
Information Technology Act 2000

Digital Signature
A subscriber may authenticate an electronic record by affixing his digital signature
Any person can verify the electronic record by using the subscriber's public key
The private key and the public key are unique to the subscriber and constitute a key pair
Electronic Governance
Accorded legal recognition to digital signatures
Digital signatures treated at par with handwritten signatures
Use of electronic records and digital signatures in government and its agencies
Retention of electronic records as per law
Publication of rules, regulations etc. in the electronic gazette
Central government may make rules regarding the digital signature format
Certifying Authority
An organization which issues public key certificates.
Must be widely known and trusted
Shall display its license
Shall disclose its public key, CPS (Certification Practice Statement) and CRL (Certificate Revocation List)
Must have well-defined methods of assuring the identity of the parties to whom it issues certificates.
Must confirm the attribution of a public key to an identified physical person by means of a public key certificate.
Always maintains online access to the public key certificates issued.

Public-Key Certification
[Figure: Public-Key Certification. A user certificate holds the user's name and other credentials, the user's public key, the CA's name, the validation period and the signature of the CA, produced with the CA's private key. The user sends a certificate request to the CA, which issues the user certificate and publishes it in the certificate database.]

Contents of a Public Key Certificate
Issued by a CA as a data message and always available online
Serial number of the certificate
Applicant's name, place and date of birth, company name
Applicant's legal domicile and virtual domicile
Validity period of the certificate and the signature
CA's name, legal domicile and virtual domicile
User's public key
Information indicating how the recipient of a digitally signed document can verify the sender's public key
CA's digital signature
Certificate Revocation List
A list of all known certificates that have been revoked and declared invalid

Controller of Certifying Authorities
The Controller of Certifying Authorities, as the Root Authority, certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates
Controller of Certifying Authorities contd.
The CCA operates the following:
Root Certifying Authority (RCAI) under section 18(b) of the IT Act, and
National Repository of Digital Signature Certificates (NRDC)
Web site: cca.gov.in

CCA's role
Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities.
The Controller of Certifying Authorities, as the Root Authority, certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates.
Certifying the public keys of the CAs, as Public Key Certificates (PKCs).
Laying down the standards to be maintained by the CAs.
Recognition of foreign certifying authorities.
Addressing the issues related to the licensing process, including:
Approving the Certification Practice Statement (CPS);
Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA.

CCA's role contd.
License to issue digital signature certificates
Renewal, rejection, suspension and revocation of licenses
Delegation of power to deputy controller, assistant controller etc.

Digital Signature Certificate
A subscriber may apply to a certifying authority for a digital signature certificate
A certificate may be suspended by the certifying authority
A certificate may be revoked by the certifying authority


Duties of subscriber
Generating the key pair
Acceptance of the digital signature certificate
Control of the private key
Loss or compromise of the key must be communicated to the certifying authority

Penalties and adjudication
Penalty for damage to a computer, computer system or network, including by virus, denial of service etc.
Penalty for failure to furnish information etc.
Residual penalty
Appointment of an adjudicating officer to look into the matter
Offences
Tampering with computer source documents
Hacking with computer system
Publishing information which is obscene in electronic form
Failure to comply with an order of the Controller
Failure to comply with a direction of the Controller to a subscriber to extend facilities to decrypt information

Offences contd.
Suppressing any fact from the Controller or a certifying authority
Penalty for publishing a digital signature certificate false in certain particulars
Offence committed outside India involving a computer system in India
Audit Process
Adequacy of security policies and their implementation;
Existence of adequate physical security;
Evaluation of functionalities in technology as it supports CA operations;
Compliance with the adopted Certification Practice Statement (CPS);
Adequacy of contracts/agreements for all outsourced CA operations;
Adherence to the Information Technology Act 2000 and the Rules, Regulations and Guidelines issued by the Controller from time to time.
End entities, subscribers and relying parties
The end entities of RCAI are the licensed CAs in India.
Subscribers and relying parties using the certificates issued by a CA need to be assured that the CA is licensed by the CCA.
They should be able to verify the licence under which a PKC has been issued by a CA.
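The certificate contents, the CRL and the relying party's check described on the slides above, as an added Go example that is not from the original deck or from the CCA: a certificate (serial number, applicant's name, CA's name, validity period, public key) is signed with the issuer's private key, and a relying party verifies the subscriber certificate under the CA's key, the CA's certificate under the RCAI root key, and rejects anything outside its validity period or listed in the CRL. The Certificate type, Issue, VerifyChain, the use of Ed25519 and the CA names are assumptions of this example, not the Indian PKI's actual formats.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Certificate carries the fields from the "Contents of a Public Key Certificate" slide (constructed model).
type Certificate struct {
	Serial              int
	Subject, Issuer     string // applicant's name, CA's name
	NotBefore, NotAfter time.Time
	PublicKey           ed25519.PublicKey
	Signature           []byte // CA's digital signature over every other field
}
// tbs is the to-be-signed encoding: the certificate with its signature blanked.
func (c Certificate) tbs() []byte {
	c.Signature = nil
	b, _ := json.Marshal(c) // every field is marshalable, so err is always nil
	return b
}
// Issue makes a key pair for subject and returns its one-year certificate signed by issuerPriv, plus the new private key.
func Issue(serial int, subject, issuer string, issuerPriv ed25519.PrivateKey, now time.Time) (Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	c := Certificate{serial, subject, issuer, now, now.AddDate(1, 0, 0), pub, nil}
	c.Signature = ed25519.Sign(issuerPriv, c.tbs())
	return c, priv
}
// VerifyChain is the relying party's check: chain[0] is the subscriber certificate, each one must verify under the
// key in the next, the last under the RCAI root key (from the NRDC); each must be in its validity period and off the CRL.
func VerifyChain(chain []Certificate, root ed25519.PublicKey, crl map[int]bool, now time.Time) bool {
	for i, c := range chain {
		issuerKey := root
		if i+1 < len(chain) {
			issuerKey = chain[i+1].PublicKey
		}
		if !ed25519.Verify(issuerKey, c.tbs(), c.Signature) || crl[c.Serial] || now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return false
		}
	}
	return true
}
func main() {
	now := time.Now()
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // RCAI root key pair (constructed)
	ca, caPriv := Issue(1, "Example Licensed CA", "RCAI", rootPriv, now)
	sub, _ := Issue(2, "Subscriber", ca.Subject, caPriv, now)
	chain := []Certificate{sub, ca}
	fmt.Println(VerifyChain(chain, rootPub, nil, now), VerifyChain(chain, rootPub, map[int]bool{1: true}, now)) // true false
}
```

Revoking the CA's own serial (1) invalidates every subscriber certificate beneath it, which is why the slides require relying parties to check the CA's licence as well as the subscriber's certificate.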
Strong Room for RCAI
Reinforced walls for the room housing RCAI
24-hour surveillance through CCTV
Access controls through proximity cards and biometric readers
Physical security including locks
Security personnel
National Repository : NRDC
[Figure: National Repository of Digital Certificates (NRDC). The CCA, through RCAI, certifies the public keys of the CAs; each CA publishes its certificates and CRL over the Internet to the NRDC directory, which holds the CA public keys certified by RCAI and the CAs' revoked keys; subscribers and relying parties query the directory through a client.]
CCA : National Repository of Certificates of Public Keys of CAs and Certificates issued by CAs
India PKI
[Figure: India PKI hierarchy. The CCA is at the root; the licensed CAs shown are TCSCA, NICCA, Safescrypt, IDRBTCA, iCert (CBEC), (n)Code and MTNL Trustline.]
PKI-enabled Applications
eProcurement: IFFCO, DGS&D, ONGC, GAIL, Air-India, Railways
Others: MCA21, Income Tax e-filing, IRCTC, DGFT, RBI Applications (SFMS)

Challenges ahead
Interoperability
Uniformity in certificate contents
Validation methods - Certificate Revocation Lists, ...
International alliances
End User Adoption
Application interoperability.
Digital Signature Certificate interoperability.
Trusted Verification Authority.
Storage medium

Challenges ahead contd.

Awareness
Understanding of digital signature concepts
Knowledge about the legal rights, duties and liability of owning a digital certificate
