Whether CCA issue Digital Signature Certificates to end-entities?
The Office of Controller of Certifying Authorities (CCA), issues Certificate only to Certifying Authorities(CAs). CAs issue Digital Signature Certificates to end-entities.
How do I get a Digital Signature Certificate (DSC)?One can approach any one of the Licensed CAs for getting a Digital Signature Certificate. The list of Licensed CAs is available at http://www.cca.gov.in/licensed_ca.html. The different categories of certificates offered by different CAs are listed at http://www.cca.gov.in/CAServicesOverview.html. The contact address of each CA and their help desk numbers are available in the disclosure record of each CA published at http://www.cca.gov.in/licensed_ca.html.
What are the identity verification options available to a DSC applicant?
The identity verification options available to a DSC applicant are:-
Which are the CAs issuing Class 2 and Class 3 DSCs to public at present? Please provide their contact details?
|Certifying Authorities||Website||Contact Details|
|saj.francis[at]sifycorp.com, +91 90032 77877,+91 80675 99006|
|Jaishankar.v[at]emudhra.com, +91 80 422 753 00, +91-9448809899|
|sales[at]Certificate.Digital, +91 95603 42507, +91 11 614 000 00|
|huzefa.thanawala[at]verasys.in, +91 98193 15990|
|Kunal[at]ncode.in, +91 99989 89896|
Why self attested documents are not accepted by CAs for DSC issuance?
Wherever self attestation has been facilitated as a part of submitting an Application for service, the original documents are required to be produced at the point of getting the service. In the case of Digital Signature Certificate (DSC) Applicants, they can directly approach Certifying Authorities (CA) at the CA premises with original supporting documents, in which case self-attestation of copies will be sufficient.
How does one know about the different classes of certificates offered by the Licensed CAs?.
The services offered by CAs are available on the website of each CA. The summary of service offered by CAs are available at http://www.cca.gov.in/cca/?q=CAServicesOverview.html..
Where can I find the Identity Verification and key storage requirements for different type and Class of Certificates?
The verification requirements are mentioned in the Identity Verification Guidelines (CCA-IVG) and Key generation and storage requirements are mentioned in Section 6.1.1 of X.509 Certificate Policy for India PKI (CCA-CP). Both documents are available at cca.gov.in
- Paper based application form and supporting documents(all attested)
- Aadhaar eKYC based verification for Aadhaar holder(no supporting documents are required)(no attestation)
- Banking KYC or eKYC. Banking eKYC is dependent on CAs tie-up with banks for getting electronic KYC information of banking customers.(no attestation required)
Should individual's signature and encryption certificate be different?
Yes, The signature and encryption certificate should be separate for an individual. The encryption keys are to be generated at the subscriber's system and should be archived prior to transfer into crypto-medium. The signature keys should be generated in the crypto-medium and should not be copied.
Does one require multiple certificates for different application?
No, Ideally, there should not be any requirement for different certificates, however the person holding lower assurance Class 2 certificate may require higher assurance Class 3 certificates for application which demand the same. The higher assurance Class 3 certificates can be used where ever application requires lower assurance certificate. Apart from assurance, depending on the information included in the DSC (For example PAN Number may be required by application) additional certificate may be required.
Whether a person is allowed to take multiple certificates from different CAs?
What are the different classes of Digital Signature Certificates?
- Class 1 : The verification requirements are (i) Aadhaar eKYC Biometric or (ii) paper based application form and supporting documents or (iii) Aadhaar eKYC OTP + Video Verification . The Private Key generation and storage can be in software.
- Class 2 : The verification requirements are (i) Aadhaar eKYC Biometric or (ii) Paper based application form and supporting documents or (iii) Aadhaar eKYC OTP + Video Verification . The Private Key generation and storage should be in Hardware cryptographic device validated to , FIPS 140-2 level 2.
- Class 3 : The verification requirements are (i) Aadhaar eKYC Biometric or (ii) Paper based application form and supporting documents and (physical personal appearance before CA or Video verification) or (iii) Aadhaar eKYC OTP + Video Verification . The Private Key generation and storage should be in Hard ware cryptographic device validated to FIPS 140-2 level 2
- Aadhaar e-KYC-OTP: The verification requirement is Aadhaar eKYC OTP.
- Aadhaar e-KYC-Biometric: The verification requirement is Aadhaar eKYC Biometric.
- For more details please refer to section 1.3.5 of X.509 Certificate Policy for India PKI(CCA-CP)
Whether the same class and/or type of certificates issued by one CA can be different from that issued by another CA?
