspended in
public interest.

2. A Digital Signature Certificate shall not be suspended for a period exceeding fifteen
days unless the subscriber has been given an opportunity of being heard in the
matter.

3. On suspension of a Digital Signature Certificate under this section, the Certifying
Authority shall communicate the same to the subscriber.

The provision says that a Certifying Authority which has issued a Digital Signature Certificate
may suspend such Digital Signature Certificate on receipt of a request to that effect from either
the subscriber listed in the Digital Signature Certificate or any person duly authorised to act
on behalf of that subscriber. It may also suspend the certificate if it forms the opinion
that the Digital Signature Certificate should be suspended in public interest. The
provision under this subsection is subject to subsection (2), which says that a Digital
Signature Certificate shall not be suspended for a period exceeding fifteen days unless the
subscriber has been given an opportunity of being heard in the matter.

Under subsection (3), a duty has been cast upon the Certifying Authority to
communicate the suspension to the subscriber after suspension of a Digital Signature
Certificate.

Under section 39 of the Act, the Certifying Authorities have to give notice of such
suspension. The relevant provision says:

(1) Where a Digital Signature Certificate is suspended or revoked under section 37 or
section 38, the Certifying Authority shall publish a notice of such suspension or
revocation, as the case may be, in the repository specified in the Digital Signature
Certificate for publication of such notice.

(2) Where one or more repositories are specified, the Certifying Authority shall publish
notices of such suspension or revocation, as the case may be, in all such repositories.

The publication of such notice of suspension shall be made in the repository specified in the
Digital Signature Certificate. Further, subsection (2) of this section says that where one or
more repositories are specified, the Certifying Authority shall publish notices of such
suspension or revocation, as the case may be, in all such repositories. The same applies to the
revocation of certificates.

3.8.4 REVOCATION OF DIGITAL SIGNATURE CERTIFICATE

Section 38 of the Act lays down the provision regarding revocation of the Digital Signature
Certificates. It says:

1. A Certifying Authority may revoke a Digital Signature Certificate issued by it—
(a) where the subscriber or any other person authorised by him makes a request
to that effect; or
(b) upon the death of the subscriber; or
(c) upon the dissolution of the firm or winding up of the company where the
subscriber is a firm or a company.

2. Subject to the provisions of sub-section (3) and without prejudice to the provisions of
sub-section (1), a Certifying Authority may revoke a Digital Signature Certificate
which has been issued by it at any time, if it is of opinion that-
(a) a material fact represented in the Digital Signature Certificate is false or has
been concealed:
(b) a requirement for issuance of the Digital Signature Certificate was not
satisfied;
(c) the Certifying Authority's private key or security system was compromised in a
manner materially affecting the Digital Signature Certificate's reliability;
(d) the subscriber has been declared insolvent or dead or where a subscriber is a
firm or a company, which has been dissolved, wound-up or otherwise ceased
to exist.

3. A Digital Signature Certificate shall not be revoked unless the subscriber has been
given an opportunity of being heard in the matter.

4. On revocation of a Digital Signature Certificate under this section, the Certifying
Authority shall communicate the same to the subscriber.

The Certifying Authority can revoke a Digital Signature Certificate issued by it in cases where

1. the subscriber or any other person authorised by him makes a request to that effect;
or
2. the death of the subscriber has occurred; or
3. in case the subscriber is a firm or a company, such firm has been dissolved or such
company has been wound up.

Subsection (2) provides further grounds for revocation of certificates, which are:

(a) Concealing a material fact or representing a false material fact in the Digital
Signature Certificate;
(b) Failure to satisfy a requirement for issuance of the Digital Signature Certificate;
(c) The Certifying Authority's private key or security system was compromised in a
manner materially affecting the Digital Signature Certificate's reliability;
(d) The subscriber has been declared insolvent or dead (or, in the case where a subscriber is a
firm or a company, it has been dissolved, wound-up or otherwise ceased to exist).

Subsection (3) says that a Digital Signature Certificate can be revoked only after
giving the subscriber an opportunity of being heard in the matter of the proposed revocation.
Further, subsection (4) casts a duty upon the Certifying Authority to communicate the
revocation of a Digital Signature Certificate to the subscriber.

The publication of such revocation has been provided for under section 39 of the Act. The
provisions for publication of the suspension of a Digital Signature Certificate and of the
revocation of a Digital Signature Certificate are the same.

