India adopted a PKI based system of authentication of electronic documents through the Information Technology Act 2000 (ITA 2000). Subsequently the office of Controller of Certifying Authorities (CCA) was set up which licensed several Certifying Authorities (CA) and notified relevant technology and procedures. With the push given by the Ministry of Company Affairs (MCA) and the Income Tax (IT) departments making use of digital signatures mandatory in certain respects, more than a million digital signature customers have been created in India.

These million-plus digital signature certificate holders are “Consumers” under the Consumer Protection Act, and there is a need to ensure that these “Law Compliant Netizens” are adequately supported by the regulatory system.

The one organization which is rightly placed to initiate action on “Protecting the Interest of Digital Certificate Holders in India” is the Controller of Certifying Authorities (CCA). Presently the CCA is restricting itself to the duties associated with the licensing of CAs. This is a once-in-five-years exercise for the 8 licensed CAs, with some monitoring work in between. The ITA 2000 envisaged maintenance of an online revocation list and a repository as a responsibility of the CCA. Though the CCA has recently floated an EOI in this regard, the amendments to ITA 2000 (ITA 2008) have already shifted the liability to maintain the real-time revocation list and repository to the individual CAs. The undersigned feels that despite this legal sanction, the CCA should continue to maintain the revocation list and repository, since they have statutory significance.

Additionally, the undersigned has been bringing to the notice of the authorities that some of the digital signature systems issued by the licensed CAs are not universally compatible with all applications. Some are compatible only with the MCA application, making them useful only for the once-a-year signing of the return. If these had also been compatible with e-mail clients, holders of these certificates could use them throughout the year.

Some CAs are issuing Certificates which are compatible only with Windows XP and not Windows Vista.

Most CAs have consumer-unfriendly procedures regarding revocation and re-issue of certificates.

Recently, I came across a case where a certificate from Safescrypt had been issued to a customer using his @yahoo.com e-mail address. Now this certificate cannot be used for e-mail signing unless the person subscribes to a premium version of Yahoo mail. When queried whether the e-mail address can be changed to a Gmail address, which can be operated with POP access, the service provider insists that a new certificate has to be obtained. This is legally untenable, since the certificate is issued to the individual and the e-mail address is only one of the reference parameters, which the user must have the option to change if required.

In another incident, I came across a certificate issued by TCS where the e-mail address noted in the certificate belongs to the agent of the CA and not to the certificate holder. This indicates that the certificate was downloaded by the agent and is therefore void ab initio. Use of this certificate also makes the user contravene Section 73 of ITA 2000 and makes him punishable with imprisonment of 2 years. If this has to be corrected, the user would be required to buy a new certificate.

There are also issues where new certificates are required when the user changes his operating system, his operating system crashes, or the user suspects compromise of his certificate. In all these cases, unless there is a free exchange of the certificate, the consumer is forced to shell out money again and again for the certificate. This is unacceptable to consumers.

The CCA is today the only organization which has a role in setting the system in order and ensuring that consumers of digital certificate services are satisfied. It is necessary for the CCA to set up a separate section to deal with consumer issues and take responsibility for addressing them. There has to be a grievance redressal mechanism, the appointment of an ombudsman to hear consumer complaints, etc.

The CCA some time back floated a tender for the development and distribution of a digital signature tool, which was subsequently abandoned. A tender was also floated for an outreach programme, which was then sub-contracted to CDAC and forgotten.

Now there is a need to look at the involvement of the CCA in more outreach programmes. This is a duty cast on this statutory position, and I urge that the CCA take some concrete steps to strengthen the Digital Signature system in the country.

The amendments to ITA 2000 have enabled the introduction of new means of authentication of electronic documents that may co-exist with the current system of Digital Signatures. Though the notification of the date of effectiveness of the amendments is still awaited, it is time for the industry to start working on alternative systems which can improve the existing digital signature system as well as introduce new systems. The report on MD5 collisions (See here) makes it necessary to immediately consider some means of replacement. It is understood that the Government may be considering notification of SHA-256 as another approved algorithm so that it can be incorporated in Digital Signature systems by the licensed Certifying Authorities (CAs). Along with this, we may also consider dual hashing with MD5 and SHA-1 to eliminate the collision risks indicated by the research report mentioned earlier.

The CCA has to make moves towards conducting technical research into the development of new algorithms for digital signatures as well as the development of new electronic signatures.

Recently, a US company conducted a marketing campaign in Bangalore to promote their digital signature system, which was not Cyber Law compliant since the system envisaged storing the private key on a server. I pointed out that the system is not acceptable under Indian law and that it needs to be submitted for approval to the CCA before being commercially marketed. It appears that the company has not taken any action in this regard, and probably some of the prospective customers who attended the promotional seminar at that time, which included several bankers, might have taken steps to implement the system.

It is necessary for the CCA to be watchful of such developments and take steps to ensure that faulty systems do not become a fait accompli after some time.

Similarly, many companies in India use server certificates from unlicensed certifying authorities.

I also pointed out in a recent adjudication discussion on a phishing case that the Reserve Bank of India (RBI) has virtually mandated the use of digital signatures in banks for a legally compliant authentication system. However, this is being ignored by most bankers, putting customers at risk. The Government, which has mandated that individual citizens use digital signatures for filing MCA returns and thereby created a million users, has not found it necessary to mandate that banks use a digital signature based authentication system above a particular amount (say, “Withdrawals in excess of Rs 10000/- in a day”). At least the million current holders of digital certificates could then think of putting their investment in digital certificates to better use (provided we ensure that the certificates are compatible with bank access).

It is the responsibility of the CCA to ensure that the RBI makes it mandatory that digital signatures are used in all customer communication by banks, so that a phishing mail is easily identified by customers.

Recently the RBI has also introduced Mobile Banking. It is time that the CCA initiated work on how digital signatures can be used in mobile banking transactions. This requires certain changes at the mobile service provider level, and the CCA has the responsibility to tell the RBI that the system is not ready for secure mobile banking and that any premature introduction would be detrimental to the interest of the public.

All this means that the office of the CCA has to transform itself into a consumer-friendly organization and proactively take steps to ensure a more secure digital society in India.

I wish that Mr N Vijayaditya, who took over not so long ago as the CCA, would address these requirements without any further delay.

I also wish that users of digital certificates in India would organize themselves into an “Association of Digital Certificate Users in India” and assert their rights as consumers. I have suggested to many consumer activists that they take the lead in this direction, and Naavi.org would be glad to support such initiatives. Such leads can also be taken by institutions such as National Law School Bangalore or other academic institutions interested in consumer law education as a service to the community.

Comments are welcome at naavi@vsnl.com

naavi of www.naavi.org
