Special RepoRt

Business Recorder, Karachi

Monday, October 3, 2022 11

M E S S A G E S Electronic Certification Accreditation Council (ECAC)

Amin-ul-Haq
Federal Minister, IT
I am delighted to felicitate
Electronic Certification
Accreditation Council
(ECAC) management and
employees on Establishment
of Public Key Infrastructure
(PKI) for National Root
Certification Authority.
ECAC, being the regulator of
security in the cyber space is
to provide state of the art cer-
tification & cryptography
services. With the develop-
ment of PKI Infrastructure,
ECAC being the Root
Certification Authority is
now capable of providing the
Certification Services which
result in creation of trust and
authentication of the end
users.
Under Digital Pakistan
Programme, Ministry of IT &
Telecom is taking concrete
steps to promote the e-educa-
tion, e-health, e-agriculture,
e-commerce, innovation,
entrepreneurship, incubators
and Startups. For all these,
availability of secure and
reliable hosting platform is
the pre-requisite, ECAC is
providing reliability of these
platforms in shape of
National Root Certification
Authority (PKI) of Pakistan
with state of the art latest
technology.
Today, in the developed
world, PKI governs the
issuance of digital certificates
to protect sensitive data, pro-
vide unique digital identities
for users, devices, applica-
tions and secure end-to-end
communications. PKI is
based on electronic ecosys-
tem and in Pakistan,
Electronic Transaction
Ordinance (ETO) provides
for legal recognition of the
digital signature based on
cryptographic systems.
Digital Signatures are now
being accepted at par with the
handwritten signatures and
electronic document which
are digitally signed have
become at par with the paper
documents so now the time
has come for leveraging more
and more from this and
develop and deliver more
secure and reliable systems
using PKI to address the
major trust and security chal-
lenges to Pakistan.
It is very encouraging to
see that ECAC has adopted
the latest technology avail-
able in global market and
ensuring the provisioning of
best solutions for digital sig-
natures. I have confidence
that ECAC will keep on
building its capacity in same
way to cope with emerging
challenges during the journey
to “Digital Pakistan”. I
appreciate ECAC perfor-
mance and congratulate
ECAC Management for the
phenomenal development of
National Root PKI infrastruc-
ture for the Public and
Private Sector and wish them
all support and success.
Mohsin Mushtaq
Federal Secretary, IT
I extend my heartiest
congratulations to
Electronic Certification
Accreditation Council
(ECAC) on Establishment
of Public Key
Infrastructure (PKI) for
National Root
Certification Authority.
Now, ECAC is in the posi-
tion to regulate and
accredit local and foreign
Certification Service
Providers for provision of
Digital Certificates and
Electronic Signature
Services to the end users.
Ministry of Information
Technology and
Telecommunication under
the Government’s vision
of “Digital Pakistan” is set
to contribute in digitaliza-
tion by enhancing securi-
ty, efficiency and trans-
parency being pre-requi-
site for good governance.
ECAC can now be a part
of this vision and put in its
efforts to achieve this goal
and bring Pakistan among
the technology enabled
countries.
ECAC was created to
regulate security for
cyberspace through usage
of Digital Certificates and
to accredit Certification
Authorities (CA’s) from
Public and Private Sectors
under the Pakistan
Electronic Transaction
Ordinance (ETO) 2002.
Under the chairmanship of
Engr. Miraj Gul and
Council Members, ECAC
has successfully complet-
ed an internationally rec-
ognized system to issue
and recognize Electronic
Certificates. These
Electronic Certificates,
based on Public Key
Cryptography, are the only
means to identify and trust
on interacting parties
(such as individuals, web-
sites, organizations, etc.)
for any national or inter-
national transactions in the
digital world. Now, ECAC
will be recognized as an
arm of the Government for
creation of trust and secu-
rity in the digital environ-
ment.
I commend ECAC man-
agement and employees
for development of PKI
for National Root
Certification Authority
facilities for the Public &
Private Sector for achiev-
ing digital transformation
goal. This state of art
infrastructure enable
ECAC to commence its
digital certification ser-
vices for national needs
and at international level
as well.
Best wishes and support
to Council and its team for
success in development of
first ever National Root
Certification Authority for
the country.
Digital Economy is transform-
ing the way businesses, govern-
ments and societies interact and
operate. A tremendous revolution
in the world of communication
has led to change the means of
business transactions what we call
E-commerce or Electronic Data.
With the development of E-com-
merce over the globe, legislations
have been made throughout the
world to regulate the E-com-
merce. The convenience and flex-
ibility of the services and products
available on the Internet have