No. The same class and/or type of certificates issued by all CAs have the same level of assurance and trust.India PKI follows a Hierarchical PKI model where Root CA certifies CA and CA in turn certifies the subscriber. The India PKI Certificate Policy is applicable to the entire eco-system of CA certificate, subscriber's certificates and key storage medium. The method of verification prior to issuance of same assurance level certificate is as per the IVG. Similarly, the content format and storage medium for all certificates issued by all Licensed CAs are as per Interoperability Guidelines for DSC and X.509 Certificate Policy for India PKI. There is no difference in the certificates of same class and type issued by different CAs. The price of the certificate may however vary from CA to CA.
Whether all CAs have to mandatorily issue all classes of certificates?
No. CAs can opt out of issuance of any class(es) of certificates at their discretion. CAs are not allowed to issue any classes of certificates to other than that specified in the India PKI CP and specifically allowed by CCA.
- For more details please refer to section 1.3.5 of X.509 Certificate Policy for India PKI(CCA-CP)
If a person is transferred from one post to another (say in govt. department), the digital signature will also change (yes/no)? Please explain?
Yes. On moving from one department to another, if the procedure in place so demands then the existing Digital Signature Certificate will be revoked and a new one will be required to be issued.
Why is it important that custody of Hardware Cryptographic Device containing the signature creation data should only be with subscriber?
After the issuance of DSC to subscriber by CA, any signature created using the device and verifiable through this DSC is deemed as subscriber’s signature.
Whether Class 3 individual Digital Signature Certificates can be used where class 2 individual Digital Signature Certificates is a requirement?
Can a person have two Digital Signature Certificates - say one for official use and other one for personal use?
Whether Digital Signature certificate & signing keys of an employee can be retained by organisation upon the subscribers exiting the organisation?
No. The Digital Signature Certificate should be revoked and keys should be destroyed by the subscriber.
Whether Document Signer Certificate can be treated as organisational certificate?
The document signer certificate is issued for use with the software of an organisation for automated authenticated response. Document signer certificate is not a replacement for the signature of the authorised signatory of the organisation.
Digital Signatures are available in different Classes where as individual's ink signature is unique? How an organisation decides the appropriate signature for their application?
Organisation has to see assurance levels of DSC as indicated by its class. If organization is not competent to decide the Class of the DSC required for their application, a Risk Analysis may be carried out through empanelled auditors of Cert-IN or CCA and a recommendation may be obtained.
Whether users of an organisation can store their signature creation key of Class 2 and Class 3 DSCs in HSM?
No. The keys corresponding to Class 2 and Class 3 certificates are to be mandatorily stored in FIPS 140-2 level 2 validated crypto Token which is in the custody of the subscriber. The requirements for the storage of key pairs of subscribers are not in full compliance when using HSM for Class 2 and Class 3 certificates. However only a single user can store his/her keys in HSM.
Whether CAs will have information on the signature carried out by subscribers?
CAs will not have any information on the signatures applied by the subscribers after the issuance of DSC. The application owners or subscribers themselves can keep records of the signature affixed by them.
Whether Aadhaar eKYC based authentication can be treated as signature of individual?
Aadhaar eKYC based authentication provides the electronic identity of an individual at a particular point of time. It cannot be used at later point of time to authenticate documents or transactions, whereas the Digital Signature provides the electronic authentication of individual and bind it to the documents or transactions being signed. The intention of signatory for a particular transaction or document can be conveyed in a verifiable form at any point of time in the future only by using electronic signature. Such Digital signature applied by individuals can be verified independently using software. As per IT Act, the electronic records need to be authenticated by using Electronic Signature.
Whether my signature will be valid after the expiry of certificate?
Signatures are to be verified with respect to signature affixing time. If the certificate is valid at the time of signature, the signature is deemed to be valid.
Is there a "Specimen Digital Signature" like paper signature?
No. The Digital signature changes with content of the message.
Whether it is possible to sign an electronic record without the knowledge of a signer?
It depends upon the how the subscriber has kept his private keys. If private key is not stored securely, then it can be misused to sign an electronic record without the knowledge of the owner of the private key.
In paper world, date and the place where the paper has been signed is recorded and court proceedings are followed on that basis. What mechanism is being followed for dispute settlements in the case of digital signatures?
Under the IT Act, 2000 Digital Signatures are at par with hand written signatures. Therefore, similar court proceedings will be followed. The requirements of recording of date and time can be addressed through Time Stamping.
What are the signature types allowed as per the existing standards?
- RSA Signature Algorithms with SHA2 Hashing Algorithms
- ECDSA Signature Algorithms with SHA2 Hashing Algorithms and NIST Curve p-256. (For details ref Digital Signature (End entity rules) 2015 and also Interoperability Guidelines for DSC (CCA-IOG))
Where can I find the verification method to be followed in the rules and Guidelines?
The procedure for verification of signature is specified in Digital Signature (End entity rules) 2015 and also in Annexure IV – Application Developer Guidelines of Interoperability Guidelines for DSC (CCA-IOG).
