ESign (India)

Last updated

Aadhaar eSign is an online electronic signature service in India to facilitate an Aadhaar holder to digitally sign a document. [1] The signature service is facilitated by authenticating the Aadhaar holder via the Aadhaar-based e-KYC (electronic Know Your Customer) service. [2]

Contents

To eSign a document, one has to have an Aadhaar card and a mobile number registered with Aadhaar. With these two things, an Indian citizen can sign a document remotely without being physically present.

Procedure

The notification [2] issued by Government of India in this regard stipulates the following procedure for the e-authentication using Aadhaar e-KYC services.

Authentication of an electronic record by e-authentication technique, which shall be done by

  1. the applicable use of e-authentication, hash function, and asymmetric cryptosystem techniques, leading to issuance of digital signature certificate by Certifying Authority,
  2. a trusted third party service by subscriber's key pair generation, storing of the key pairs on hardware security module and creation of digital signature provided that the trusted third party shall be offered by the certifying authority (the trusted third party shall send application form and certificate signing request to the Certifying Authority for issuing a digital signature certificate to the subscriber),
  3. issuance of digital signature certificate by Certifying Authority shall be based on e-authentication, particulars given in the prescribed format, digitally signed verified information from Aadhaar e-KYC services and electronic consent of digital signature certificate applicant,
  4. the manner and requirements for e-authentication shall be as issued by the Controller from time to time,
  5. the security procedure for creating the subscriber's key pair shall be in accordance with the e-authentication guidelines issued by the Controller,
  6. the standards referred to in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 shall be complied with, in so far as they relate to the certification function of public key of Digital Signature Certificate applicant, and
  7. the manner in which information is authenticated by means of digital signature shall comply with the standards specified in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 in so far as they relate to the creation, storage and transmission of Digital Signature. [3]

eSign Service Providers

Organisations and individuals seeking to obtain the eSigning Service can utilize the services of various service providers. There are empanelled service providers with whom organisations can register as an Application Service Prover after submitting the requisite documents, getting UAT access, building the application around the service and going through an IT Audit by an CERT-IN empanelled auditor. [4]

However, the process of registering as an Application Service Provider is cumbersome, and requires huge investments of time, money and resources in complying with the regulations and building a suitable application. Most organisations prefer using services of plug-n-play gateway providers who take the responsibility of complying with the regulations, hence simplifying the process for the market.

See also

Related Research Articles

<span class="mw-page-title-main">Authentication</span> Act of proving an assertion

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.

<span class="mw-page-title-main">Digital signature</span> Mathematical scheme for verifying the authenticity of digital documents

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature on a message gives a recipient confidence that the message came from a sender known to the recipient.

<span class="mw-page-title-main">Public key infrastructure</span> System that can issue, distribute and verify digital certificates

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

An electronic signature, or e-signature, is data that is logically associated with other data and which is used by the signatory to sign the associated data. This type of signature has the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation under which it was created.

<span class="mw-page-title-main">Electronic identification</span> Digital proof of identity

An electronic identification ("eID") is a digital solution for proof of identity of citizens or organizations. They can be used to view to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc. Apart from online authentication and login, many electronic identity services also give users the option to sign electronic documents with a digital signature.

<span class="mw-page-title-main">Permanent account number</span> Code that acts as an identification for individuals, families and corporates

A permanent account number (PAN) is a ten-character alphanumeric identifier Foundational ID, issued in the form of a laminated "PAN card", by the Indian Income Tax Department, to any person who applies for it or to whom the department allots the number without an application. It can also be obtained in the form of a PDF file known as e-PAN from the website of the Indian Income Tax Department.

A credential service provider (CSP) is a trusted entity that issues security tokens or electronic credentials to subscribers. A CSP forms part of an authentication system, most typically identified as a separate entity in a Federated authentication system. A CSP may be an independent third party, or may issue credentials for its own use. The term CSP is used frequently in the context of the US government's eGov and e-authentication initiatives. An example of a CSP would be an online site whose primary purpose may be, for example, internet banking - but whose users may be subsequently authenticated to other sites, applications or services without further action on their part.