meant that all aspects of our lives
are now increasingly being digi-
tized. However, there is also an
increasing concern about the pri-
vacy and security of the individu-
als and organizations, alike. To
this end, electronic certificates, are
commonly used to ensure higher
levels and assurances of electronic
identities and content integrity of
electronic transactions. In fact, the
use of electronic certificates to
enhance security and privacy has
now gained global acceptance in
both the public and private sec-
tors.
ELECTRONIC TRANSAC-
TIONS ORDINANCE (ETO)
2002
Like other countries of the
world, in Pakistan legislation has
been formulated under the
Electronic Transactions
Ordinance (ETO) 2002. The legal
framework of ETO regulates the
electronic transactions and pro-
vide means to recognize all elec-
tronic data and electronic signa-
tures in term of their validity or
invalidity. The objective was the
establishment of legal obligations
on one side and the recognition of
electronic records on the other
side.
ELECTRONIC CERTIFI-
CATION ACCREDITATION
COUNCIL (ECAC):
Engr. Miraj Gul
Chairman ECAC
ECAC has been established by
the Federal Government of
Pakistan under Section-18 of the
Electronic Transactions
Ordinance (ETO), 2002 as an
autonomous body and operates
under the Ministry of Information
Technology & Telecom
(MoITT), Government of
Pakistan. It provides a legal
framework to recognize and facil-
itate documents, records, informa-
tion, communications, and trans-
actions in the electronic form
enabling digital signatures to be
accepted at par with handwritten
(wet) signatures. ECAC is man-
dated to grant accreditation to any
Certificate Service Provider
(CSP) who intends to work as an
Accredited Certificate Service
Provider. All companies, individ-
uals or firms engaged in the busi-
ness of electronic services are
required to get themselves accred-
ited with ECAC in their own
business interests. The Certificate
of Accreditation aims to make
electronic transactions more
secure, more reliable and world-
wide acceptable.
COUNCIL COMPOSI-
TION
Present Council Members
comprises of:
1. Engr. Miraj Gul – Chairman
2. Mr. Shahzad Sami – Member
3. Mr. Ghulam Mustafa –
Member
4. Mr. Abdul Wahid Khan –
Member
DIGITAL SIGNATURE
CERTIFICATES
A digital signature is a specific
type of electronic signature (e-sig-
nature) which relies on public-key
cryptography to support identity
authentication and provide data
and transaction integrity and
Digital Signature Certificates
authenticate your identity elec-
tronically. It also provide a high
level of security to online transac-
tions by ensuring absolute privacy
of the information exchanged
using a digital certificate. One can
use digital certificates to encrypt
information such that only the
intended recipient can read it. You
can digitally sign information
with assurance to the recipient
that it has not been changed in
transit, and also verify your identi-
ty as the sender of the message.
Unlike a handwritten signature, a
certificate-based signature is diffi-
cult to forge because it contains
encrypted information that is
unique to the signer.
ECAC TO SECURE E-
COMMERCE
The E-Commerce policy
framework of Pakistan, is a mon-
umental achievement and a major
step towards the realization of the
“Digital Pakistan”. We believe
this is an extremely positive
development and would indeed
result in economic prosperity for
the nation through the promotion
of E-Businesses, the creation of
jobs for the youth and numerous
opportunities for the IT industry
of Pakistan. Within a digital econ-
omy/country, the elements of trust
& security form the foundation on
top of which digital systems, ser-
vices, and businesses must be
built. Moreover, the E-
Commerce Policy of Pakistan has
stressed on the importance of
establishing effective data protec-
tion as well. As electronic digital
signatures and certificates are
essential components of every E-
Commerce and digital system,
hence, to ensure security and
establish trust in the system, I
believe the ECAC will play a piv-
otal role in the success and real-
ization of the Digital Pakistan
vision and the E-Commerce
Policy of Pakistan.
ECAC CONTRIBUTION
TO DIGITAL PAKISTAN
VISION
Establishing TRUST in any
on-line transaction is a fundamen-
tal requirement for Digital
Pakistan. ECAC through creation
of trust is committed to achieve a
secure ‘Digital Pakistan’ — a
vision of Govt. of Pakistan in fol-
lowing sectors:
a) E-Governance
b) E-Tax
c) E-Health
d) E-Education
e) E-Banking
f) E-Procurement Etc.
ETO provides required legal
sanctity to the digital signatures
and these can now be accepted at
par with handwritten signatures.
All Companies, Individuals,
Firms engaged in Electronic
transactions and Encryption ser-
vices are mandated under ETO to
be accredited from ECAC to
make electronic transactions more
Secure, Reliable and worldwide
acceptable.
ETO is mainly focused on the
security of electronic transactions
that follows standards mentioned
in the ECAC Certificate Service
Providers Regulations. i.e.
ISO21188, ISO 27006, ISO
...... on page II