For verification of Digital Signature of any individual, whether I need the certificates of the signer and the issuing CA?
Yes. Signer's certificate and the complete issuer chain of certificates up to the Root certificate are required. The chain may either be part of Digital Signature or be made available to the verifier by the application service provider. Microsoft products carry Root Certificate of India. If not present locally in the verification system, it can be downloaded from http://cca.gov.in. In the case of application based verification, applications need to make available the Root Certificate to the verification component.
How can a digitally signed document be verified after the DSC associated with the Public Key has expired?
The digital signature verification process for a document requires the signer’s public key, issuer certificates and their CRLs. CA will make available the issuer certificates and CRLs till the expiry of DSCs. For the requirements of verification beyond expiry of DSCs, the application should therefore have a provision to locally store DSCs issuer certificate and their CRL’s at the time when the document was digitally signed.To enable the verification of documents long time after the affixing of signature, it is recommended to use long term archival signature format for the signature.
How should an organisation selects appropriate signature profiles to meet require short term and long-term preservation requirements?
For short-term verification purpose, CMS or PKCS7 Signature Profiles can be used. However if the signatures are required to be verified after a long period , it is recommended to use long term signature formatsController of Certifying Authorities, Ministry of Electronics and Information Technology, Delhi (XADES, CADES or PADES) as mentioned in the End Entity Signature Rules.(Ref Rules GSR 660(E), dated 25 Aug 2015)
What are the requirements for long term verification of signatures?
For long term verification of signature, the signature formats specified for long term archival should be used. Timestamping used in this process establishes that the signature was created at a given moment in time.
In the case of long term archival signature formats, CA CRL can be part of signature. CRLs of CAs are large in size and including it in each signature consumes space. What are the alternate arrangements?
Storage of Online Certificate Status Protocol (OCSP) response received at the time of Signature creation can be an alternate option.
What is the function of the Root certificate?
The RCAI Root certificate is at the root of trust for all signatures created under IT Act. It is used to verify the public key certificates of the Licensed CAs in India. The RCAI root certificate is a self-signed certificate.
Where do I get CCAs Root Certificate?
CCAs Root Certificate can be downloaded from CCAs web site cca.gov.in.
How do I verify the genuineness of the Root Certificates downloaded from the CCA site?
An out-of-band verification mechanism has been provided to get the thumbprint of the Root Certificate(s). An email sent to verifyroot [at] cca.gov.in will get thumbprint of the Root Certificate returned automatically.
How do I get CRLs issued by Root CA?
The CRLs are published on the website, cca.gov.in.
What will happen if CCA’s website is down or not accessible?
One can send a mail to verifyroot AT cca.gov.in to get the latest CRLs of CAs
What is the objective and scope of DSC Interoperability Guidelines issued by CCA?
The objective of DSC Interoperability Guidelines is to achieve interoperability across DSCs issued by different CAs. These Guidelines also include profiles of other special purpose certificates including Time stamping, OCSP responder, SSL Server, SSL Client, Encryption and Code signing. The scope of these Guidelines includes all certificates issued under India PKI hierarchy.
What is India PKI CP?
The India PKI is a hierarchical PKI with the trust chain starting from the Root Certifying Authority of India (RCAI). Below RCAI there are Certifying Authorities (CAs) licensed by CCA to issue Digital Signature Certificates. CAs can be private sector companies, Government departments, public sector companies. This Certificate Policy (CP) applies to RCAI and Licensed CAs. The policy identifiers (OIDs) listed in the CP are included in the certificates, and are based on identity verification method followed prior to issuance of DSC. This policy identifier represents the assurance level of that particular DSC issued by a Licenced CA.
Why Identity Verification of individual is common to all CAs?
The assurance level of DSC issued to subscribers is based on identity verification and is uniform across all CAs under the India PKI hierarchy. Uniformity in assurance level is important component for ensuring interoperability.
What is the role of RA (Registration Authority) in the DSC issuance process?
RA interacts with the DSC applicants for collection of documents and help them for submission of DSC application and in some cases for obtaining and using hardware Crypto device. CAs are responsible for verification and issuance of DSC to applicant. In the case of Aadhaar eKYC based identity verification CA may use RA service for facilitating the same. The responsibilities of an organisational RA are different from these of an RA which deals with individuals claiming no organisational affiliation.
What happens if a CA goes out of business? What happens to earlier transactions? Does this not create a legal and financial problem?
Prior to cessation of operations the CA has to follow procedures as laid down under the IT Act. The CA needs to revoke all the valid certificates prior to its closure. The subscriber has to get a new Digital Signature Certificate from other Licensed CA. Signature carried out by subscriber prior to the revocation of his certificate will remain valid. The signatures are validated with respect to validity of certificate at the time of affixing of signature.
