Digital Signature Certificate

1. How do I get a Digital Signature Certificate And Signature ?
The Office of Controller of Certifying Authorities (CCA), issues Certificate only to Certifying Authorities.CA issue Digital Signature Certificate to end-user. You can approach any one of the seven CAs for getting Digital Signature Certificate. The website addresses are given below.
www.safescrypt.com www.nic.in www.idrbtca.org.in
www.tcs-ca.tcs.co.in www.mtnltrustline.com www.ncodesolutions.com
www.e-Mudhra.com
2. Who are the CAs licensed by the CCA?
Safescript NIC IDRBT
TCS MtnlTrustline GNFC
e-Mudhra CA
3. What is the function of the Root certificate ?
The RCAI Root certificate is the highest level of certification in India. It is used to sign the public keys of the Licensed CAs in India. The RCAI root certificate is a self-signed certificate.
4. Where do I get CCAs Root Certificate ?
CCAs Root certificate can be downloaded from CCAs web site cca.gov.in
5. Is Root Certificate free ?
Yes, it can be downloaded from CCA website.
6. What are the different classes of Digital Signature Certificates?
In addition to four classes of certificates given below, the Certifying Authority may issue more classes of Public Key Certificates, but these must be explicitly defined including the purpose for which each class is used and the verification methods underlying the issuance of the certificate. The suggested four classes are the following :-
Class 0 Certificate: This certificate shall be issued only for demonstration/ test purposes.
Class 1 Certificate: Class 1 certificates shall be issued to individuals/private subscribers. These certificates will confirm that user's name (or alias) and E-mail address form an unambiguous subject within the Certifying Authorities database.
Class 2 Certificate: These certificates will be issued for both business personnel and private individuals use. These certificates will confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases.
Class 3 Certificate: This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.
7. Does a person require multiple Digital Signatures Certificates for different places or organizations ?
It is not mandatory. However, certificates could be issued for different purposes to the same individual. e.g. by the bank where the individual has an account, by the government to the individual as a citizen etc.
8. How does cross-border inter-operability work in relation to digital signatures ?
Clearly, all certificates, not to mention technology applications, cannot and would not be issued by a single CA. Multiple CA's do and must exist. Inter operability between CAs- national and cross-border - has been addressed as Cross Certification. As per Information Technology (Certifying Authority) Rules, 2000
The licensed CA shall have arrangement for cross certification with other licensed CAs within India, which shall be submitted to the Controller before the commencement of their operations as per rule 20. Disputes arising as a result of such arrangements shall be submitted to CCA, India for arbitration or resolution.
The arrangement for cross certification by the licensed CA with a foreign CA along with the application shall be submitted to CCA, India. The licensed CA shall not commence cross certification operations unless it has obtained the written or digital signature approval from CCA, India.
9. How often is auditing done? (Auditing Cycle Period)? Whether it is continuous process ?
Yes, auditing is a continuous process. According to the rules under IT Act 2000.
a. The CA shall get its operations audited annually by an auditor and such audit shall include security policy and planning, physical security, technology evaluation, CA's services administration, compliance to CPS, contracts/agreements, regulation prescribed by CCA, policy requirement of CA Rules, 2000. The CA shall conduct -
b. half yearly internal audit of security policy, physical security and planning of its operation,
10. What types of measures are being executed by CCA for licensing a CA ?
Detailed information, financial, technical and procedural is obtained from the CA as part of the application for license. These are examined and audited. Additionally, the following are done: - Supervision of activities of CAs. - Auditing of CPS - Auditing Hardware/Software - Certifying public key of CA. - Laying down standards to be maintained by CAs to ensure continues compliance to the requirements of the IT ACT 2000
11. What is CPS ?
CPS (Certification Practice Statement): A statement of the practices, which a certification authority employs in issuing and managing certificates. A CPS may take the form of a declaration by the CA of the details of its trustworthy system and the practices it employs in its operations and in support of issuance of a certificate. General CPS framework is given in the guidelines.
