Digital Signature


Process of formation, recognition and authentication of digital Signature with relevant legal
provisions under IT Act, 2000.


In India, electronic and certificate-based digital signatures are regulated by the Information
Technology Act, 2000 (IT Act) and the following rules made under this Act:

• Information Technology (Certifying Authorities) Rules, 2000;

• Digital Signature (End Entity) Rules, 2015; and

• Information Technology (Use of Electronic Records and Digital Signature) Rules, 2004.

The IT Act distinguishes between electronic signatures and certificate-based digital signatures, but
both have the same status as handwritten signatures under Indian law. Digital signatures are
preferred for certain government transactions such as e-filing with the Ministry of Corporate Affairs,
and goods and service tax filings.

Valid electronic signatures must include an electronic authentication technique or procedure
specified in the Second Schedule of the IT Act. The Second Schedule currently specifies the following
e-KYC (Know Your Customer) authentication techniques and procedures:

1. Aadhaar e-KYC

2. Other e-KYC services (e.g. e-KYC using Permanent Account Number (PAN)).

Under Indian law, reliable electronic and digital signatures carry a presumption of validity compared
to other “non-recognized” electronic signatures. However, in common with other jurisdictions, Indian
law will not consider an agreement invalid solely on the grounds that it was formed with such non-
recognised electronic signatures.

For an electronic signature to be considered reliable and presumptively valid under the IT Act:

1. It must be unique to the signatory;

2. at the time of signing, the signatory must have control over the data used to generate the
electronic signature;

3. any alteration to the affixed electronic signature, or to the document to which the signature is
affixed, must be detectable;

4. there should be an audit trail of steps taken during the signing process; and

5. The signer certificates must be issued by a certifying authority (CA) recognized by the Controller
of Certifying Authorities appointed under the IT Act. A list of licensed CAs is available
at http://www.cca.gov.in/licensed_ca.html.

For e-signing processes initiated in India, Adobe applies an electronic seal using digital certificates
from eMudhra, which are recognized under the IT Act and thus carry the presumption of validity for
the completed agreement.

Judges and magistrates are familiar with the law concerning e-signatures and e-contracts, although
some local authorities insist on physical documents for keeping registers and records under statutes,
and on the use of traditional “wet signatures” for authentication.

Sec 2 (ta) of the Information Technology Act, 2000 defines electronic signature as:
“Authentication of any electronic record by a subscriber by means of the electronic technique
specified in the second schedule and includes digital signature.”

The definition of electronic signature includes digital signature and other electronic techniques
which may be specified in the second schedule of the Act; thus an electronic signature means
authentication of an electronic record by a subscriber by means of electronic techniques. The
adoption of ‘electronic signature’ has made the Act technologically neutral, as it recognizes both the
digital signature method based on cryptographic techniques and electronic signatures using other
technologies.[4]

Types of electronic signature

Unsecured Signature

Since an electronic signature is more of an unsecured type of signature, there are affixations that
are marked at the end for reference. However, as stated earlier, they can easily be tampered with and
do not provide much focus on the authenticity of the identity. Following are the types of electronic
signature:

1) Email Signature– Merely typing one’s name or symbol at the end of an email, or sending a
message on letterhead; these can easily be forged by anyone else.

2) Web Based Signature– In many organizations, the company dons many hats with regard to the
activities it conducts, which may make the organization fall for web-based clickwrap contracts, in
which acceptance is made merely by clicking a single button. Such signatures bind the party even if
they were conned fraudulently.[5]

The growth of online transactions has caused a variety of cyber crimes to take place, ranging from
deception to hidden identity. It is for this reason that the digital signature is taken as a more
stringent form of signature, one that protects the identity of the sender. There are more advanced
ways to curb the menace caused in electronic signatures as well.

Secured Signature

This includes signatures which are digitally secured and which also carry more legal weight.

Digital Signature

• According to section 2(1)(p) of the Information Technology Act, 2000, digital signature means
the authentication of any electronic record by a person who has subscribed for the digital
signature in accordance with the procedure mentioned under section 3 of the same Act.

• Section 5 of the Information Technology Act, 2000 gives legal recognition to digital
signatures.

Usage of Digital Signature

1) Personal Use– It is at the liberty of the individual to use the signature personally, without the
hassle of being personally present at the given place.

2) Business– Professions such as architecture, construction and engineering companies are required
to sign tenders, market procurements or even biddings. A digital signature can prove to be a great
way to provide the assent.

3) Return filing for GST– GST filing and e-filing make it compulsory for individuals to opt for
digital signatures.

4) Filing for Income Tax– Some corporations require the business to file the tax all over India, thus
saving the light of the day.

5) For ROC E-filing– Filing with the Registrar of Companies and filing of various documents has caused
enough leverage for individuals to opt for a digital signature.

Features of Digital Signature

The authenticity of the sender

The person who receives the electronic message or document is able to realise who is the sender of
the message. The digital signature makes it possible to verify the name of the person signing the
message digitally.

The integrity of the message

The receiver of the electronic message is able to determine whether he/she has received the original
document or whether the document has been altered before the receipt or not.

Non-Repudiation

The sender of the message cannot refute the contents of the electronic message and cannot deny
that he/she sent the message.

Authentication using Digital Signature

The authentication of the electronic record is done by creating a digital signature which is a
mathematical function of the message content. Such signatures are created and verified by
Cryptography, which is a branch of applied mathematics. It is used to secure the confidentiality and
authentication of the data by replacing it with a transformed version that can be reconverted to
reveal the original data only to someone who has the proper key.

• A key is a sequence of symbols that controls the operation of a cryptographic transformation.

• It involves two processes which are as follows.

1. Encryption: The process of transforming the plain message into a cipher text.

2. Decryption: The reversal of Cipher text into the original message.

Asymmetric Encryption

Under asymmetric encryption, the message can only be decrypted using a publicly available key known
as the ‘Public Key’, provided by the sender. The procedure is set out under Section 2(1)(f) of the
Information Technology Act, 2000. Under this system, there is a pair of keys, a private key known only
to the sender and a public key known only to the receivers.

The message is encrypted with the private key of the sender; decryption, by contrast, can be done
by anyone who has the public key. This establishes the authenticity of the sender. It is also known as
the ‘principle of irreversibility’, i.e. the public key of the sender is known to many users, but they do
not have access to the private key of the sender, which bars them from forging the digital signature.

Symmetric Encryption

There is only a single key known to both the sender and the receiver. Under this system, the secret
key or the private key is known to the sender and the legitimate user. This secret key is used for both
encryption and decryption of the message.

The only drawback of this symmetric encryption is that as the number of pairs of users increases, it
becomes difficult to keep track of the secret keys used.

Benefits of Digital Signature

• Authenticity.

• Non-deviability.

• Message cannot be altered in between the transmission.

Process followed for the creation of digital signature

Digital signatures are becoming very popular in the whole world. Countries that approve the use of
digital signatures have a structure that governs the acquisition and use of the digital signature. Even
so, regardless of the country that you come from, the way of acquisition is standard. Digital
signatures are created and issued by qualified individuals. For anyone to get a valid digital certificate,
they must get it from a certifying authority (CA).

The Certifying Authority (CA) is a kind of Trust Service Provider, and it is a third-party organization
that is trusted and accepted in a country. It has the power of issuing the citizens with digital
signatures. These CAs have rules and regulations that they have to keep and be governed by.

Firstly a person needs to get a Digital Signature Certificate from the Certifying Authorities. After that,
the following process is followed:

1. The original message of the sender is demarcated in order to get the message digest, with
the help of the hash function.

2. Then the private key is used to encrypt the message digest.

3. The encrypted message digest becomes the digital signature by using the signature function.

4. The digital signature is then attached to the original data.

5. Two things are transmitted to the recipient:

• The original message

• The digital signature

Rule 4 of the Information Technology (Certifying Authorities) Rules, 2000, explains the procedure of
digital signature as:

• To sign an electronic record or any other item of information, the signer first applies the hash
function in the signer’s software. A hash function is a function which is used to map data of
arbitrary size onto data of a fixed size. The values returned by a hash function are called hash
values, hash codes, digests, or simply hashes.

• The hash function computes a hash result of standard length, which is unique to the
electronic record.

• The signer’s software transforms the hash result into a Digital Signature using the signer’s
private key.

• The resulting Digital Signature is unique to both electronic record and private key which is
used to create it.

• The Digital Signature is attached to its electronic record and stored or transmitted with its
electronic record.

Verification of Digital Signature

The recipient receives the original message and the digital signature. After this, there are two steps
which need to be followed:

• A new message digest is recovered from the original message by applying the hash function.

• The signer’s public key is applied to the digital signature received by the recipient and
another message digest is recovered as the outcome of it.

• If both the message digests are identical, it means that the message is not altered.

Rule 5 of the Information Technology (Certifying Authorities) Rules, 2000, explains the method of
verification of digital signature as:

The verification of a Digital Signature shall be accomplished by computing a new hash result of the
original electronic record by means of a hash function which is used to create a Digital Signature and
by using the public key and the new hash result.
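
The signing steps of Rule 4 and the verification steps of Rule 5 described above, as an added
example that is not part of the original document: Python code using textbook RSA over SHA-256
(without the padding that real signature schemes add). The key pairs are constructed from Mersenne
primes only so the code runs without a key-generation library, and the names make_key, sign,
verify and demo are illustrative.

```python
import hashlib

E = 65537  # public exponent shared by both constructed key pairs


def make_key(p: int, q: int):
    """Return (n, d): public modulus and private exponent for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed demo keys (Mersenne primes). Real keys use large random primes.
N, D = make_key(2**521 - 1, 2**607 - 1)              # the signer
N_OTHER, D_OTHER = make_key(2**127 - 1, 2**607 - 1)  # some other key holder


def digest(record: bytes) -> int:
    """Rule 4: hash the electronic record to a fixed-length hash result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, d: int, n: int) -> int:
    """Rule 4: transform the hash result using the signer's private key."""
    return pow(digest(record), d, n)


def verify(record: bytes, signature: int, n: int) -> bool:
    """Rule 5: recompute the hash, apply the public key to the signature,
    and accept only if the two digests are identical."""
    if not 0 <= signature < n:
        return False
    return pow(signature, E, n) == digest(record)


def demo() -> dict:
    record = b"Tender bid: INR 4,50,000 (constructed sample record)"
    sig = sign(record, D, N)
    altered = record.replace(b"4,50,000", b"9,50,000")
    return {
        "original": verify(record, sig, N),
        "altered_record": verify(altered, sig, N),
        "altered_signature": verify(record, sig ^ 1, N),
        "other_private_key": verify(record, sign(record, D_OTHER, N_OTHER), N),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'valid' if ok else 'REJECTED'}")
```

Only the first case verifies: changing the record, changing the signature, or signing with a
different private key each makes the two digests differ.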

Problems With Digital Signature

• It functions online. Therefore, it has to be either purchased or downloaded.

• It lacks trust and authenticity.

Digital Signature Certificate (DSC)

Introduction

1. A method to prove the authenticity of an electronic document.

2. It can be presented electronically to prove the identity, to access information or sign certain
documents digitally.

3. The Central Government has appointed a Controller of Certifying Authorities who grants a
license to the Certifying Authorities to issue digital signature certificates to the subscriber.

Who needs a DSC?

1. A vendor and a bidder

2. A Chartered Accountant

3. Banks

4. Director of a company

5. A Company Secretary

6. Other Authorized Signatories

Elements of Digital Certificate

1. Owner’s public key.

2. Owner’s name.

3. The expiration date of Public Key.

4. Name of the issuer.

5. Serial Number of the certificate.

6. A digital signature of the user.

Types of Certificate

1. Only Sign– It could only be used for signing a document. It is widely used in signing PDF Files
for the purpose of filing Tax Returns for usage as an attachment for Ministry Of Corporate
Affairs or other government websites.

2. Encrypt– It is used to encrypt a particular document. It is popularly used in tender portals to
help a company encrypt a document before uploading it.

3. Sign along with Encryption– It is used for both signing and encrypting a particular document.

Validity

The DSC is valid up to a maximum period of three years.

DSC under the Information Technology Act, 2000

• Section 35: Any person who wishes to get a Digital Signature Certificate may file an
application to the certifying authority for issuance of the Electronic Certificate along with the
submission of the required amount of fees not exceeding Rs. 25,000, including a statement
of certification practice or stating such particulars as prescribed.

• Section 36: Representations upon issuance of the DSC.

• Section 37: Suspension in public interest, not more than 15 days, unless given the
opportunity to present the case.

• Section 38: Revocation on death or request of a subscriber, dissolution of a company or a
firm.

Legal Approach and Digital Signature

• The provisions of the Information Technology Act, 2000 are based on the UNCITRAL’s Model Law
on E-Commerce.

• The Model Law is based on the minimalist neutral approach, i.e. with the changes in
technology the law will remain neutral, as technology is dynamic in nature and comes into the
public domain with a lot of advancement with the passage of time, and it will not be feasible
for the legislators to keep on changing the laws dealing with the technology.

• According to Article 7 of the UNCITRAL model, there ought to be a signature of a person
while contracting using the electronic means, for which any technology can be used. It has to
be ensured that the sender can be identified and he has given his consent to the message.

• The same ‘technology neutrality’ approach has also been ratified by the Amendment Act,
2008 of the Information Technology Act, 2000, with the insertion of Section 3A.

Documents on Which Digital Signature is not Valid (Sec. 1(4) of IT Act, 2000)

• Certain documents need a notarial process or require a physical signature. Some documents
are also required to be registered by the Registrar or sub-registrar to be legally enforceable.
• Negotiable instruments such as a promissory note or bill of exchange, other than a cheque.
• Trust deeds.
• A will and testamentary disposition.
• Real estate contracts (lease/sales agreement).
