Post on 15-Dec-2015

266 views

Category:

Documents


0 download

TRANSCRIPT

Indian Regulations regarding Recognition of Foreign Certifying Authorities : Facilitating Cross-Border Trade and Investments using Digital Signatures

Website : cca.gov.in

E-mail: [email protected];

AFACT Members and India

AFACT members already have strong economic linkages with India, e.g.:

India - ASEAN trade: $79.3 billion (2011-12), target of $100 billion by 2015 and $200 billion by 2022.

India - China trade: $67 billion (2011-12), target of $100 billion by 2015.

India - Iran trade: $13.4 billion (2009-10). India is also involved in projects like the development of Chabahar Port and the International North-South Corridor.

India - Japan trade: $18.43 billion (2011-12); Comprehensive Economic Partnership Agreement signed.

India - Republic of Korea trade: $20.5 billion (2010-11), target of $40 billion by 2015; Comprehensive Economic Partnership Agreement in force.

Cross-border trade could be further facilitated by the use of Digital Signatures.

Why Digital Signatures?

For using the Internet as a safe and secure medium for e-Commerce and e-Governance.

Most countries have already given legal validity to digitally signed documents.

Electronic documents are convenient to copy, transmit and store.

Reduces dependence on paper-based documents, hence environment friendly.

Digital Signatures provide Authenticity (assurance of the genuineness of the source/signer), Integrity (assurance that the document hasn't been changed after signing) and Non-repudiation (the signer cannot later deny signing the document) to electronic documents.

Digital Signature Usage in AFACT member countries

Many AFACT members, such as Japan, S. Korea, India, Chinese Taipei, Malaysia and Singapore, have already implemented an Electronic Signature Act/IT Act modelled on UNCITRAL's Model Law and have given digitally signed documents legal validity at par with paper signatures.

The use of Digital Signatures is already widespread in many AFACT member countries and is increasing further due to the presence of strong, secure and robust PKI environments.

Current Scenario : Public Key Infrastructure (PKI)

Digitally signed documents are signed using a Private Key and verified using the corresponding Public Key.

Some trusted agency is required which certifies the association of an individual with the key pair.

Such trusted agencies are called "Certifying Authorities" (CAs). Most countries issue licences to agencies which operate as CAs.

Documents signed using a Digital Signature Certificate issued by such a recognized Certifying Authority are legally equivalent to manually signed documents in most countries.

However, a CA which is legally recognized in country "X" may not be legally recognized in country "Y". The signature itself verifies identically in both countries; what differs is whether the relying party's trust store contains the issuing CA.

Limiting Recognition of Certifying Authorities creates a few inconveniences

Mr "Good-Trader" in a country "Utopia" has a Digital Signature Certificate issued by "SecureCA", a recognized Certifying Authority in "Utopia", and wants to sign a document and send it to Mr "Good-Customer" in another country "Heaven".

However, "SecureCA" is not a recognized Certifying Authority in "Heaven", and hence the digitally signed document lacks legal validity in "Heaven". To add to Mr Good-Trader's problems, no recognized Certifying Authority of "Heaven" has a local presence in "Utopia".

A possible Solution

The two countries "Utopia" and "Heaven" can have an arrangement through which the recognized, licensed Certifying Authorities in both countries are mutually recognized and the Digital Signature Certificates issued by them are accepted.
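The PKI mechanics behind the Utopia/Heaven scenario, as an added example that is not part of the CCA's presentation. It uses the Python `cryptography` package to stand up "SecureCA" and a hypothetical "HeavenCA", issue Mr Good-Trader a certificate, sign a constructed document and then run the same verification from the viewpoint of relying parties in Utopia and in Heaven. The CA names come from the slides; the two ways of reflecting an MoU in software (Heaven's relying parties adding SecureCA to their trust store, or HeavenCA issuing a cross-certificate for SecureCA's key) are this example's assumptions, not mechanisms the regulations prescribe. Revocation checking is left out.

```python
# Added example (not from the CCA deck): what "recognising" a CA means to a relying party's
# software. The trust-store update and the cross-certificate are this example's assumptions.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue an X.509 certificate binding subject_cn to subject_key, signed with issuer_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, algorithm=None)  # Ed25519 takes no separate hash

def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def _in_validity_period(cert):
    now = datetime.datetime.now(datetime.timezone.utc)
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:  # older cryptography releases expose naive UTC datetimes instead
        nb = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    else:
        na = cert.not_valid_after_utc
    return nb <= now <= na

def _signed_by(cert, issuer):
    """True if cert names issuer as its issuer and issuer's key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes)
    except InvalidSignature:
        return False
    return True

def build_chain(cert, pool, trust_anchors, depth=0):
    """Depth-first search for a path cert -> ... -> trust anchor; returns the chain or None."""
    if depth > 4 or not _in_validity_period(cert):
        return None
    for anchor in trust_anchors:
        if _signed_by(cert, anchor):
            return [cert, anchor]
    for cand in pool:
        if cand is not cert and _is_ca(cand) and _signed_by(cert, cand):
            rest = build_chain(cand, pool, trust_anchors, depth + 1)
            if rest:
                return [cert] + rest
    return None

def verify_signed_document(document, signature, leaf, pool, trust_anchors):
    """Relying-party check -> (accepted, reason or chain). Revocation checking is omitted."""
    try:
        leaf.public_key().verify(signature, document)
    except InvalidSignature:
        return False, "signature does not match document (integrity failure)"
    chain = build_chain(leaf, pool, trust_anchors)
    if chain is None:
        return False, "no path from signer to a recognised CA"
    return True, " -> ".join(c.subject.rfc4514_string() for c in chain)

def run_scenario():
    """Mr Good-Trader (Utopia, certificate from SecureCA) sends a signed document to Heaven."""
    secure_key, heaven_key, trader_key = [Ed25519PrivateKey.generate() for _ in range(3)]
    secure_root = make_cert("SecureCA", secure_key, "SecureCA", secure_key, True)
    heaven_root = make_cert("HeavenCA", heaven_key, "HeavenCA", heaven_key, True)
    trader_cert = make_cert("Good-Trader", trader_key, "SecureCA", secure_key, False)
    cross_cert = make_cert("SecureCA", secure_key, "HeavenCA", heaven_key, True)  # assumed post-MoU
    document = b"Purchase order 4711: 500 units, delivery within 30 days."  # constructed sample
    signature = trader_key.sign(document)

    def check(pool, anchors, doc=document):
        return verify_signed_document(doc, signature, trader_cert, pool, anchors)[0]
    return {
        "utopia": check([secure_root], [secure_root]),  # SecureCA is recognised at home
        "heaven_before_mou": check([secure_root], [heaven_root]),  # SecureCA unknown in Heaven
        "heaven_trust_anchor": check([secure_root], [heaven_root, secure_root]),  # Heaven adds anchor
        "heaven_cross_cert": check([cross_cert], [heaven_root]),  # sender ships the cross-certificate
        "tampered": check([secure_root], [secure_root], document + b" (amended)"),
    }
```

The same bytes and the same signature are accepted in Utopia and rejected in Heaven before the MoU; nothing about the cryptography changed, only the set of trust anchors the relying party is willing to chain to. The cross-certificate variant is the one that scales, since Heaven's relying parties keep a single anchor and the foreign signer ships the extra certificate with the document.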

As per Section 19(1) of the Information Technology Act, 2000, subject to such conditions and restrictions as may be specified by regulations in this regard, the Controller may, with the previous approval of the Central Government and by notification in the Official Gazette, recognise any foreign Certifying Authority.

Section 89 of the Information Technology Act, 2000 requires consultation with the Cyber Regulations Advisory Committee and the previous approval of the Central Government for framing Regulations for the recognition of Foreign CAs.

The Controller of Certifying Authorities, following the procedure given in the IT Act, has issued a Notification containing Regulations regarding Recognition of Foreign CAs.

The Notification can be accessed on CCA's website:

http://cca.gov.in/cca/sites/all/Recognition_of_foreignCA.PDF

Recognition of Foreign CAs : Indian Law

The Notification contains two sets of Regulations:

One for Foreign Certifying Authorities operating under a PKI Regulatory Authority comparable to that in India.

The other for Foreign Certifying Authorities which are not operating under any PKI Regulatory Authority.

Recognition of Foreign CAs : Indian Law

For Foreign Certifying Authorities operating under a Regulatory Authority

Digital Signature Certificates issued by a Foreign Certifying Authority which has been authorized by the legally recognized Regulatory Authority of its country will be recognized in India if the Controller of Certifying Authorities enters into a Memorandum of Understanding with that Foreign Regulatory Authority.

Before entering into a Memorandum of Understanding, the Controller will ensure that the laws of the country under which such Regulatory Authority is established require a level of reliability at least equivalent to that required for the issuance of a Digital Signature Certificate under the IT Act of India, 2000.

The following are some of the factors to be used for determining the level of reliability:

(a) Financial and human resources, including existence of assets within the country;

(b) Trustworthiness of hardware and software systems;

(c) Procedures for processing of certificates and applications for certificates, and retention of records;

(d) Availability of information to subscribers identified in certificates and to potential relying parties;

(e) Regularity and extent of audit by an independent body;

(f) Strength of algorithms used.

We look forward to entering into MoUs with PKI Regulators from various countries for mutual recognition of Certifying Authorities.

The details of the Regulations in this regard are available on the website cca.gov.in.

Foreign Certifying Authorities not operating under any Regulatory Authority

Many countries do not have PKI Regulators like India. Certifying Authorities from such countries may also apply for recognition.

Recognition may be granted if the Controller is satisfied about their reliability, security and fulfilment of other conditions.

Such CAs will have to apply to the CCA in the prescribed format. The application should contain documents such as the CPS, a statement of the procedures for identification of the applicant, a statement of the purpose and scope of the anticipated Digital Signature Certificate technology, management or operations to be outsourced, and certified copies of the business registration documents and licences.

Further, such CAs will have to establish a local office in India and submit a performance bond.

International Initiatives for Cross-Border Recognition of Digital /Electronic Signatures

Regional Commonwealth in the field of Communications: The Trans-boundary Trust Space of CIS Member States

http://www.en.rcc.org.ru/index.php/rcc-activities/informatization-/261211

European Union: Revision of the e-Signature Directive for Cross-Border Mutual Recognition of Electronic IDs.

http://ec.europa.eu/digital-agenda/en/pillar-i-digital-single-market/action-8-revision-esignature-directive

UN/CEFACT: A project named "Recommendation for ensuring legally significant trusted trans-boundary electronic interaction" has been proposed (Recommendation 14).

Path Ahead

1. PKI Regulators need to work together to establish mutually acceptable interoperability guidelines and security and audit criteria. Countries whose IT Act/Electronic Signature Act is based on the UNCITRAL Model Law already share some commonalities, which will help in evolving such guidelines.

2. MoUs for Mutual Recognition.

3. Initiated with Korea through KISA, Iran through GRCA, Russia, Israel, Nepal, China, UNESCAP SRO-SSWA etc.

4. Seeking expressions of interest from other AFACT members.

Thank You

Controller of Certifying Authorities (India)

Website : cca.gov.in

E-mail: [email protected]