Article by Shashwat Mishra, Edited by Chinmay Jain

Digital signature for security and digitalised corporate environment


Signatures are part of our everyday life. We sign a document to register and show our consent to it, whatever issue it may concern. Most of the signatures we put on documents relate to our professional requirements, and the document we sign is usually a physical one, on paper.

But guess how signatures work in the digital world where the document becomes an electronic record and our signature becomes digital?

This article covers the relevant information one needs about digital signatures and digital signature certificates. I have tried to put it all in one place so that you need not search for any other article on the same issue.

So, let’s begin!

WHAT IS A DIGITAL SIGNATURE?

Digital signature is a computerised and encrypted signature.
Signature, but digital!


If you want to authenticate a document, you need to sign that particular document. In fact, signing is essential if you want to create a contract.

Signing a document means that we have given our consent to it. Similarly, to authenticate an electronic record one needs a digital signature, which is affixed to that electronic record. Section 2(p) of The Information and Technology Act, 2000, hereinafter referred to as the “Act”, defines digital signature.

As per Section 3 of the Act, authentication by means of a digital signature is carried out using an asymmetric cryptosystem and a hash function.

In simpler terms, creating a digital signature involves an algorithm that maps the electronic record to a hash result.

The pattern is that every time the algorithm is run on the same input, it produces the same hash result.

Now, the purpose of this cryptosystem and “hash function” is to create a unique identity of a digital signature.

But first, what is a hash function?

Hash functions take a potentially long message as the input and generate a unique output value from the content. Since hashing is a one-way function, no one can reverse it to see the original input.

The person who is issued this signature is also granted a public key as well as a private key for that particular electronic record. Anybody who has subscribed for the public key of that electronic record can view it, while the private key stays with the original user.
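
The hash-then-sign flow described above, as an added example that is not part of the original article: a toy RSA key pair built from two fixed Mersenne primes (an assumption, so that it runs with the Python standard library alone) signs the SHA-256 hash result of a constructed record, and the check with the public key fails once the record or the signature is changed. Textbook RSA without padding is used purely for illustration; all function and constant names are hypothetical.

```python
import hashlib

# Constructed toy key pair: two Mersenne primes, chosen only so the example
# runs offline. Real keys use random primes and a padded scheme (e.g. RSA-PSS).
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                             # public modulus
E = 65537                             # public exponent (goes in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (stays with the subscriber)


def hash_result(record: bytes) -> int:
    """SHA-256 of the electronic record as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Subscriber side: transform the hash result with the private key."""
    return pow(hash_result(record), private_exponent, modulus)


def verify(record: bytes, signature: int,
           public_exponent: int = E, modulus: int = N) -> bool:
    """Relying-party side: recover the signed hash with the public key and
    compare it with a freshly computed hash of the record received."""
    return pow(signature, public_exponent, modulus) == hash_result(record)


def demo() -> dict:
    record = b"Board resolution no. 7: approve annual return"     # constructed sample
    tampered = b"Board resolution no. 7: approve annual returns"  # one byte added
    sig = sign(record)
    return {
        "same_hash_each_time": hash_result(record) == hash_result(record),
        "original_verifies": verify(record, sig),
        "tampered_verifies": verify(tampered, sig),
        "altered_sig_verifies": verify(record, sig + 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```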

DIGITAL SIGNATURE WHEN SECURE

As per the IT Act, a digital signature is said to be a secure digital signature when it complies with the following conditions:
  1. The digital signature has a cryptographic module in it which is used to create the key pair, i.e. the public key and the private key.
  2. The private key that is used to create the digital signature is kept secure in a smart card or any other hardware, meaning a safe space.
  3. The hash result, when taken from a host system used to create the digital signature, is returned to the host system. To simplify: as I mentioned in the introduction, a digital signature is generated through a hash function, and that hash function belongs to the host, meaning the original user of the digital signature. Once that hash has been used to create a digital signature, the signature should be returned to its original user to avoid privacy infringement.
  4. The information stored in the smart card is solely under the control of the person who has created a digital signature.
  5. The digital signature can be verified with the public key mentioned in the digital signature certificate.
  6. The entire process of obtaining a digital signature complies with the rules mentioned in the IT Act, 2000.

A digital signature certificate is nothing but an authorization given by the certifying authority that a particular digital signature belongs to the original user who has applied for a certificate.

It has a few more conditions attached to it, which are listed below:
  1. It has to comply with the provisions of the IT Act and the rules and regulations made under the Act.
  2. The applicant holds the private key which is in correspondence with the public key mentioned in the digital signature certificate.
  3. The private key which the applicant holds should be competent to create a digital signature.
  4. The public key which is listed in the certificate can be used by the certifying authority (CA) to verify the digital signature which is affixed by the applicant with the help of the private key.
  5. It has published the digital signature certificate or otherwise made it available to the applicant relying on it and the same has been accepted by the applicant.
  6. The subscriber’s public and private key constitute a pair.
  7. The information entered in the digital signature certificate is accurate.
  8. The certifying authority (CA) has no knowledge of any material fact which, if it had been included in the digital signature certificate, would violate any of the provisions mentioned in clauses (a) to (d) under section 36 of the IT Act.

WHY DO I NEED A DIGITAL SIGNATURE CERTIFICATE?

Corporate individuals require digital signatures for all their daily needs.


I assume that since you started reading this article, the most recurring question in your mind has been why you need a digital signature certificate in the first place. I have answered the “why” question in the points below:

  • Saves time and reduces the cost
Digital signatures can be used by you anywhere, anytime and won’t add up on cost or time. You can use digital signatures remotely which is a great time-saver.
  • Data security
Documents that are signed digitally cannot be altered or tampered with after they are signed. This negates the chances of privacy infringement and, in the case of a stock trading company, eliminates the chances of insider trading. Digital signatures thus ensure the safety and security of data.
  • Statutory compliance
At present, a lot of laws mandate the use of digital signatures. The most common example is corporations, or even individuals, who want their financial statements audited: they must file their income tax return using a digital signature. Another example is a company that wants to get registered under the GST Act: it can be registered only by verifying the GST application with a digital signature, which is a must.

Also if an individual wants to start a partnership under the LLP act (Limited Liability Partnership Act, 2008) then the first step to register for it is to obtain a digital signature certificate (DSC) without which you can’t get your partnership registered under the LLP act. The same rule applies if you want to start a company or NBFC business.
  • Monetary transactions
Sometimes the receipt and payment of money are to be done by using a digital signature, so it becomes very important to have a digital signature to execute those transactions.

COST OF OBTAINING A DIGITAL SIGNATURE CERTIFICATE

Any person who applies for a digital signature certificate shall not pay more than twenty-five thousand rupees to the certifying authority (CA). The fee charged should also differ depending on the class of the applicant.

CLASSES OF DIGITAL SIGNATURE CERTIFICATES

Certifying authorities have been granted a license to issue a digital signature certificate under section 24 of the IT Act. One can procure class I, II and class III certificates from certifying authorities like National Informatics Centre (NIC), IDRBT certifying authority, safescrypt, code solutions, e-mudhra, CDAC, NSDL, Capricorn, Verasys.

CLASS I Digital Signature Certificate     

This certificate is issued for individuals and business entities. This certificate ensures that the information provided by them in the application matches with the information entered in the customer databases. The verification requirements for this type of digital signature certificate (DSC) are DSC application form, Aadhar, E-KYC, and other relevant documents.  

CLASS II Digital Signature Certificate     

These are issued to the directors of the company for e-filing with the Registrar of Companies (ROC). 

The difference between class I and class II is that class II certificates are issued to businesses which have lesser risk related to the transactional value and other data. So this certificate is issued to those whose data is less sensitive and requires less security.

The documents required for this type of certificate are similar to what is mentioned for the class I certificate.

CLASS III Digital Signature Certificate     

These certificates are used on various platforms where bidding takes place in auctions or tenders held on online platforms. 

The requirements of the documents are the same as mentioned for the Class I and Class II certificates.

PROFESSIONALS WHO REQUIRE DIGITAL SIGNATURE CERTIFICATE

Under the guidelines issued by the Ministry of Corporate Affairs, every authorized signatory of a company, and also the professionals in those companies who sign documents and file returns with the Registrar of Companies (ROC), are required to obtain a digital signature certificate (DSC).

Therefore, individuals who require a DSC include directors, CAs, auditors, company secretaries (whether in-house or practising independently) and banking personnel.

SUSPENSION AND REVOCATION OF DIGITAL SIGNATURE CERTIFICATES

The certifying authority (CA) is fully authorized to suspend the digital signature certificate on receipt of a request from either the subscriber of that certificate or any person authorized to act on behalf of the subscriber if it believes that the digital signature certificate should be suspended in public interest. 

The CA is under the obligation to communicate the same with the subscriber. However, a digital signature certificate shall not be suspended for more than fifteen days unless the subscriber has been given an opportunity to be heard in the matter.

The certifying authority (CA) can revoke the digital signature certificate in two situations. The first is where he receives information either from the subscriber or from any other person authorized by the subscriber to act on his behalf, or in the case of the death of the subscriber, or in case of dissolution of the firm or winding up of the company when the subscriber is either a firm or a company.

The second category of revocations includes that if the certifying authority (CA) finds any of the following issues, then he may revoke the digital signature certificate:-
  1. Any important fact mentioned in the certificate is either false or concealed.
  2. There was a requirement for the issuance of the digital signature certificate which was not satisfied.
  3. The certifying authority’s private key was compromised in a manner which affected the reliability of the digital signature certificate.
  4. The subscriber has been declared insolvent or dead or, if the subscriber is a firm or a company, it has been wound up or dissolved or has ceased to exist.

The revocation should be done by the CA communicating the same to the subscriber, and the subscriber should be given the right to be heard.

OFFENCES RELATED TO DIGITAL SIGNATURE CERTIFICATE

There are certain offences related to the digital signature certificate which have been addressed in the following sections of the IT Act:-

Section 71 – Penalty for Misrepresentation

Whoever misrepresents or conceals any material fact from the certifying authority (CA) to obtain the digital signature certificate shall be punished with imprisonment which may extend to two years depending upon the case, or with fine which may extend to one lakh rupees, or with both.

Misrepresentation here means that hiding any fact, even without the intention of hiding it, would still attract the punishments mentioned under this section.

Section 72 – Penalty for breach of confidentiality and privacy

If any person in pursuance of the power conferred under this Act has secured access to any electronic record, book, register, correspondence, information, document or any other material and without the consent of the concerned person discloses the same information to any third party, the person shall be punished with imprisonment which may extend to two years or fine which shall be a maximum of rupees one lakh or both.

Section 72A – Punishment for disclosure of information in breach of lawful contract

Any person, who may be an intermediary, who while acting in accordance with a lawful contract has access to personal information about another person and discloses the same to any other person, with the intention or knowledge that it may harm the other person, is liable under this section and shall be punished with imprisonment which may extend to three years or with fine which may extend to five lakh rupees or both.

Section 73 – Penalty for publishing electronic signature certificate false in certain matters

No person shall publish a digital signature certificate or make it available to any other person while having complete knowledge that the Certifying Authority listed in the certificate has not issued it, or the subscriber listed in the certificate has not accepted it, or the certificate has been revoked or suspended, unless such publication was to verify the digital signature certificate before the revocation or suspension.

Any person who contravenes this provision shall be punished with an imprisonment of two years or fine of one lakh rupees or both.

Section 74 – Publication for fraudulent purposes

Whoever knowingly creates, publishes or otherwise makes available a digital signature certificate to any other person for any unlawful or fraudulent purpose shall be punished with imprisonment which may extend to two years or a fine which may extend to one lakh rupees or both.

So these were the offences related exclusively to digital signature certificates. The punishments stated under these provisions are stringent and are listed with the aim of ensuring the safety and security of electronic data.

WRAPPING IT UP

In conclusion, I would like to state that digital signatures and certificates are of utmost importance in the corporate world, especially now that certain acts mandate their use, including the circulars of the Ministry of Corporate Affairs which mandate the use of a digital signature.

Digital signatures have made processes in a company easier, as a person need not be physically present to carry on a financial transaction. The other affairs of companies can also now be managed easily with the help of a digital signature.

Digital signature ensures safety and security of data of the companies and also the financial transactions which are carried on by these entities. 

Now an electronic record cannot be altered or forged by any third party and any such effort would go in vain as digital signature has a private key which is with the original subscriber and the public key which is mentioned in the digital signature certificate can be used to verify the signature as to whether the signature belongs to a particular individual or not.

This has brought great transparency to corporate dealings, wherein companies need not worry about their important transactions and data.

SUGGESTIONS FOR IMPROVEMENT

But, there is always room for improvement. 

First is the user design. There have been issues regarding the signature not working in some applications or systems.

Therefore, this aspect needs to be improved.

The signature should be made in a way which is flexible with any application on the web. 

Signature services should be compatible with multiple devices. At times, there is a lack of integration between the digital signature and the client’s application because of which there is a problem in the exchange of documents, emails etc.

The user has to carry the private key with himself which is either stored in the smart card or in the personal computer of the user. When a smart card is not in sync with the user’s PC, certain viruses or malware could attack the system and would sign in without the user’s permission which results in unauthorized access to the user’s sensitive information.

Digital signature services should be made more cost-effective so that more and more people can access this function. Digital signatures have a very important role to play without which one cannot think of a digitized economy. 

That’s all. Hope you liked the piece. If you did, do give it a share and if you have any questions, leave it down below in the comments and I will get back to you.

Author Bio: Shashwat Mishra is a BBA LL.B (Hons.) student at Kirit P Mehta school of law NMIMS, Mumbai and an intern at WinSavvy. Connect with him on LinkedIn.

Editor Bio: Chinmay Jain is a BA,LLB student from Institute of Law, Nirma University and an intern at WinSavvy. Connect with him on LinkedIn.