PKI Framework

 

Central to the growth of e-commerce and e-governance is the issue of trust in the electronic environment. The future of e-commerce and e-governance depends on the trust that the transacting parties place in the security of transmission and the content of communication.

Creating trust in the electronic environment involves assuring the transacting parties of the integrity and confidentiality of the content of documents, along with authentication of the sending and receiving parties in a manner that ensures that neither party can repudiate the transaction. The paper-based concepts of identification, declaration and proof are carried into the electronic environment through the use of digital signatures. Digital signatures, a form of electronic signature, are created and verified using Public Key Cryptography, which is based on the concept of a key pair generated by a mathematical algorithm: the public and private keys.

The Information Technology Act, 2000 provides the required legal sanctity to digital signatures based on asymmetric cryptosystems. Digital signatures are now accepted at par with handwritten signatures, and electronic documents that have been digitally signed are treated at par with paper documents.

The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue digital signature certificates for electronic authentication of users.

The CCA certifies the public keys of CAs using its own private key, which enables users in cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose it operates the Root Certifying Authority of India (RCAI). The CCA also maintains the Repository of Digital Certificates, which contains all the certificates issued to CAs in the country.

The CCA is at the root of the trust chain in India.

Use of PKI in e-governance

As the Government of India moves toward the implementation of e-governance at various levels of Government functioning, authentication of information becomes a critical requirement. This section lists some e-governance sites in India which are using Digital Signatures.

E-Governance Sites

  • Ministry of Corporate Affairs, Government of India
  • E-Procurement Project of Government of Andhra Pradesh
  • Indian Customs and Excise Gateway
  • Karnataka Government e-Procurement System
  • Directorate General of Supplies and Disposal
  • Directorate General of Foreign Trade

Root Certifying Authority of India (RCAI)

The CCA has established the RCAI under section 18(b) of the IT Act to digitally sign the public keys of CAs in the country. The RCAI is operated as per the standards laid down under the Act.

 

The requirements fulfilled by the RCAI include the following:

  • The licence issued to the CA is digitally signed by the CCA.
  • All public keys corresponding to the signing private keys of a CA are digitally signed by the CCA.
  • A relying party can verify that these keys are signed by the CCA through the CCA's website or the CA's own website.

Authorized CCA personnel initiate and perform Root CA functions in accordance with the Certification Practice Statement of Root Certifying Authority of India. The term Root CA is used to refer to the total CA entity, including the software and its operations.
