Indian Regulations regarding Recognition of Foreign Certifying
Authorities : Facilitating Cross-Border Trade and Investments
using Digital Signatures
Website : cca.gov.in
E-mail: [email protected];
AFACT Members and India
AFACT members already have strong economic linkages with India, e.g.:
India - ASEAN trade: $79.3 billion (2011-12), target of $100 billion by 2015 and
$200 billion by 2022.

India - China trade: $67 billion (2011-12), target of $100 billion by 2015.

India - Iran trade: $13.4 billion (2009-10); India is also involved in projects like the
development of Chabahar Port and the International North-South Corridor.

India - Japan trade: $18.43 billion (2011-12); Comprehensive Economic
Partnership Agreement signed.

India - Republic of Korea trade: $20.5 billion (2010-11), target of $40 billion by 2015;
Comprehensive Economic Partnership Agreement in force.

Cross-border trade could be further facilitated by the use of Digital Signatures.

Why Digital Signatures?
For using the Internet as a safe and secure medium for e-Commerce and e-Governance.
Most countries have already given legal validity to documents signed digitally.
Electronic documents are convenient for copying, transmission and storage.
Reduces dependence on paper-based documents, hence environment friendly.
Digital Signatures provide Authenticity (assurance of the genuineness of the
source/signer), Integrity (assurance that the document hasn't been changed after
signing) and Non-repudiation (the signer cannot later deny signing the document)
to electronic documents.
Digital Signature Usage in AFACT member countries
Many of the AFACT members, like Japan, S. Korea, India, Chinese Taipei,
Malaysia and Singapore, have already implemented an Electronic Signature Act/IT Act
modelled on UNCITRAL's Model Law and have provided legal validity to
documents signed digitally, at par with paper signatures.
The use of Digital Signatures is already widespread in many AFACT members
and is increasing further due to the presence of strong, secure and robust PKI
environments.
Current Scenario : Public Key Infrastructure (PKI)
Digitally signed documents are signed using a Private Key and verified using the
corresponding Public Key.

A trusted agency is required which certifies the association of an individual with the
key pair.

Such trusted agencies are called “Certifying Authorities” (CAs). Most countries issue
licenses to agencies which operate as CAs.

Documents signed using a Digital Signature Certificate issued by such recognized
Certifying Authorities are legally equivalent to documents signed manually in
most countries.

However, a CA which is legally recognized in country “X” may not be legally recognized
in country “Y”.

Limiting Recognition of Certifying Authorities creates a few inconveniences
Mr. “Good-Trader” in a country “Utopia” has a Digital Signature
Certificate issued by “SecureCA”, a recognized Certifying
Authority in “Utopia”, and wants to sign a document and send
it to Mr. “Good-Customer” in another country, “Heaven”.
However, “SecureCA” is not a recognized Certifying Authority
in “Heaven”, and hence the digitally signed document lacks
legal validity in “Heaven”. To add to Mr. Good-Trader's
problems, no recognized Certifying Authority of “Heaven”
has a local presence in “Utopia”.
A possible Solution
The two countries “Utopia” and “Heaven” can
have an arrangement through which recognized,
licensed Certifying Authorities in both
countries are mutually recognized and Digital
Signature Certificates issued by them are
accepted.
Recognition of Foreign CAs : Indian Law
As per Section 19(1) of the Information Technology Act, 2000, subject to conditions and restrictions as
specified by regulations in this regard, the Controller may, with the previous approval of the Central
Government, and by notification in the Official Gazette, recognise any foreign Certifying Authority.

Section 89 of the Information Technology Act, 2000 requires consultation with the Cyber Regulations
Advisory Committee and previous approval of the Central Government for framing Regulations for recognition
of Foreign CAs.

The Controller of Certifying Authorities, following the procedure given in the IT Act, has issued a Notification
containing Regulations regarding Recognition of Foreign CAs.

The Notification can be accessed on CCA's website:

http://cca.gov.in/cca/sites/all/Recognition_of_foreignCA.PDF
Recognition of Foreign CAs : Indian Law
The Notification contains two sets of Regulations:
One for recognized Foreign Certifying Authorities operating under a
PKI Regulatory Authority comparable to that in India.

The other set of Regulations is for those Foreign Certifying Authorities
which are not operating under a PKI Regulatory Authority.

For Foreign Certifying Authorities operating under a Regulatory Authority
Digital Signature Certificates issued by a Foreign Certifying Authority which has been authorized by the legally
recognized Regulatory Authority of its country will be recognized in India if the Controller of Certifying
Authorities enters into a memorandum of understanding with the recognized Foreign Regulatory Authority.

Before entering into a Memorandum of Understanding, the Controller will ensure that the laws of the country under
which such regulatory authority is established require a level of reliability at least equivalent to that required for
issuance of a Digital Signature Certificate under the IT Act of India, 2000.

The following are some of the factors to be used for determining the level of reliability:
(a) Financial and human resources, including existence of assets within the country;
(b) Trustworthiness of hardware and software systems;
(c) Procedures for processing of certificates and applications for certificates and retention of records;
(d) Availability of information to subscribers identified in certificates and to potential relying parties;
(e) Regularity and extent of Audit by an independent body;
(f) Strength of Algorithms used.

We look forward to entering into MoUs with PKI Regulators from
various countries for mutual recognition of Certifying
Authorities.
The details of the Regulations in this regard are available on the
website cca.gov.in.
Foreign Certifying Authorities not operating under any Regulatory Authority
Many countries do not have PKI Regulators like India. Certifying Authorities from such countries may also
apply for recognition.

Recognition may be granted if the Controller is satisfied about their reliability, security and fulfillment of other
conditions.

Such CAs will have to apply to the CCA in the prescribed format. The Application should contain documents
like the CPS, a statement including the procedures with respect to identification of the applicant, a statement for the
purpose and scope of anticipated Digital Signature Certificate technology, management, or operations to be
outsourced, certified copies of the business registration documents and licences.

Further, such CAs will have to establish a Local Office in India and submit a performance bond.

International Initiatives for Cross-Border Recognition of Digital / Electronic Signatures
Regional Commonwealth in the field of Communications : The Trans-boundary
Trust Space CIS Member States

http://www.en.rcc.org.ru/index.php/rcc-activities/informatization-/261211

European Union : Revision of e-Signature Directive for Cross-Border Mutual
Recognition of Electronic IDs.

http://ec.europa.eu/digital-agenda/en/pillar-i-digital-single-market/action-8-revisionesignature-directive

UN/CEFACT : A Project named “Recommendation for ensuring legally significant
trusted trans-boundary electronic interaction” has been proposed, Recommendation
14.

Path Ahead
1. PKI Regulators need to work together to establish mutually acceptable
Inter-operability Guidelines, security and audit criteria. However,
countries whose IT Act/Electronic Signature Act is based on the
UNCITRAL Model Law have some commonalities which will help in evolving
such Guidelines.
2. MoUs for Mutual Recognition.
3. Initiated with Korea through KISA, Iran through GRCA, Russia, Israel,
Nepal, China, UNESCAP SRO-SSWA etc.
4. Seeking expression of interest from other AFACT members.
Thank You
Controller of Certifying Authorities (India)