Can CA have sub-CA? Can there be a concept of root CA, CA and sub CA?
CAs are allowed to create a Sub-CA under the CA certified by Controller. However these Sub-CAs are only technical arrangements within the same CA infrastructure for management purpose. Sub-CAs are not independent legal entities.
In what format the public key should be given by the DSC applicant to a CA for certification?
In PKCS #10 format
Whether it is mandatory for CAs to keep the DSC application form for 7 years after expiry of DSC?
What types of measures are being executed by CCA for licensing a CA?
Detailed information (financial, technical and procedural) is obtained from the CA as part of the application for licence. These are examined and audited for compliance to IT Act, Rules, Regulations & guidelines. On successful audit, Licence is granted. CCA also certifies the public key of the Licenced CA.
Where can I find the steps for becoming a CA?Overview of the licensing process can be seen in “CA Licensing Guidelines” published on cca.gov.in
How often is auditing done? (Auditing Cycle Period)? Whether it is a continuous process?
Yes, External audits are held annually and internal audits are held every six months according to the Rules under the IT Act 2000. The CA shall get its operations audited annually by an auditor and such audit shall include security policy and planning, physical security, technology evaluation, CA's services administration, compliance to CPS, contracts/agreements, regulation prescribed by CCA, policy requirement of CA Rules. The CA shall conduct half yearly internal audit of security policy, physical security and planning of its operation and yearly audit by one of the empanelled auditors by CCA.
What is CPS?
CPS (Certification Practice Statement): A statement of the practices, which a Certifying Authority employs in issuing and managing certificates. A CPS is a declaration by the CA of the details of its trustworthy system and the practices it employs in its operations in support of issuance of a certificate as per the provisions of the IT Act and as mentioned in the India PKI CP. General CPS framework is given in the CA Licensing Guidelines.
Does CCA enforce Disaster Recovery Centre for CAs?
Yes, it is a mandatory requirement under IT Act so that the CRLs can be made available by CAs.
What is the legal sanctity of a Digital Signature Certificate issued by CA of a foreign country in India?
Such a DSC will be legally valid in India only if it has been issued by a Foreign CA recognized by the CCA
What is the procedure for Cross certification by an external CA?
The application/ request for cross certification by Root CA with a foreign CA shall be as per Rule 12 of IT(CA) Rules
Whether any external agency can provide eSign service?
As of now, only CAs are allowed to operate as eSign Service Providers. However an external agency can become ASP of ESP.
Whether ASP is allowed to sublet the service to any other application owner?
No. ASP can avail service from ESP for integrating eSign service only for applications owned or operated by them. The functions of obtaining consent from the signer and its logs should be with ASP only.
How to avail time stamping service provided by CAs?
CAs provide time stamping service to its subscribers. If an organisation is interested in avail time-stamping service, they can avail the same directly from a CA or set it up in their premises with the help of the CA.
Is it mandatory for CAs to provide Time Stamping Service?
Yes. Time Stamping Service has been mandated in the Regulations under the IT Act for being offered by Certifying Authorities (CAs).
How is the reliability of the time stamp ensured?
For reliability, CA has to obtain the time from National Physical Laboratory (NPLI) who is the official time source in the country. A timestamp on the data by Timestamping service of CA (using the time obtained from NPLI) ensures reliability.
Whether all CAs issue SSL certificates?
It is mandated that for issuance of SSL certificates, CA should have a separate offline CA system dedicated for that purpose. Only CAs who are having such a setup will be allowed to issue SSL certificates. The list of CAs issuing SSL certificates can be seen at http://cca.gov.in/CAServicesOverview.html.
What are the auditing requirements for CA issuing SSL certificates?
CA should have independent Offline CA systems for issuance of SSL certificates. Apart from the auditing requirements under the Information Technology ACT, additional auditing requirements are specified in line with CA Browser Forum Auditing requirements. These are audited by the auditors empanelled by CCA.
What are the key escrow arrangements for encryption keys of subscriber?
The encryption key should be kept by subscriber. The subscriber should also make arrangements for securely keeping a backup copy of encryption key.
Whether encryption certificate & keys can be retained by organisation upon the subscriber leaving the organisation?
The encryption certificate should be revoked. However the organisation should retain the encryption keys and associated certificate in order to decrypt the information which had been encrypted when the encryption certificate was valid.
Whether DSCs are issued to Foreign Nationals?
Yes, The procedure to be followed by CAs in respect of verification of Foreign Nationals is available in the section 3 of Identity Verification Guidelines (CCA-IVG)
In the case of disputes who can obtain my DSC application form from CA?
CAs are liable to keep DSC issuance related information for a period of 7 years after expiry of DSC. CAs are required to disclose subscriber information only under the law or a court order. If confidential subscriber information is to be taken out of the country, then permission of Controller of Certifying Authorities is also required.