12. Whether CPS differs for one CA to another CA ?
Yes
13. What is the legal sanctity of a certificate issued by outside CA (CA of a foreign country) ?
The sanctity of such a certificate will be as per the agreement between outside CA and a licensed CA in India. Such an agreement has to be approved by the CCA.
14. Can CA have sub CA? Or can there be a concept of root CA, CA and sub CA ?
No. As per IT Act, 2000 there is no provision of a sub CA. All CAs must be granted license by CCA, India. In case of any dispute, the CA licensed by CCA will be answerable.
15. If a person is transferred from one post to another (say in govt. department), the digital signature will also change (yes/no)? Please explain ?
Yes. On moving from one department to another, if the procedures in place so demand, then the existing certificate will be revoked and a new one issued. In any case, the digital signature generated is different each time, even if the same key has been used.
16. In what format the public key should be given to CA for certification ?
In PKCS #10 format
17. In paper world, date and the place where the paper has been signed is recorded and court proceedings are followed on that basis. What mechanism is being followed for dispute settlements in the case of digital signatures ?
Under the IT Act, 2000 Digital Signatures are at par with hand written signatures. Therefore, similar court proceedings will be followed.
18. What is the extent of liability of a CA in case of anti-national activities performed by a subscriber using digital signature and secure encrypted communication ?
CA has no liability, since CA is only facilitating end-to-end secure communication using digital signature.
19. Can a person have two digital signatures say one for official use and other one for personal use ?
Yes.
20. One can sign a paper without the knowledge of a signer. Is it possible in digital signature also ?
It depends upon the how the subscriber has kept his private keys. If private key is not stored securely, then it can be misused without the knowledge of the owner of the private key.
21. Is there a "Specimen Digital Signature" like paper signature ?
No. The Digital signature changes with content of the message.
22. Can digital signature be employed in wireless network ?
Yes
23. Does one require multiple certificates for different banks ?
Ideally, not within the same class.
24. What is the difference between RA(Registration Authority) and CA(Certifying Authority) ?
RA interacts with the subscribers for providing CA services. The RA is subsumed in the CA, which takes total responsibility for all actions of the RA.
25. If somebody uses others computer, instead of his own computer, then is there any possibility of threat to the security of the owners/users digital signature ?
No, there is no threat to the security of the owner / users digital signature, if the private key lies on the smartcard /crypto token and does not leave the SmartCard / Cryptotoken.
26. Does CCA enforce Disaster Recovery Centre for CAs ?
Yes, it is a mandatory requirement under IT Act 2000
27. If CA is out of business then if the subscriber is told to move to another CA then the subscriber has to get a new digital certificate. What happens to his/her earlier transactions ? Does this not create a legal and financial problem ?
Prior to cessation of operations the CA has to follow procedures as laid down under the IT Act. Such problems should not therefore exist.
28. When you cancel an earlier communication you can get it back, how does this work in e-environment ?
A new message saying that the current message supersedes the earlier one can be sent to the recipient(s). This assumes that all messages are time stamped.
Important links for Digital Certificate and Digital Signature
Steps to get Digital Signature Certificate Steps for download and install certificate
Check Expired Root Certficates PKI Framework
CCA Organisation IT Act Amendment(2008)
Storage of private keys - do's and dont's Digital Certificate Interoparability-Notification 2011
CA Certificate Digital Certificate and Signature Regulations
Digital Certificate and e-security DSC Guidelines 2.4
Digital Signature Certificate Interoperability Guidelines r2.0 IT Act Amendment(2008) Rules
RFC guidelines for Digital Certificate: - http://www.ietf.org/rfc/rfc3280.txt RFC guidelines for Digital Signature: - http://tools.ietf.org/html/rfc3125 and http://tools.ietf.org/html/rfc2154
Google Digital Certificate and Signature Images - http://bit.ly/MQseUf