Where you need trust, you need PKI

PKI IS TRUSTED TO
SECURE EVERYTHING
FROM THE BOTTOM OF
THE OCEAN TO THE EDGE
OF SPACE
When British cryptologists
James Ellis and Clifford Cocks
first developed the idea of “non-
secret encryption” in the 1970s,
they could not have conceived
of its use across tens of millions
of websites around the world.
At that time, the Internet was
still a DARPA project, used
infrequently to connect universi-
ty researchers looking to share
data or findings.
Within a few decades, the
world had changed, and Ellis
and Cocks’ public key infra-
structure stood at the centre of
the Information Age as the
shield against hacking and
fraud. To this day, if a website is
trusted, that trust is the result of
PKI.
But the invention of the world
wide web—which, by itself,
would have been enough to
define an era of human develop-
ment—was immediately fol-
lowed by a second revolution in
connected devices. Practically
overnight, everything from
refrigerators to space shuttles
and online shopping to banking
apps became a part of a global
ecosystem of networks, devices,
applications and users, all com-
municating across distances.
Imran Ashraf
Head of PKI Business,
NIFT (Pvt) LTD.
Imran Ashraf is helping
companies to leverage the
power of PKI and blockchain.
His area of intrest is CBDC,
NFTs and super wallets. He is
a founding member of the first
PKI Certificate Authority in
Pakistan. He is also a Certified
Computer Hacking Forensic
Investigator, and Digital
Identity solutions expert.
The speed of growth was and
continues to be, so rapid it can
only be measured by orders of
magnitude, and as hundreds of
thousands of people develop
new ideas for connecting mil-
lions of people to billions of
things, the need for strong secu-
rity has climbed at an exponen-
tial rate.
For all the good created by
the Information Age— from
cultural exchange to advances in
medical care—this massive net-
work of communication has
offered up new possibilities for
opportunists and criminals to
take advantage of our users and
an easy willingness to trust in
the technology
The solution to this threat is
simple. Build the highest assur-
ance into everything that’s con-
nected. Public Key
Infrastructure (PKI) is that foun-
dational assurance. A security
and identity solution that’s reli-
able enough to protect the most
sensitive data, but flexible
enough to work on the latest and
greatest inventions. With PKI,
the only thing we need to focus
on is enjoying the benefits of a
world that can communicate
almost instantaneously across
the globe—and even into space.
PKI infrastructure serves as a
certificate authority (CA) for
your internal and external users,
issuing and administering digital
certificates by your own organi-
zation's policies. Your users can
use a PKI Services application
to request and obtain certificates
through their web browsers over
mobile phones devices and per-
sonal computers.
NIFTeTRUST is the First
Certificate Authority (CA) in
Pakistan established under
NIFT (Pvt) Ltd. and VeriSign
Inc in 2004. It is the most trust-
ed name in the region, providing
PKI services to the various
industry segments of Pakistan.
With its datacenter certified to
international standards, X9.79
and ISO-27001 and ISO-21188
NIFTeTRUST have paved way
for the organizations to operate
online businesses safely and
securely under a Trust hierar-
chy. It provides services which
ensure the security and safety of
commerce and communica-
tions, addressing issues such as
authentication, confidentiality or
privacy, non-repudiation, and
data integrity over the Internet.
NIFTeTRUST, now working
with DigiCert and Sectigo for
internationally trusted PKI cer-
tificates. Besides that, we have
our own indigenous build pri-
vate CA hierarchy setup that
offers the same features.
On this historical occasion,
NIFT congratulate Electronic
Certification Accreditation
Council (ECAC) to establish
Public Key Infrastructure for
globally recognized National
Root Certification Authority.
This will enable Pakistan to
enter into the league of technol-
ogy-enable nations of the world.
This National Root CA will aid
interpretability of trust to local
indigenously build CAs in a
hierarchical manner where
National Root CA will act as the
final point of trust.

