Digital Signature Usage in AFACT member countries Many of the

Download Report

Transcript Digital Signature Usage in AFACT member countries Many of the

Facilitating Cross Border Trade and Commerce through
Mutual Recognition of Digital Signatures/Certifying
Authorities
Controller of Certifying Authorities(CCA)
Ministry of Communications & Information Technology,
Government of India
Website:cca.gov.in,E-mail:[email protected]
Digital Signature Usage in AFACT
member countries
Many of the AFACT members like Japan,S. Korea,India,Chinese Taipei have
already implemented Electronic Signature Act/IT Act ,modelled on
UNCITRAL's Model Law, providing legal validity to documents signed
digitally , at par with paper signature.
The use of Digital Signatures is already widespread in many AFACT member
countries and is increasing further due to presence of strong,secure and robust
PKI environments
Why Digital Signatures?
For using Internet as a safe and secure medium
for e-Commerce and e-Governance
Most countries have given Legal Validity to
Documents signed digitally.
Electronic documents are convenient for
copying,transmission,storage.
Reduces dependence paper based documents ,
hence environment friendly.
Digital Signatures provide
Authenticity(assurance of the genuineness of the
source/signer), Integrity(assurance that
document hasn't been changed after signing)
and Non-repudiation(the signer cannot later
deny signing the document ) to electronic
documents.
Current Scenario : Public Key Infrastructure (PKI)
Digitally signed documents are signed using a Private Key
and
verified using corresponding Public Key.
Some Trusted Agency is required which certifies the
association
of an individual with the key pair.
Such trusted agencies are called “Certifying
Authorities”(CA).Most
countries
issue
licenses
to
agencies which operate as CAs.
Documents signed using Digital Signature Certificates
issues
by such recognized Certifying Authorities are
legally
equivalent to documents signed manually in
most countries.
However, a CA which is legally recognized in country
“X” may not be legally recognized in country “Y”
Limiting Recognition of Certifying
Authorities creates few inconveniences
Mr “Good-Trader” in a country “Utopia” has a Digital Signature
Certificate issued by “SecureCA”,a recognized Certifying
Authority in “Utopia” and wants to sign a document and send
it to Mr “Good-Customer” in another country “Heaven”.
However, “SecureCA” is not a recognized Certifying Authority
“Heaven”, and hence the digitally signed document lacks
legal validity in “Heaven” . To increase Mr. Good-Trader's
traders problems , no recognized Certifying Authority of
“Heaven” is having local presence in “Utopia”
Click for certificate generation demo
A possible Solution
The two countries “Utopia” and “Heaven”
can have an arrangement through which
Recognized , Licensed Certifying
Authorities in both the countries are
mutually recognized and Digital
Signatures Certificates issued by them
are accepted
The Controller of Certifying Authorities(India), which is
the regulator and facilitator of PKI Environment in
India , is in process of notifying regulations for
recognition of Foreign Certifying Authorities.
Many countries have already established arrangements
for such mutual recognition.
It is proposed, to have two sets of Regulations.
• One for recognized Foreign Certifying Authorities
operating under a Regulatory Authority comparable
to that in India.
• Other set of Regulations for those Foreign
Certifying Authorities , which are not operating
under a Regulatory Authority.
For Foreign Certifying Authorities
operating under a Regulatory
Authority
It is proposed that a Digital Signature Certificates issued by a Foreign
Certifying Authority ,which has been authorized to issue Digital Signature
Certificates by legally recognized regulatory authority of its country , will
be recognized in India, if the Controller of Certifying Authorities enters into a
memorandum of understanding with the recognized foreign regulatory
authority.
Before entering into a Memorandum of Understanding , the Controller will
ensure that the laws of the country under which such regulatory authority is
established , require a level of reliability at least equivalent to that required
for issue of a Digital Signature Certificate under the IT Act of India ,2000.
Foreign Certifying Authorities not operating under any
Regulatory Authority
Many countries do not have PKI Regulators like
India. Such Certifying Authorities may also apply for
recognition (after regulations in this regard are
published) , if the Controller is satisfied about their
reliability , security and fulfillment other conditions
We look forward to enter in MoUs with PKI Regulators
from various countries for mutual recognition of
Certifying Authorities.
The details of Regulations in this regard will be
available soon.
Path Ahead
1.
2.
3.
The Indian Regulations in this regard are to be
published soon.(these will be available at cca.gov.in)
PKI Regulators need to work together to establish
mutually acceptable Inter-operability Guidelines,security
and audit criteria. However,in case countries whose IT
Act/Electronic Signature Act is based on Model
UNCITRAL Laws have some commonalities which will
help in evolving such Guidelines.
MoUs for mutual recognition.
Thank You!!!
cca.gov.in