Most Indians are reluctant to pay for digital signatures. With government mandates, things may look up for certifying authorities.
It has been 10 years since the use of digital signatures was made legal by the IT Act 2000. However, there are only slightly over 1 million digital certificates issued by all the eight licensed certifying authorities (CAs) till date. Of these, around 40-50 per cent would have expired since a digital certificate typically has a life-span of two years, after which it needs to be renewed.
The potential for digital signatures is huge in services like e-procurement, filing of returns, filing of export-import licenses, online banking, financial transactions and digitisation of land records. Moreover, they can assist in reducing the carbon footprint by creating a paperless office.
Cost, however, is the primary reason for the lack of numbers. Consider this. There are eight CAs, which include government players like the National Informatics Centre, IDRBT (instituted by the Reserve Bank of India in 2003 — for banking), iCERT (Customs and Central Excise) and MTNL. The private players comprise Tata Consultancy Services (TCS), Safescrypt (from Sify), (n) Code Solutions (from GNFC), and e-mudhra (from 3i Infotech).
TCS claims to be the largest certifying authority in India, It has over 100 partners and says it has issued over 600,000 digital certificates in India.
Under MCA21, every person who is required to sign manual documents and returns filed with the registrar of companies (ROC) is required to obtain a Digital Signature Certificate (DSC). There are three types of DSCs with different security levels. For filing documents under MCA21, a Class-2 DSC issued by a Licensed Registration Authority is required.
However, CAs do not sell the certificates directly. Instead they have distributors or partners. However, while digital signatures are estimated to cost CAs Rs 175-225, individuals typically end up paying anyway between Rs 1,500 and Rs 3,000 — and sometimes even up to Rs 7,000 for the high-level Class-3 security certificates. The prices include a one-time payment for a crypto (USB) e-token, which contains the software.
Much depends on the bundling schemes and packages offered by the distributors, say the CAs. “We Indians are not used to paying for our own signature. If the cost is reduced, it will surely help in the growth of this segment,” explains Murali Venkatesan, Product Specialist, Sify Technologies. “The intermediaries make a huge margin while CAs get a marginal profit. But it’s also a mindset issue for most Indians,” concurs cyberlaw expert and Supreme court advocate Pavan Duggal.
A digital signature is not a facsimile of a person’s physical signature. However, the person who signs the document cannot later disown it by claiming that the signature was forged.
On an average, CAs have invested around Rs 15 crore to create an infrastructure for digital certificates. For instance, the National Informatics Centre established the Certifying Authority (NICCA) at its headquarters in May 2003. It comprises a state-of-the-art secure infrastructure, complete with biometric sensors and surveillance system. Sify, according to Venkatesan, has a Tier-VII level security which includes a steel door for rooms. “Gaining physical access to our infrastructure where we store the digital certificates is virtually impossible. Of course, nothing is foolproof. But the security is very tight and all our employees have undergone background checks to verify their integrity,” says Venkatesan. He, however, adds, that given the “poor response” to digital signatures, his company is yet to get a return on investment (ROI).
The scenario, however, is changing with some help from the government, too. On July 12 this year, the Central Board of Direct Taxes (CBDT) ruled that digital signatures will now be mandatory for all electronically-filed income-tax returns of companies. Earlier, companies were allowed to file their electronic returns with or without digital signatures. “In fact, most of the digital signature certificates were sold in the last two years. Going forward, we expect the numbers to increase with around 400,000-600,000 certificates being sold annually by all CAs,” says Venkatesan.
CAs also say the Indian government could follow the examples of China, Korea, Brazil, Australia (Gatekeeper project) and the European community — where government intervention has helped in the proliferation of digital signature certificates — and push the cause of e-signatures further.
However, there are some caveats. “The government should not be too pushy in mandating digital signatures even for individuals,” cautions Duggal, “else there could be a spate of litigations since it could violate the broader “Right to Life” guaranteed to citizens by the Indian Constitution”. The CAs nod their heads in agreement.
Key to a signature
A digital signature is issued by a Certification Authority (CA). It usually contains the owner’s name; company and address; public key; certificate serial number; expority date of the public key; certifying company ID; and certifying company digital signature. The digital signature scheme typically comprises a key generation algorithm, which selects a private key at random from a set of possible private keys.
The algorithm outputs the private key and a corresponding public key. A signing algorithm, given a message and a private key, produces a signature. A signature verifying algorithm — given a message, public key and a signature — either accepts or rejects the message’s claim to authenticity and, hopefully, increase the size of this sphere.