This document discusses India's Information Technology Act 2000 and its provisions related to e-governance and digital signatures. It provides legal recognition to electronic records, digital signatures, and their use in government agencies. It defines secure electronic records and digital signatures. It also outlines the duties of subscribers, such as generating key pairs, accepting digital signature certificates, and controlling private keys. The document explains what a digital signature certificate is and that certifying authorities are responsible for issuing them.
Unit III
Legal Aspect of Digital Signature And Electronic Signature
Unit III - Cyber Laws
E-Governance
• New form of governance – dynamic and exponential.
• Needs dynamic laws, keeping pace with technological advancement.
• Requires a new set of laws to redefine the old structure of governance.
• E-governance is about extending the rule of law in cyberspace.

Legal Issues Surrounding E-Governance
• Primary issue – giving legal sanctity to basic governmental functions and practices.
• The IT Act, 2000 adopted the “functional equivalent approach” in order to extend offline governmental functions and practices to the online environment.

E-Governance: Functional Equivalent Approach
Physical Governance                      E-Governance
Legal recognition to paper documents     Legal recognition to electronic records
Signatures                               Digital signatures
Publication of official gazette          Publication of electronic gazette
Chapter III of the IT Act, 2000 gives legal recognition to electronic governance.

Authentication of Electronic Records
• Subject to the provisions of section (3) of IT Act 2000, any subscriber may authenticate an electronic record by affixing his digital signature.
• The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.

Authentication of Electronic Records (Cont…)
• “Hash Function” means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "hash result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible:
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.

Authentication of Electronic Records (Cont…)
• Any person by the use of a public key of the subscriber can verify the electronic record.
• The private key and the public key are unique to the subscriber and constitute a functioning key pair.

Legal Recognition of Electronic Records
• Section (4) of IT Act 2000 gives legal recognition to e-records.
• Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, in spite of anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is—
(a) translated or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.

Legal Recognition of Digital Signatures
• Section (5) of IT Act 2000 gives legal recognition to digital signatures.
• Where any law provides that information or any other matter shall be authenticated by affixing the signature or any document shall be signed or bear the signature of any person then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied, if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government.

Use of Electronic Records and Digital Signatures in Government and Its Agencies
• Section (6) Sub Section (1) says:
• Where any law provides for—
(a) the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner;
(b) the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner;
(c) the receipt or payment of money in a particular manner,

Section 6 (1)
then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government.

Section 6 (2)
• The appropriate Government may, for the purposes of sub-section (1) of Section 6, by rules, prescribe—
(a) the manner and format in which such electronic records shall be filed, created or issued;
(b) the manner or method of payment of any fee or charges for filing, creation or issue of any electronic record under clause (a).

Secure Electronic Record
• Section 14 of the IT Act 2000 defines a secure electronic record.
• Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification.

Secure Digital Signature
• If, by application of a security procedure agreed to by the parties concerned, it can be verified that a digital signature, at the time it was affixed, was—
(a) unique to the subscriber affixing it;
(b) capable of identifying such subscriber;
(c) created in a manner or using a means under the exclusive control of the subscriber and is linked to the electronic record to which it relates in such a manner that if the electronic record was altered the digital signature would be invalidated,
then such digital signature shall be deemed to be a secure digital signature according to Section 15 of IT Act 2000.

Duties of Subscriber
• Section 40 - Generating key pair.
• Section 41 - Acceptance of Digital Signature Certificate.
• Section 42 - Control of private key.

Generating Key Pair
• Where any Digital Signature Certificate, the public key of which corresponds to the private key of that subscriber which is to be listed in the Digital Signature Certificate has been accepted by a subscriber, then, the subscriber shall generate the key pair by applying the security procedure.

Acceptance of Digital Signature Certificate
• A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorizes the publication of a Digital Signature Certificate—
(a) to one or more persons;
(b) in a repository, or otherwise demonstrates his approval of the Digital Signature Certificate in any manner.

Acceptance of Digital Signature Certificate (Cont..)
• By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that—
(a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same;
(b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true;
(c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true.

Control of Private Key
(1) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure to a person not authorized to affix the digital signature of the subscriber.
(2) If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, then, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations.

Digital Signature Certificates
• CHAPTER VII - Digital Signature Certificates
• Section 35 - Certifying Authority to issue Digital Signature Certificate.

What is Digital Signature Certificate
• Digital Signature Certificates (DSC) are the digital equivalent (that is electronic format) of physical or paper certificates.
• Examples of physical certificates are drivers' licenses, passports or membership cards.
• Certificates serve as proof of identity of an individual for a certain purpose; for example, a driver's license identifies someone who can legally drive in a particular country.
• Likewise, a digital certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally.

Certifying Authority to issue Digital Signature Certificate
1. Any person may make an application to the Certifying Authority for the issue of a Digital Signature Certificate in such form as may be prescribed by the Central Government.
2. Every such application shall be accompanied by such fee not exceeding twenty five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority:
Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants.

Certifying Authority to issue Digital Signature Certificate (Cont..)
3. Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such particulars, as may be specified by regulations.
4. On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the Digital Signature Certificate or for reasons to be recorded in writing, reject the application.

Certifying Authority to issue Digital Signature Certificate (Cont..)
• Provided that no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that—
(a) the applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate;
(b) the applicant holds a private key, which is capable of creating a digital signature;
(c) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant;
• Provided further that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.

Representations upon Issuance of Digital Signature Certificate
• Section 36 - Representations upon issuance of Digital Signature Certificate.

Representations upon Issuance of Digital Signature Certificate (Cont..)
• A Certifying Authority while issuing a Digital Signature Certificate shall certify that—
(a) it has complied with the provisions of this Act and the rules and regulations made there under;
(b) it has published the Digital Signature Certificate or otherwise made it available to such person relying on it and the subscriber has accepted it;
(c) the subscriber holds the private key corresponding to the public key, listed in the Digital Signature Certificate;
(d) the subscriber's public key and private key constitute a functioning key pair;
(e) the information contained in the Digital Signature Certificate is accurate; and
(f) it has no knowledge of any material fact, which if it had been included in the Digital Signature Certificate would adversely affect the reliability of the representations made in clauses (a) to (d).

Suspension of Digital Signature Certificate
• Section 37 - Suspension of Digital Signature Certificate.

Suspension of Digital Signature Certificate (Cont…)
(1) Subject to the provisions of sub-section (2), the Certifying Authority which has issued a Digital Signature Certificate may suspend such Digital Signature Certificate—
(a) on receipt of a request to that effect from—
(i) the subscriber listed in the Digital Signature Certificate; or
(ii) any person duly authorized to act on behalf of that subscriber;
(b) if it is of opinion that the Digital Signature Certificate should be suspended in public interest.

Suspension of Digital Signature Certificate (Cont…)
(2) A Digital Signature Certificate shall not be suspended for a period exceeding fifteen days unless the subscriber has been given an opportunity of being heard in the matter.
(3) On suspension of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

Revocation of Digital Signature Certificate
• Section 38 - Revocation of Digital Signature Certificate.

Revocation of Digital Signature Certificate
(1) A Certifying Authority may revoke a Digital Signature Certificate issued by it—
(a) where the subscriber or any other person authorized by him makes a request to that effect; or
(b) upon the death of the subscriber; or
(c) upon the dissolution of the firm or winding up of the company where the subscriber is a firm or a company.

Revocation of Digital Signature Certificate (Cont..)
(2) Subject to the provisions of sub-section (3) and without prejudice to the provisions of sub-section (1), a Certifying Authority may revoke a Digital Signature Certificate which has been issued by it at any time, if it is of opinion that—
(a) a material fact represented in the Digital Signature Certificate is false or has been concealed;
(b) a requirement for issuance of the Digital Signature Certificate was not satisfied;
(c) the Certifying Authority's private key or security system was compromised in a manner materially affecting the Digital Signature Certificate's reliability;
(d) the subscriber has been declared insolvent or dead or where a subscriber is a firm or a company, which has been dissolved, wound-up or otherwise ceased to exist.

Revocation of Digital Signature Certificate (Cont..)
(3) A Digital Signature Certificate shall not be revoked unless the subscriber has been given an opportunity of being heard in the matter.
(4) On revocation of a Digital Signature Certificate under this section, the Certifying Authority shall communicate the same to the subscriber.

Notice of Suspension or Revocation
• Section 39 - Notice of suspension or revocation.

Notice of Suspension or Revocation
(1) Where a Digital Signature Certificate is suspended or revoked under section 37 or section 38, the Certifying Authority shall publish a notice of such suspension or revocation, as the case may be, in the repository specified in the Digital Signature Certificate for publication of such notice.
(2) Where one or more repositories are specified, the Certifying Authority shall publish notices of such suspension or revocation, as the case may be, in all such repositories.

E-sign
For creating electronic signatures, the signer is required to obtain a Digital Signature Certificate (DSC) from a Certifying Authority (CA) licensed by the Controller of Certifying Authorities (CCA) under the Information Technology (IT) Act, 2000. Before a CA issues a DSC, the identity and address of the signer must be verified. The private key used for creating the electronic signature is stored in a hardware cryptographic token which is of one time use. This current scheme of in-person physical presence, paper document based identity & address verification and issuance of hardware cryptographic tokens does not scale to a billion people. For offering fully paperless citizen services, mass adoption of digital signatures is necessary. A simple to use online service is required to allow everyone to have the ability to digitally sign electronic documents.
4/24/2019 Unit III - Cyber Laws
Features of e-sign
• Easy and secure way to digitally sign information anywhere, anytime - eSign is an online service for electronic signatures without using physical cryptographic token. Application service providers use e-KYC service to authenticate signers and facilitate digital signing of documents.
• Facilitates legally valid signatures - eSign process includes signer consent, Digital Signature Certificate issuance request, Digital Signature creation and affixing as well as Digital Signature Certificate acceptance in accordance with provisions of Information Technology Act. Comprehensive digital audit trail, in-built to confirm the validity of transactions, is also preserved.
• Flexible and easy to implement - eSign provides configurable authentication options in line with e-KYC service and also records the e-KYC ID used to verify the identity of the signer. The authentication options for eKYC include biometric or OTP of the e-KYC service provider. eSign enables eSign users easy access to legally valid Digital Signature service.
• Respecting privacy - eSign ensures the privacy of the signer by requiring that only the thumbprint (hash) of the document be submitted for signature function instead of the whole document.
• Secure online service - The eSign service is governed by e-authentication guidelines. While authentication of the signer is carried out using e-KYC services, the signature on the document is carried out on a backend server of the e-Sign provider. eSign services are facilitated by trusted third party service providers - currently Certifying Authorities (CA) licensed under the IT Act. To enhance security and prevent misuse, eSign user’s private keys are created on Hardware Security Module (HSM) and destroyed immediately after one time use.
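
The following is an added example, not part of the original slides or the Act. It walks through the authentication flow described earlier (hash function plus asymmetric key pair, with alteration of the record invalidating the signature) and the eSign property that the signing side only ever receives the document hash. It assumes SHA-256 as the hash function and uses unpadded RSA with a constructed, insecure demonstration key; all function names are hypothetical.

```python
import hashlib

# Constructed demonstration key built from two publicly known Mersenne primes.
# It is NOT secure; a subscriber's real key pair is random and generated under
# the prescribed security procedure (hardware token or HSM).
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)


def hash_result(record: bytes) -> int:
    """Hash function: the same record always yields the same hash result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_signature(digest: int, d: int = D, n: int = N) -> int:
    """Signing side. It receives only the hash result, never the record,
    mirroring the eSign rule that only the document hash is submitted.
    Unpadded ("textbook") RSA is an assumption made to stay stdlib-only."""
    if not 0 <= digest < n:
        raise ValueError("hash result must be smaller than the modulus")
    return pow(digest, d, n)


def verify(record: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Relying party: recompute the hash of the record and compare it with
    the value recovered from the signature using the public key."""
    return pow(signature, e, n) == hash_result(record)


def demo() -> dict:
    record = b"Application filed by subscriber S on 2019-04-24"  # constructed
    sig = affix_signature(hash_result(record))
    altered = record.replace(b"2019", b"2018")       # one field changed
    other_n = (2**127 - 1) * (2**1279 - 1)           # some other public key
    return {
        "original_verifies": verify(record, sig),
        "altered_verifies": verify(altered, sig),
        "wrong_key_verifies": verify(record, sig, n=other_n),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Production signing uses a padded scheme such as RSA-PSS or ECDSA from a vetted library, with the private key held in a token or HSM.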

Digital Locker
• A digital locker or cyberlocker is an online file or digital media storage service. Files stored include music, videos, movies, games and other media. The term was used by Microsoft as a part of its Windows Marketplace in 2004. By storing files in a digital locker, users are able to access them anywhere they can find internet connections. Most (but not all) digital locker services require a user to register. Prices range from free to paid, and various combinations thereof.

Stakeholders of digital locker
• The three key stakeholders of the DigiLocker platform are citizens, issuers and requesters. Let’s see how these stakeholders interact with the DigiLocker:
• Citizens
  • Citizens can store or access their documents using the DigiLocker. They can store either an uploaded or issued document on the DigiLocker.
  • Uploaded document: Citizens may upload scanned copies of their important documents including the driving license, voter’s ID card (EPIC), passport, marks sheets, income tax statements, etc. They can use the DigiLocker to submit a digitally signed copy to a government agency if required by that agency. However, the agency must be registered as a requester with the DigiLocker.
  • Issued documents: These are e-documents that have been issued on the DigiLocker by a registered issuer who pushes the Uniform Resource Indicator (URI) of the e-documents to the digilockers of citizens, based on their Aadhaar numbers. These are stored in a central repository, and citizens can see and share their respective URI links.
• Issuers
  • Various government agencies are registered with DigiLocker as issuer and they can issue e-documents to citizens. These agencies include CBSE, Registrar Office, Income Tax Department, and so on. In 2016, CBSE issued the class 12th result, while NEET issued the rank letter, on DigiLocker. Also, all the CBSE results now onwards would be issued on DigiLocker. DigiLocker also provides the facility for issuers to issue legacy data but that would require Aadhaar seeding in the issuers’ legacy databases.
• Requesters
  • A requester, in the context of DigiLocker, is a government department that offers citizen services (the revenue department, a passport office or a municipality) or an organisation that requires documentation (banks, telcos, etc.).
In order to provide a government service, a government agency needs to ascertain an individual’s identity, age or nationality, for which various standard and supporting documents issued by multiple government agencies may be required. In order to provide its services, the requester can request digital versions of those documents and accept those online through the DigiLocker.