Facilitating Cross Border Trade and Commerce through Mutual Recognition of Digital Signatures/Certifying Authorities

Controller of Certifying Authorities (CCA)
Ministry of Communications & Information Technology, Government of India
Website: cca.gov.in, E-mail: info@cca.gov.in

Digital Signature Usage in AFACT member countries

Many of the AFACT members, like Japan, S. Korea, India and Chinese Taipei, have already implemented an Electronic Signature Act/IT Act, modelled on UNCITRAL's Model Law, providing legal validity to documents signed digitally, at par with paper signatures.

The use of Digital Signatures is already widespread in many AFACT member countries and is increasing further due to the presence of strong, secure and robust PKI environments.

Why Digital Signatures?

• For using the Internet as a safe and secure medium for e-Commerce and e-Governance.
• Most countries have given legal validity to documents signed digitally.
• Electronic documents are convenient for copying, transmission and storage.
• Reduces dependence on paper-based documents, hence environment friendly.
• Digital Signatures provide Authenticity (assurance of the genuineness of the source/signer), Integrity (assurance that the document hasn't been changed after signing) and Non-repudiation (the signer cannot later deny signing the document) to electronic documents.

Current Scenario: Public Key Infrastructure (PKI)

Digitally signed documents are signed using a Private Key and verified using the corresponding Public Key. Some trusted agency is required which certifies the association of an individual with the key pair. Such trusted agencies are called "Certifying Authorities" (CA). Most countries issue licenses to agencies which operate as CAs.

Documents signed using Digital Signature Certificates issued by such recognized Certifying Authorities are legally equivalent to documents signed manually in most countries.
However, a CA which is legally recognized in country "X" may not be legally recognized in country "Y".

Limiting Recognition of Certifying Authorities creates a few inconveniences

Mr "Good-Trader" in a country "Utopia" has a Digital Signature Certificate issued by "SecureCA", a recognized Certifying Authority in "Utopia", and wants to sign a document and send it to Mr "Good-Customer" in another country, "Heaven".

However, "SecureCA" is not a recognized Certifying Authority in "Heaven", and hence the digitally signed document lacks legal validity in "Heaven".

To add to Mr. Good-Trader's problems, no recognized Certifying Authority of "Heaven" has a local presence in "Utopia".

A possible Solution

The two countries "Utopia" and "Heaven" can have an arrangement through which recognized, licensed Certifying Authorities in both countries are mutually recognized and Digital Signature Certificates issued by them are accepted.

The Controller of Certifying Authorities (India), which is the regulator and facilitator of the PKI environment in India, is in the process of notifying regulations for recognition of Foreign Certifying Authorities. Many countries have already established arrangements for such mutual recognition.

It is proposed to have two sets of Regulations:

• One for recognized Foreign Certifying Authorities operating under a Regulatory Authority comparable to that in India.
• The other set of Regulations for those Foreign Certifying Authorities which are not operating under a Regulatory Authority.
For Foreign Certifying Authorities operating under a Regulatory Authority

It is proposed that a Digital Signature Certificate issued by a Foreign Certifying Authority, which has been authorized to issue Digital Signature Certificates by the legally recognized regulatory authority of its country, will be recognized in India if the Controller of Certifying Authorities enters into a memorandum of understanding with the recognized foreign regulatory authority.

Before entering into a Memorandum of Understanding, the Controller will ensure that the laws of the country under which such regulatory authority is established require a level of reliability at least equivalent to that required for issue of a Digital Signature Certificate under the IT Act of India, 2000.

Foreign Certifying Authorities not operating under any Regulatory Authority

Many countries do not have PKI Regulators like India. Such Certifying Authorities may also apply for recognition (after regulations in this regard are published), if the Controller is satisfied about their reliability, security and fulfillment of other conditions.

We look forward to entering into MoUs with PKI Regulators from various countries for mutual recognition of Certifying Authorities. The details of Regulations in this regard will be available soon.

Path Ahead

1. The Indian Regulations in this regard are to be published soon (these will be available at cca.gov.in).
2. PKI Regulators need to work together to establish mutually acceptable inter-operability guidelines, security and audit criteria. However, countries whose IT Act/Electronic Signature Act is based on the UNCITRAL Model Law have some commonalities which will help in evolving such guidelines.
3. MoUs for mutual recognition.

Thank You!!!

cca.gov.in