Organisation : Controller of Certifying Authorities (CCA)
Service Name : Signature Verification & Digital Signature Certificate
Applicable States/UTs : All Over India
Website : http://cca.gov.in/signature_verification.html
CCA Signature Verification
The procedure for verification of signature is specified in Digital Signature (End entity rules) 2015 and also in Annexure IV – Application Developer Guidelines of Interoperability Guidelines for DSC (CCA-IOG).
For verification of Digital Signature of any individual, whether I need the certificates of the signer and the issuing CA?
Yes. Signer’s certificate and the complete issuer chain of certificates up to the Root certificate are required. The chain may either be part of Digital Signature or be made available to the verifier by the application service provider. Microsoft products carry Root Certificate of India.
If not present locally in the verification system, it can be downloaded from http://cca.gov.in. In the case of application based verification, applications need to make available the Root Certificate to the verification component.
How can a digitally signed document be verified after the DSC associated with the Public Key has expired?
The digital signature verification process for a document requires the signer’s public key, issuer certificates and their CRLs. CA will make available the issuer certificates and CRLs till the expiry of DSCs.
For the requirements of verification beyond expiry of DSCs, the application should therefore have a provision to locally store the DSCs, issuer certificates and their CRLs at the time when the document was digitally signed. To enable the verification of documents a long time after the affixing of the signature, it is recommended to use a long term archival signature format for the signature.
Digital Signature Certificate
Should individual’s signature and encryption certificate be different?
Yes. The signature and encryption certificates should be separate for an individual. The encryption keys are to be generated at the subscriber’s system and should be archived prior to transfer into the crypto-medium. The signature keys should be generated in the crypto-medium and should not be copied.
Does one require multiple certificates for different application?
No. Ideally, there should not be any requirement for different certificates; however, a person holding a lower assurance Class 2 certificate may require a higher assurance Class 3 certificate for applications which demand the same.
The higher assurance Class 3 certificates can be used wherever an application requires a lower assurance certificate. Apart from assurance, depending on the information included in the DSC (for example, a PAN Number may be required by an application), an additional certificate may be required.
Whether a person is allowed to take multiple certificates from different CAs?
Whether CAs will have information on the signature carried out by subscribers?
CAs will not have any information on the signatures applied by the subscribers after the issuance of DSC. The application owners or subscribers themselves can keep records of the signature affixed by them.
Whether Aadhaar eKYC based authentication can be treated as signature of individual?
Aadhaar eKYC based authentication provides the electronic identity of an individual at a particular point of time. It cannot be used at a later point of time to authenticate documents or transactions, whereas the Digital Signature provides the electronic authentication of the individual and binds it to the documents or transactions being signed.
The intention of the signatory for a particular transaction or document can be conveyed in a verifiable form at any point of time in the future only by using an electronic signature. Such Digital Signatures applied by individuals can be verified independently using software. As per the IT Act, electronic records need to be authenticated by using an Electronic Signature.
Whether my signature will be valid after the expiry of certificate?
Signatures are to be verified with respect to signature affixing time. If the certificate is valid at the time of signature, the signature is deemed to be valid.
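The rule above, together with the earlier advice to store issuer certificates and CRLs at signing time, can be sketched as follows. This is an added example, not code from CCA or its guidelines: it models only the time-based decision (validity window and revocation judged at the signature affixing time) and leaves out the cryptographic signature checks. The Cert class, the function name and all sample values are assumptions, and the signing time is assumed to come from a trusted source such as a time stamp.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:                      # simplified model of a certificate (hypothetical)
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

def check_at_signing_time(chain, crls, trusted_roots, signed_at):
    """chain: signer first, root last. crls: issuer name -> {serial: revocation
    time}, as archived when the document was signed. Returns (ok, reason)."""
    if not chain or chain[-1].subject not in trusted_roots:
        return False, "chain does not end at a trusted root"
    for i, cert in enumerate(chain):
        is_root = i == len(chain) - 1
        parent = cert if is_root else chain[i + 1]
        if cert.issuer != parent.subject:
            return False, f"{cert.subject}: issuer chain broken"
        # Validity is judged at the signature affixing time, not the current time.
        if not (cert.not_before <= signed_at <= cert.not_after):
            return False, f"{cert.subject}: not valid at signing time"
        if is_root:
            continue                      # trust anchor: no CRL covers it
        if cert.issuer not in crls:
            return False, f"{cert.subject}: no archived CRL from issuer"
        revoked_at = crls[cert.issuer].get(cert.serial)
        if revoked_at is not None and revoked_at <= signed_at:
            return False, f"{cert.subject}: revoked before signing"
    return True, "valid at signing time"

# Constructed sample chain (names, serials and dates are made up).
ROOT = Cert("Example Root", "Example Root", 1, utc(2015, 1, 1), utc(2030, 1, 1))
CA = Cert("Example CA", "Example Root", 2, utc(2016, 1, 1), utc(2026, 1, 1))
SIGNER = Cert("Example Signer", "Example CA", 77, utc(2020, 1, 1), utc(2022, 1, 1))
CHAIN = [SIGNER, CA, ROOT]
ROOTS = {"Example Root"}
CLEAN_CRLS = {"Example CA": {}, "Example Root": {}}

if __name__ == "__main__":
    # The signer certificate has expired since, but it was valid on 2021-06-01.
    print(check_at_signing_time(CHAIN, CLEAN_CRLS, ROOTS, utc(2021, 6, 1)))
    print(check_at_signing_time(CHAIN, CLEAN_CRLS, ROOTS, utc(2022, 6, 1)))
    revoked = {"Example CA": {77: utc(2021, 3, 1)}, "Example Root": {}}
    print(check_at_signing_time(CHAIN, revoked, ROOTS, utc(2021, 6, 1)))
```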
Is there a “Specimen Digital Signature” like paper signature?
No. The Digital signature changes with content of the message.
Whether it is possible to sign an electronic record without the knowledge of a signer?
It depends upon how the subscriber has kept his private keys. If the private key is not stored securely, then it can be misused to sign an electronic record without the knowledge of the owner of the private key.
In paper world, date and the place where the paper has been signed is recorded and court proceedings are followed on that basis. What mechanism is being followed for dispute settlements in the case of digital signatures?
Under the IT Act, 2000, Digital Signatures are at par with handwritten signatures. Therefore, similar court proceedings will be followed. The requirements of recording of date and time can be addressed through Time Stamping.