A mobile signature is a digital signature generated either on a mobile phone or on a SIM card on a mobile phone.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

A Digital Postmark (DPM) is a technology that applies a trusted time stamp issued by a postal operator to an electronic document, validates electronic signatures, and stores and archives all non-repudiation data needed to support a potential court challenge. It guarantees the certainty of date and time of the postmarking. This global standard was renamed the Electronic Postal Certification Mark (EPCM) in 2007 shortly after a new iteration of the technology was developed by Microsoft and Poste Italiane. The key addition to the traditional postmarking technology was integrity of the electronically postmarked item, meaning any kind of falsification and tampering will be easily and definitely detected.

PAdES is a set of restrictions and extensions to PDF and ISO 32000-1 making it suitable for advanced electronic signatures (AdES). This is published by ETSI as EN 319 142.

Biometrics refers to the automated recognition of individuals based on their biological and behavioral characteristics, not to be confused with statistical biometrics; which is used to analyse data in the biological sciences. Biometrics for the purposes of identification may involve DNA matching, facial recognition, fingerprints, retina and iris scanning, voice analysis, handwriting, gait, and even body odor.

<span class="mw-page-title-main">Digital India</span> Online infrastructure in India

Digital India is a campaign launched by the Government of India to make its services available to citizens electronically via improved online infrastructure and by increasing Internet connectivity. The initiative includes plans to connect rural areas with high-speed internet networks. It consists of three core components: the development of secure and stable digital infrastructure, delivering government services digitally, and universal digital literacy.

DigiLocker is an Indian state-owned digitization service provided by the Indian Ministry of Electronics and Information Technology (MeitY) under its Digital India initiative. DigiLocker allows access to digital versions of various documents including driver's licenses, vehicle registration certificates and academic mark sheets. It also provides 1 GB storage space to each account to upload scanned copies of legacy documents.

eIDAS EU electronic identification regulation

eIDAS is an EU regulation with the stated purpose of governing "electronic identification and trust services for electronic transactions". It passed in 2014 and its provisions came into effect between 2016 and 2018.

A trust service provider (TSP) is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general. Trust service providers are qualified certificate authorities required in the European Union and in Switzerland in the context of regulated electronic signing procedures.

A secure signature creation device (SSCD) is a specific type of computer hardware or software that is used in creating an electronic signature. To be put into service as a secure signature creation device, the device must meet the rigorous requirements laid out under Annex II of Regulation (EU) No 910/2014 (eIDAS), where it is referred to as a qualified (electronic) signature creation device (QSCD). Using secure signature creation devices helps in facilitating online business processes that save time and money with transactions made within the public and private sectors.

India Stack refers to the project of creating a unified software platform to bring India's population into the digital age. Its website describes its mission as follows: "India Stack is a set of open APIs that allows governments, businesses, startups and developers to utilize a unique digital Infrastructure to solve India’s hard problems towards presence-less, paperless, and cashless service delivery" Of the four "distinct technology layers" mentioned on the same page, the first, the "Presenceless Layer" is the most controversial as it involves storing biometric data such as fingerprints for every citizen. Since such markers are widely being adopted to enable cashless payment, the issue arises of fraudulent use of biometrics. The other layers are the Paperless Layer, which enables personal records to be associated with one's online identity; the Cashless Layer, a single interface to all national banks and online wallets; and the Consent Layer, which aims to maintain security and control of personal data.

Smart-ID is an electronic authentication tool developed by SK ID Solutions, an Estonian company. Users can log in to various electronic services and sign documents with an electronic signature.

References

  1. "eSign – Online Digital Signature Service". Controller of Certifying Authorities, Govt. of India. Retrieved 31 May 2015.
  2. 1 2 "Ministry of Communications and Information Technology (Department of Electronics and Information Technology) Notification" (PDF). The Gazette of India (Extraordinary) (in Hindi and English). No. 59. 28 January 2015. Archived from the original (PDF) on 2015-07-06. Retrieved 31 May 2015.
  3. Asthana, Subodh (2019-06-21). "All You Want to Know about Digital & Electronic Signature". iPleaders. Retrieved 2023-08-25.
  4. "Empanelled eSign Service Providers". Controller of Certifying Authorities, Govt. of India.