PKI is Easy with Khazana e-Trust

In the past, PKI was
complicated. Without
access to experts and sim-
plified management plat-
forms and tools, individ-
ual IT professionals had
to take on the risky
prospect of developing
PKI solutions in-house,
without the specialized
knowledge required for
proper deployment. Its
reliability made PKI the
ideal solution—once it
was running—but getting
there used to be challeng-
ing and often resulted in
more problems than it
Ahsan Rasheed Khan
Chief Commercial Officer -
Khazana Enterprise
solved.
Thankfully, those days
are long past. Today, PKI
can be simple to set up
and use, if it’s done prop-
erly. Sophisticated tools
for deploying and moni-
toring PKI solutions now
run in a single sign-on
platform. And because
PKI is so versatile, it’s
easy to run solutions for
many different security
challenges in one place.
Instead of dealing with
the complexity of building
a PKI solution for one use,
Khazana e-Trust has
developed Managed
Services for its customers
which can deploy and
manage multiple security
solutions in one place—
and you don’t need any
expertise to stand up and
run your PKI environment.
Khazana enterprise con-
gratulate Electronic
C e r t i f i c a t i o n
Accreditation Council
(ECAC) for establishing
National Root
Certification Authority.
This National Root CA
will establish countrywide
trust for the brighter
future as per the vision of
digital Pakistan.

Welcome to the Digital Pakistan

The world has gone digital and
like many other countries, Pakistan
is also on a journey of Digital
Transformation, as can be witnessed
through several government policy
initiatives. Digital transformation
offers business efficiencies,
improved user experiences, cost
reductions, better security, and
importantly it’s better for the envi-
ronment. The digital transformation
benefits for Pakistan are widespread
and across every sector, including:
- E-Government: for citizens and
businesses accessing e-govern-
ment services
- E-Business: whether its
Business-to-Business (B2B) or
Business-to-Consumer (B2C)
or Business-to-Employee (B2E)
- E-Commerce: online retailing,
virtual marketplaces, placing
orders and making payments
online
Faisal Bashir Other industry or sector specific
GM IT - NTC digitization initiatives include
Health, Justice, Procurement,
Invoicing, billing, statements etc.
Any analog process which requires
an in-person meeting or ink-signa-
ture on paper can be replaced with a
more secure and efficient digital
process.
To be successful, digital process-
es must be Trustworthy. This
means:
1) You know who you are dealing
...... on page II

