Indian Regulations regarding Recognition of Foreign Certifying Authorities : Facilitating Cross-Border Trade and Investments using Digital Signatures Website : cca.gov.in
AFACT Members and India AFACT members are already having strong economic linkages with India, eg, India - ASEAN trade : $79.3 billion ( ), target of $100 billon by 2015 and $200 billion by India - China trade : $ 67 billion ( ), target of $ 100 billion by 2015 India - Iran Trade : $ 13.4 billion ( ), India is also involved in projects like development of Chabahar Port, International North-South Corridor. India – Japan Trade : $18.43 billion ( ),Comprehensive Economic Partnership Agreement signed. India – Republic of Korea : $ 20.5 billion ( ), target of $ 40 billion by Comprehensive Economic Partnership Agreement in force. Cross-border trade could be further facilitated by use of Digital Signatures
Why Digital Signatures? For using Internet as a safe and secure medium for e-Commerce and e-Governance Most countries have already given Legal Validity to Documents signed digitally. Electronic documents are convenient for copying,transmission,storage. Reduces dependence paper based documents, hence environment friendly. Digital Signatures provide Authenticity(assurance of the genuineness of the source/signer), Integrity(assurance that document hasn't been changed after signing) and Non-repudiation(the signer cannot later deny signing the document ) to electronic documents.
Digital Signature Usage in AFACT member countries Many of the AFACT members like Japan, S.Korea, India, Chinese Taipei, Malaysia, Singapore have already implemented Electronic Signature Act/IT Act modelled on UNCITRAL's Model Law and have provided legal validity to documents signed digitally at par with paper signature. The use of Digital Signatures is already widespread in many AFACT members and is increasing further due to presence of strong, secure and robust PKI environments
Public Key Infrastructure in India Information Technology Act, 2000 has given legal recognition to documents signed Digitally. Controller of Certifying Authorities(CCA) acts as the Regulator and Facilitator of PKI in India Certifying Authorities are licensed by the Controller (CCA).Compliance with the Information Technology Act, 2000 and other Rules and Regulations is monitored by the CCA. Office of CCA is also Root Certifying Authority of India. Public Keys of licensed Certifying Authorities are signed by the Office of CCA. More than 6.6 Million Digital Signature Certificates have been issued till now. Broad applications include eLICENCE, ePROCUREMENT, eIPO, eIncome Tax, eBanking, e-Governance.
Current Scenario : Public Key Infrastructure (PKI) Digitally signed documents are signed using a Private Key and verified using corresponding Public Key. Some Trusted Agency is required which certifies the association of an individual with the key pair. Such trusted agencies are called “Certifying Authorities”(CA).Most countries issue licenses to agencies which operate as CAs. Documents signed using Digital Signature Certificate issued by such recognized Certifying Authorities are legally equivalent to documents signed manually inmost countries. However, a CA which is legally recognized in country “X” may not be legally recognized in country “Y”
Limiting Recognition of Certifying Authorities creates few inconveniences Mr “Good-Trader” in a country “Utopia” has a Digital Signature Certificate issued by “SecureCA”, a recognized Certifying Authority in “Utopia” and wants to sign a document and send it to Mr “Good-Customer” in another country “Heaven”. However, “SecureCA” is not a recognized Certifying Authority in “Heaven” and hence the digitally signed document lacks legal validity in “Heaven”. To increase Mr. Good-Trader's problems, no recognized Certifying Authority of “Heaven” is having local presence in “Utopia”
A possible Solution The two countries “Utopia” and “Heaven” can have an arrangement through which recognized,licensed Certifying Authorities in both the countries are mutually recognized and Digital Signatures Certificates issued by them are accepted
As per Section 19 (1) of the Information Technology Act, 2000 subject to conditions and restrictions as specified by regulations in this regard, the Controller may with the previous approval of the Central Government, and by notification in the Official Gazette, recognise any foreign Certifying Authority. Section 89 of the Information Technology Act, 2000 requires consultation with the Cyber Regulations Advisory Committee and previous approval of the Central Government for framing Regulations for recognition of Foreign CAs. The Controller of Certifying Authorities,following the procedure given in the IT Act, has issued Notification containing Regulations regarding Recognition of Foreign CAs. The Notification can be accessed on CCA's website: Recognition of Foreign CAs : Indian Law
The Notification contains two sets of Regulations One for recognized Foreign Certifying Authorities operating under a PKI Regulatory Authority comparable to that in India. Other set of Regulations for those Foreign Certifying Authorities which are not operating under a PKI Regulatory Authority. Recognition of Foreign CAs : Indian Law
For Foreign Certifying Authorities operating under a Regulatory Authority Digital Signature Certificates issued by a Foreign Certifying Authority,which has been authorized by legally recognized Regulatory Authority of its country, will be recognized in India, if the Controller of Certifying Authorities enters into a memorandum of understanding with the recognized Foreign Regulatory Authority. Before entering into a Memorandum of Understanding, the Controller will ensure that the laws of the country under which such regulatory authority is established, require a level of reliability at least equivalent to that required for issuance of a Digital Signature Certificate under the IT Act of India,2000 The following are some of the factors, to be used for determining the level of reliability: (a)Financial and human resources, including existence of assets within the country; (b)Trustworthiness of hardware and software systems; (c)Procedures for processing of certificates and applications for certificates and retention of records; (d)Availability of information to subscribers identified in certificates and to potential relying parties; (e)Regularity and extent of Audit by an independent body; (f)Strength of Algorithms used.
We look forward to enter in MoUs with PKI Regulators from various countries for mutual recognition of Certifying Authorities. The details of Regulations in this regard are available on the website cca.gov.in.
Foreign Certifying Authorities not operating under any Regulatory Authority Many countries do not have PKI Regulators like India. Certifying Authorities from such countries may also apply for recognition. Recognition may be granted if the Controller is satisfied about their reliability, security and fulfillment other conditions. Such CAs will have to apply to the CCA in the prescribed format. The Application should contain documents like CPS,a statement including the procedures with respect to identification of the applicant,a statement for the purpose and scope of anticipated Digital Signature Certificate technology, management, or operations to be outsourced, certified copies of the business registration documents and licences. Further, such CAs will have to establish a Local Office in India and submit a performance bond.
International Initiatives for Cross-Border Recognition of Digital / Electronic Signatures Regional Commonwealth in the field of Communications : The Trans-boundary Trust Space CIS Member States European Union : Revision of e-Signature Directive for Cross-Border Mutual Recognition of Electronic IDs. esignature-directive UN/CEFACT : A Project named “Recommendation for ensuring legally significant trusted trans-boundary electronic interaction” has been proposed, Recommendation 14.
Path Ahead 1.PKI Regulators need to work together to establish mutually acceptable Inter-operability Guidelines, security and audit criteria. However, in case countries whose IT Act/Electronic Signature Act is based on Model UNCITRAL Laws have some commonalities which will help in evolving such Guidelines. 2.MoUs for Mutual Recognition 3. Initiated with Korea through KISA, Iran through GRCA, Russia, Israel, Nepal, China, UNESCAP SRO-SSWA etc. 4.Seeking expression of interest with other AFACT members
Thank You Controller of Certifying Authorities(India) Website : cca.gov.in