Issue dated - 14th April 2003


Digital certificates are here to stay

It’s almost a year since the first digital certificate was issued to the then IT minister, Pramod Mahajan, by the country’s first certifying authority, SafeScrypt. Srikanth R P takes a look at the digital certificate market that is slowly but gradually emerging, and spreading its roots across diverse sectors.

With the Indian IT Act 2000 granting legal status to digital signatures, documents signed by digital certificates are acceptable in Indian courts, says Dasharathaman

If you have ever visited a stockbroking firm, chances are you’d witness huge volumes of paper being generated and bills frantically sent to clients. This nightmarish paper trail scenario remains just as bad even at an online trading firm, because even online brokers have to send contract notes to clients because of SEBI guidelines. Under SEBI and stock exchange guidelines, every stockbroker has to issue a contract note to a client at the end of each trading day. This note must contain details of all transactions for that day and must be issued within 24 hours of the trade.

What this means for a typical broking firm is a huge investment in manpower and logistics to ensure that contract notes are delivered to clients within the stipulated deadlines. ICICIdirect.com, the market leader in online trading, faced this situation as it had more than 1,59,000 customers who were using its services on a regular basis. Rather than being burdened with sending the contract notes, ICICIdirect.com took the smart way out.

The outfit simply switched over to contract notes that could be authenticated using digital certificates. This solution not only helped authorised signatories at ICICIdirect.com in digitally signing each of the contract notes generated daily, but also enabled the company’s customers to log onto their designated portions of the portal and verify the digital signatures and signed contents. Using digital certificates, the lengthy process of validating and delivering contract notes could be completed in a jiffy.

Adoption rates picking up
In a span of about a year since the first digital certificate was launched, digital certificates are gradually making their way into every possible business scenario. For instance, India’s leading software services firm Infosys uses digital certificates from SafeScrypt to sign and encrypt e-mail related to top management of the firm.

Even government agencies, typically known to be laggards when it comes to adoption of new technologies, are jumping on the bandwagon by adopting digital certificates. For instance, the Director General of Foreign trade (DGFT) recently took a revolutionary step by mandating that all DGFT transactions would henceforth be signed with digital signatures. As all EXIM notifications and public notices would be transmitted with digital signatures, the exporting community who apply for import/export licenses will now be able to interact directly with DGFT on a secured electronic platform, which will facilitate paperless verification and processing. Similarly, educational institutions like the DOEACC (Department of Education for Accredited Computer Courses) and IGNOU (Indira Gandhi National Open University) are using digital signatures for students to register online.

When digital certificates were first launched, very few industry analysts were optimistic about adoption rates as India has traditionally been slow in adopting new technologies. But the above instances of adoption in diverse sectors prove that digital certificates are slowly but surely making their presence felt in India.

Market scenario
The current scenario with respect to digital certificates can be best described as evolutionary, with every player trying to push this concept by educating users on the need for and benefits of digital certificates. Currently, the Indian market has four players in the arena—SafeScrypt, IDRBT, TCS and NIC—who are licensed by the government to issue digital certificates. The most aggressive player of this lot, SafeScrypt, has not only managed to create a huge client list for its digital certificates but more importantly, has been able to convince corporates in diverse sectors to adopt digital certificates.

Companies such as ICICI Web Trade, Infosys, NSE.IT, DOEACC, IGNOU and DGFT are all SafeScrypt clients. Naturally, SafeScrypt is bullish on its prospects. Says K Dasharathaman, managing director of SafeScrypt, “Digital signatures are here to stay. We see immense potential in virtually every sphere of business for deriving benefits from this technology. With the Indian IT Act 2000 granting legal status to digital signatures and granting digital signatures the same status as physically signed information, documents signed by digital certificates are acceptable in Indian courts. What is encouraging is the fact that despite it being new technology and the current environment for all businesses in India, the technology has received a tremendous response here. We expect to sell close to 15,000 certificates in India by the end of this quarter.”

Internet banking facilities will remain basic and under-utilised so long as they are not supported by proper trust and security mechanisms, says Robert Raja

Sectors to drive growth
While digital certificates are useful in almost every industry sector, one of the most important sectors where digital certificates could make an impact is the banking sector, where confidentiality of data is more important than perhaps in any other sector. This is the space that most players are looking to tap in a big way. Players like IDRBT (Institute for Development and Research in Banking Technology) are pushing digital certificates aggressively for adoption by banking players.

Says V P Gulati, director of IDRBT, “Our primary goal is absorption of IT in banks and financial institutions and not really selling digital certificates towards commercial objectives. We give certificates to banks and financial institutions since we believe that this is the base of the pyramid on which the whole digital certificate market will expand. Though the Indian digital signature market is in a nascent stage, the real potential will evolve once all bank applications are PKI-enabled and the common customer starts using digital signatures in the same way that he uses credit cards today.” Despite being non-commercially oriented, IDRBT has issued more than 900 digital certificates in an extremely short period of approximately seven months since it received its license for issuing certificates in August 2002.

Adds Robert Raja, managing director of Odyssey Technologies and one of the members of the advisory group on PKI technology, “Many banks in the country offer Internet banking facilities. These facilities will remain basic and under-utilised so long as they are not supported by proper trust and security mechanisms. This would mean all investments would remain under-utilised too, because of lack of security. Digital signatures can provide this trust and security. Additionally, in a country like ours, there is a huge opportunity in distribution-based industries such as FMCG, pharmaceuticals and automobiles. Many of them have already invested substantial sums of money on IT. Adding the security and trust elements to their applications would greatly help in realising the benefits of their IT initiatives.”

Industry analysts also believe that digital certificates would be made mandatory in a few years from now for high-value banking transactions where confidentiality of data is critical. Players like SafeScrypt also expect deployments to pick up in corporate supply chains and in ITES applications.

Key challenges
In spite of the tremendous gains made by players in the digital certificate market, there are many key challenges, which need to be addressed for the industry to take off even higher. For instance, there is still a lack of awareness in the market and most users still view digital certificates as a technology rather than as a business enabler.

Robert Raja of Odyssey Technologies sums up the scenario in the Indian context almost perfectly when he says, “We need to remember that digital signatures seek to replace manual signatures, which have been in vogue for centuries. The challenge is daunting and acceptability will come only through applications. Just having digital signature technology would lead to no real growth. This is the reason why a lack of adequate software applications remains the biggest challenge to this market. For instance, in spite of PKI being around for nearly a decade, and in India itself for a couple of years, we still talk only about secure e-mailing and SSL connections to websites, which in our opinion are necessary, but mundane. One should understand that PKI, as the name suggests, is an infrastructure, like the power grid or rails or roads. Without adequate end-appliances, this infrastructure would remain mere infrastructure, like roads without cars. This is what is happening with PKI at the moment. The other big challenge, the end-user cost part, will probably cease to be a challenge once a large number of applications use the same certificate and the cost is amortised over a large number of utilities.”

There is also a misconception in the market that PKI applications have to be supported by a huge population of digital certificates. Explains Raja, “There is a whole array of applications where one or two certificates can be deployed to bring enormous cost savings. Think of identity management and authorisation applications. Some government agencies are managing identities and authorising its citizens: authorisation for driving, voting or for purchasing goods from the public distribution system. But what most people don’t know is that it takes a single digital certificate for the transport officer to issue digitally signed licenses, consisting of all the identity information of the concerned person. You will find that licenses can be issued at a far cheaper cost than using expensive smart cards as is now resorted to in some states. Since the licenses are digitally signed, they are unalterable and at the same time verifiable with a very simple process. The license holder can make any number of official copies of his license, but does not have the ability to alter even a space. This model can be extended to other commercial and educational frameworks.”

With more and more states looking at e-governance initiatives, the market for digital certificates could receive a well-needed fillip from that sector too. While the Indian digital certificate market is still in a nascent stage, the small pockets of adoption in diverse sectors could definitely help in spreading awareness about this technology.

What’s a digital certificate?
In simple terms, a digital certificate is a reliable electronic method of signing electronic documents that provides the recipient with a way to verify the sender and also determine whether the content of the document has been tampered with. Digital certificates use a method of cryptography called asymmetric encryption. Unlike symmetric encryption, which uses the same secret password to view messages, asymmetric encryption, also called public key encryption, uses a pair of keys, namely a public and a private key. The public key is published in a public directory and the corresponding private key is kept secret. So the sender uses one key to encode the message and the receiver uses another matching key to decode the message. In a digital signature, the signer (say A) encodes the document with his own private key that is available only with him. The receiver decrypts the message with A’s public key that is available publicly. Since the receiver is able to decode the message using A’s public key, and since A is the only one who has access to his private key, everyone knows that the message is indeed signed by A. Further, the receiver cannot alter the data sent by A. This proves the authenticity of the document.
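
The sign-and-verify flow described here, and the single-signer license model Raja outlines earlier, can be shown in a few lines. This is an added example, not part of the original article: it uses textbook RSA over a SHA-256 hash with a constructed demo key and a constructed license record, and the names `sign`, `verify` and `demo` are hypothetical.

```python
import hashlib

# Constructed demo key built from two known Mersenne primes. It is far too
# small and structured for real use; production systems use a vetted
# library, large random primes and a padding scheme.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by signer A


def digest(document: bytes) -> int:
    """SHA-256 of the document, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """Signer A transforms the document hash with the private key."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Anyone with A's public key (N, E) can check the signature."""
    return pow(signature, E, N) == digest(document)


# Constructed sample record standing in for a digitally signed license.
LICENSE = b"name=A. Kumar;class=LMV;valid_until=2023-04-14"
SIGNATURE = sign(LICENSE)


def demo():
    """Return (exact copy verifies, copy with one extra space verifies)."""
    exact_copy = bytes(LICENSE)
    altered = LICENSE.replace(b"A. Kumar", b"A.  Kumar")
    return verify(exact_copy, SIGNATURE), verify(altered, SIGNATURE)


if __name__ == "__main__":
    print(demo())
```
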


© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.