Electronic Certification Accreditation Council (ECAC)
...... from page II
27001 and ISO 27002 for CSPs.
INFORMATION SECURI-
TY AUDITORS
ECAC under its regulations reg-
isters Information Security Audit
Companies that can be engaged by
the Electronic Certification Service
Providers to conduct an informa-
tion security audit of Digital
Certificate Service Providers facili-
ties under the Electronic
Certification Accreditation Council
Regulations.
ECAC AS A MEMBER OF
WORKING GROUP IV of the
United Nations Commission on
International Trade Law (UNCI-
TRAL)
Multilateral arrangements
between national accreditation
bodies and members of United
Nations Commission on
International Trade Law have
also helped to make accreditation
an internationally recognized
‘stamp of approval’ to demon-
strate compliance against agreed
standards and requirements.
These arrangements provide gov-
ernments and regulators with a
credible and robust framework on
which to further develop and
enhance government-to-govern-
ment bilateral and multilateral
international trade agreements.
ECAC understands the impor-
tance of international collabora-
tions for development of interna-
tionally acceptable regulations
and mechanisms for secure elec-
tronic transactions. In the context,
ECAC’s delegation participated
in-person in 62nd UNCITRAL
Welcome to the Digital Pakistan
...... from page II
with electronically, whether it’s
a user, a business, or a device.
2) Any information, e.g., an e-
Contract, sent electronically
remains authentic i.e.,
unchanged, and if signed the
sender can’t later deny having
signed it. Conversely a fraudster
must not be able to copy or fake
anyone’s e-signature.
The world-wide standard for
delivering digital trust is PKI (public
key infrastructure). PKI is a com-
plete system consisting of physical,
procedural, personnel and technical
components which work together to
issue trusted digital certificates to
end-users, businesses or devices
which contain the holder’s identity
information. These digital certifi-
cates and linked cryptographic keys
can then be used to authenticate the
holder and allows them to create
verifiable digital signatures. A digi-
tal certificate is only issued after
thorough verification of the owner’s
real-world identity. The important
Ad
27x4
(United Nations Commission on
International Trade Law) Session
held in Vienna, Austria for the
first time. Pakistan’s representa-
tion depicted a strong commit-
ment to develop a strong platform
to secure and protect the
Electronic Transactions rapidly
growing under Digital Pakistan
policy of the Ministry of IT &
Telecom (Govt. of Pakistan).
ECAC officers’ Participation
in 62nd UNCITRAL Session
ESTABLISHMENT OF
PUBLIC KEY INFRASTUC-
TURE (PKI)
ECAC, to fulfill the mandatory
obligation under ETO 2002, initi-
ated the process for establishment
of Public Key Infrastructure (PKI)
for National Root Certification
Authority (CA). ECAC’s PKI is
inevitable to enable high level of
assurance in E-Transactions of the
Country. This PKI infrastructure
ECAC officers’ Participation in 62nd UNCITRAL Session
is the set of technology and
processes that make up a frame-
work of encryption to protect and
authenticate digital communica-
tions. PKI uses cryptographic
public keys that are connected to a
digital certificate, which authenti-
cates the device or user sending
task of issuing digital certificate
can’t be undertaken by just anyone,
instead only trusted authorities
known as Certificate Authorities
(CAs) or Trust Service Providers
(TSPs) can provide this service.
From a legal perspective it is
important that electronic transactions
are admissible in a court as evidence,
and this is exactly why in Pakistan
the Electronic Transaction Ordinance
(ETO 2002) was enacted. It is impor-
tant that all TSPs issuing digital cer-
tificates in Pakistan are operating at
the same high-level of security and
trustworthiness. To serve this pur-
pose the ETO created a role for
Electronic Certification Accreditation
Council (ECAC) as an autonomous
body to audit TSPs against defined
security guidelines as part of a formal
accreditation process. Multiple TSPs
can exist within Pakistan to serve dif-
ferent government and commercial
markets and specific use cases e.g.,
banking, healthcare etc.
To aid Interoperability of trusted
electronic transactions throughout
Pakistan and even Internationally,
the digital communication. It will
be globally recognized through
