Sign language comes of age

Vipin Kumar

WE will soon be able to sign digitally, if one is to go by what K.N. Gupta, Controller of Digital Signature Certifying Authorities (CAs), says. In an interview to eWorld, Gupta dwelt at length on the digital signature and its significance. Excerpts from the interview.

How secure is digital signature and to what extent is it legally valid in India?

The IT Act 2000 has placed digital signature on a par with paper signature. So, in a court of law, it is as valid as a paper signature. The IT Act has, however, excluded some items such as Will, Power of Attorney and Transfer of Immovable property where digital signature is not on a par with paper signature.

As far as security is concerned, the digital signature scores over a paper signature on all counts, be it authenticity, confidentiality or non-repudiation. For instance, one can deny signing a document and claim that one's signature has been forged, but such issues don't arise in the case of the digital signature.

How is that possible?

To use a digital signature, you need a set of two keys -- a public key and a private key -- to encrypt and decrypt. These keys are actually a pair of algorithms inverse to each other. If you encrypt a message using your public key, it can be undone only by the private key of the receiver of that message, for whom it is intended. While your public key is known to others, your private key is confidential.

Let's see how it works. I send a message to you via the Net by encrypting it with your public key. Even if someone is able to intercept this message, he cannot decipher it since it can be read only with your private key.

What is the role of CAs in this process?

The CA will issue the digital signature to you. The CA will certify that the holder of a particular signature is indeed the genuine owner of it. These CAs will be regulated by the Controller.

It's been almost a year since your post was created. Why has this delay occurred in appointing CAs?

This delay is quite natural, considering that even in countries such as Singapore, it took about two years. Many ministries, such as IT and Law, are involved in the process. But now we are ready to accept formal applications. In another month's time, I will be issuing the regulations to CAs.

When you invited applications initially in March, what was the response?

There were about 200 applications at that time and I think at least 10 among them should be serious players. I had invited the applications in March, thinking we could issue a provisional regulation, subject to the approval of the Law Ministry. But then that is not allowed. Some of those who initially responded are TCS, MTNL, the RBI, the Department of Post, NSDL and VSNL.

What kind of investments are required for a CA? How viable is this going to be?

To become a CA, one will have to invest Rs 5-6 crore in the infrastructure, a major part of which will go towards the hardware and security software. I feel that in order to be viable, a CA will have to issue about one lakh certificates annually, since the annual fee from the users for the digital signature may be some Rs 1,000 or so. The CAs are, however, free to decide the fee on the basis of the market conditions.

What are going to be your regulations for the CAs?

Firstly, the CAs should adhere to common standards

in technology implementation for issuing digital signatures because we need to ensure interoperability between them.

They will also have to have a ``time stamping'' facility so that the exact time of a transaction can be ascertained. This could be useful in the event of a dispute.

The CAs should also take care of the security angle and maintain a track record of 10 years of such employees, as to where they worked in the past, etc. They are also not supposed to

divulge information regarding their subscribers so that their privacy is maintained. These are some of the regulations.

When do you think the first CA in the country would be in place?

I believe one or two are already ready with their infrastructure and the first CA will be in place in this calendar year itself. We have created a panel of 16 auditors including KPMG, Arthur Andersen and PricewaterhouseCoopers (PwC) to assess the infrastructure. I would be very happy if we have 4-5 CAs, to begin with, in the country.

Pic.: Mr K. N. Gupta.

Please e-mail us at bleditor@thehindu.co.in if you have queries on computer usage or if you find an interesting way of using the computer.