The following two incidents reported from India reveal the status of Digital Literacy in India. (Digital Literacy in this context is measured by the ability of a person to sign an electronic document in a manner acceptable in law.)

Mr A approaches a licensed Certifying Authority through an authorised dealer and applies for a digital certificate. A few days later the dealer hands over a USB drive stating that it contains the “Digital Signature”. The drive contained the private key and the digital certificate of the applicant. The dealer had obtained a new e-mail ID for the applicant at Yahoo Mail, which had been used for the certificate.

In another incident, Mr B approached another Certifying Authority with the application duly completed. The dealer came back after two days with a USB key containing the digital certificate and private key of the applicant. The digital certificate had, as its e-mail ID parameter, the dealer’s e-mail address.

Many readers would perhaps appreciate the customer-friendly nature of these dealers and say, “Wah! In India, Digital Certificate Issue has become a truly customer oriented service”. But to people who understand the legal aspects of Digital Signatures in India, the two incidents reflect the extreme poverty of Cyber Law Awareness in India, which could soon kill the system of Digital Signatures in India.

Why do I make such a drastic statement? What is wrong in the customer service exhibited by the above two dealers? Let me explain.

India entered the era of Digital Contracts on October 17, 2000, when the basic law of the digital society was notified in the form of the Information Technology Act 2000. One of the most important aspects of this legislation was that the country adopted a regime of authentication of electronic documents using “Digital Signatures”. The Indian digital signature system is based on public key infrastructure managed by licensed certifying authorities.
Accordingly, the digital signature aspirant has to obtain a digital certificate from one of the licensed certifying authorities after making an application and providing proof of his physical society identification. In order to provide judicial non-repudiation to the system, the digital certificate issue adopts a process where the applicant interacts with the digital certificate issue server, generates the private key-public key pair on his own computer, sends the public key to the certificate server and gets it back as the digital certificate. In this process the private key never leaves the applicant’s computer and even the Certifying Authority does not have a copy of the digital certificate. This is the critical feature of the process which provides the judicial support to the system of digital signatures as a means of authentication.

In both the above cases, the dealers themselves created the key pairs and later sent the private key to the customer. This means that the private key has been compromised ab initio. Hence the process of digital certificate issue adopted by the two agents is illegal. If there is a PIL explaining the risks inherent in the above manner in which India’s leading Certifying Authorities handle Digital Certificate Issue in India, the Court would declare that the entire system of digital signatures should be considered judicially non-acceptable.

This is a reflection of the extent of digital illiteracy that prevails in India, and it puts a question mark on the Government of India’s recent decision to introduce mandatory use of digital certificates in certain transactions with the public. I will discuss more about this in the next part.
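
The enrolment flow described above (key pair generated on the applicant's own computer, only the public key sent to the Certifying Authority) can be shown in a few lines of Go. This is an added example, not part of the original article or of any Certifying Authority's software; the function names, the choice of ECDSA P-256 and the sample name and e-mail address are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// ApplicantEnroll runs on the applicant's own computer. The private key it
// returns stays there; only the DER-encoded CSR is sent to the CA.
func ApplicantEnroll(name, email string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: name},
		EmailAddresses: []string{email},
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csr, err
}

// CAReceive is all the CA side gets. It verifies the CSR's signature (proof of
// possession of the private key) and returns the public key and e-mail to certify.
func CAReceive(csrDER []byte) (*ecdsa.PublicKey, string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, "", fmt.Errorf("proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || len(csr.EmailAddresses) != 1 {
		return nil, "", fmt.Errorf("unexpected key type or e-mail count")
	}
	return pub, csr.EmailAddresses[0], nil
}

func main() {
	// Constructed sample applicant; not taken from the article.
	key, csr, _ := ApplicantEnroll("Applicant A", "applicant@example.org")
	pub, email, err := CAReceive(csr)
	fmt.Println(err == nil && pub.Equal(&key.PublicKey), email)
}
```

In the two incidents, the dealer stood in the position of `ApplicantEnroll`, so the private key existed outside the applicant's control from the moment it was created.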

Naavi

www.naavi.org