Web-Trust audit as per interna-
tional standards. Today, I am
proud to announce the launch of
first ever PKI for National Root
Certification Authority of the
Government of Pakistan. This
first Root CA at the National level
will be world wide recognized
and facilitate in securing the E-
Transactions & ensuring data
integrity, data confidentiality,
strong authentication & non-repu-
diation. Moreover, will ensure
trust, confidence & ease of doing
business for online services to the
citizens of Pakistan.
Establishment of National Root
Certification Authority (CA)
Accreditation of Certifications
Service Providers (CSPs), is one
of the main functions of the
Council, to provide legal sanctity
to digital signatures based upon
the principle of equivalence to
handwritten (wet) signatures.
ECAC through National
Telecom Corporation (NTC) at
it’s cloud-based Data Centre
premises has successfully
achieved launching of effective
implementation, enforcement,
ECAC has established a hierarchical
PKI which will connect accredited
TSPs together under a National Root
CA. The National Root CA acts as
the final point of trust and is audited
against the internationally recognized
CA-audit scheme called WebTrust.
This allows popular browsers and
applications like Adobe Reader to
trust the National Root CA automati-
cally. The National Root CA is the
responsibility of ECAC and used as
part of its accreditation scheme.
ECAC will use the National Root
CA to issue digital certificates to
those TSPs which have successfully
been accredited in both the govern-
ment and commercial sectors. The
TSPs are then responsible for issuing
certificates to the actual end-users for
specific purposes e.g., signing of doc-
uments, signing of software code,
server authentication, etc. Anyone
with access to the Pakistan National
Root CA certificate will be able to
verify the certificate of any end-user
in the system and thereby be able to
trust their digital identity and signa-
tures. The ETO will ensure that digi-
Business Recorder, Karachi
Tuesday, February 23, 2021 4
creation and management of PKI
(Public Key Infrastructure) today.
Establishment of National
Root CA
PRIVILEGE TO APPRO-
PRIATE AUTHORITIES
For National Authorities and
Regulators, accreditation underpin
conformity for Ease of Doing
Business which means businesses
shall spend less time tied up with
bureaucracy formalities. The paper-
based concept of identification, decla-
ration and proof are carried through
the use of digital signatures in an elec-
tronic environment. Digital signatures
and cryptography services involved
in e-transactions need accreditation
for ensuring their integrity.
TRUST AND SECURITY
Within a digital economy the ele-
ments of Trust & Security forms the
foundation on top of which digital
systems, services and businesses
must be built. As Pakistan embarks
on its journey toward becoming a
truly digital economy, establishment
of Regulatory frameworks for ensur-
ing data protection, establishing trust,
and maintaining security of all digital
transactions, documents and infor-
mation systems are thus essential.
I, on behalf of the Council,
expect that the role and the
exclusive mandate granted to
ECAC will be respected by all
stakeholders. By addressing the
increasing concern about the pri-
vacy and security of the individ-
uals as well as organizations,
ECAC endeavors for keeping the
nation abreast with the ever-
changing trends of E-commerce
while protecting the interest of all
related stakeholders.
tal signatures backed by Accredited
TSPs and ultimately by the National
Root CA are automatically recog-
nized as equivalent to hand-written
signature and presumed trusted by
default!
As part of National
Telecommunication Corporation
(NTC) mandate to facilitate Federal
Government, Provincial
Governments, and all other State-run
establishments, NTC hosts and oper-
ates the Pakistan National PKI sys-
tems for Electronic Certification
Accreditation Council (ECAC).
Importantly, NTC is also the first offi-
cial Accredited TSP for the
Government of Pakistan and will issue
certificates to government sector users.
Other government entities, banks, tel-
cos, and commercial enterprises will
also become accredited TSPs for
enabling high trust in their business
applications and market sectors where
needed.
Ascertia is a world leader in PKI
solutions and is providing a com-
plete turnkey implementation for the
Pakistan National PKI.
Ad
27x4