Security Special: Digital Signatures
It’s early days for digital signatures in India
Though Indian enterprises are gradually adopting digital
signatures and cryptography, things are still in the pilot stage, says Abhinav
Singh
The adoption rate for digital signatures in India
by Indian enterprises has been pretty pathetic and highly disappointing
due to the lack of awareness about the concept, says Pavan Duggal
The market for digital signatures and cryptography got
a shot in the arm from the Government of India’s IT Act, 2000, when the authorities
came out with a detailed policy on digital signatures, gave legal status to
digital signatures and recognised e-commerce transactions. Section 3 of the
IT Act states that any subscriber may authenticate an electronic record by affixing
his digital signature to it. However, three years after this watershed event,
adoption of digital signatures in India, especially by government departments,
is slow. The silver lining is that usage is picking up in organisations such
as the Director General of Foreign Trade (DGFT). Educational institutions like
the DOEACC (Department of Education for Accredited Computer Courses) and IGNOU
(Indira Gandhi National Open University) are using digital signatures to help
students register online.
E-commerce—the white knight that wasn’t
Shopping and auction sites such as Sifymall,
Baazee, Rediff and Fabmall are employing digital certificates to prove to visitors
that they are who they claim to be. With organisations like the Indian Railways
and various airlines offering online ticketing and booking facilities, valid
digital certificates and signatures are essential for maintaining authenticity
and credibility.
Net banking—secured by cryptography
IDRBT (Institute for Development and Research
in Banking Technology), the technology arm of the Reserve Bank of India, is
pushing the concept of digital signatures with nationalised banks. Online banking
transactions are driving the usage of digital signatures, and certificates are
gaining ground in the banking sector. Many Indian banks—ICICI Bank, Citibank
and HDFC Bank are notable mentions here—as well as the National Stock Exchange
and many share depositories are also using digital certificates on their websites.
This is powering the market for server certificates that let visitors to a site
authenticate the site’s identity so that they feel secure while communicating
with their bank or depository online. Server certificates let financial institutions
and their customers exchange confidential information in a secure manner. Digital
signatures in the server certificate are used to generate the hash for encrypting
and decrypting SSL traffic to and from the e-commerce server. This kind of certificate
is useful for B2B sites such as supplier portals that let a company’s Tier 2
and 3 suppliers access information regarding product availability and shipping
dates, and manage inventory.
Growing Net usage is helping
Despite pathetic infrastructure, Internet
usage in India is on the rise, leading to a growth in the number of personal
certificates being used by individuals. The killer app here is to sign e-mail
with a personal digital certificate. That said, server certificates are more
popular.
Surendra Singh, who heads RSA Security’s
South-Asian operations, says, "Server certificates are more popular than
personal certificates as people still fear that legal disputes may arise as
a consequence of using personal certificates."
Trimming the paper trail
The need to reduce the quantum of paperwork
in an organisation is another driver. Companies prefer to conduct legal and
business transactions online and are adopting certificates that authenticate
such transactions. Suresh Raman, head of Marketing at Microland, says, "Digital
signatures and certificates are a step in the direction of minimising paperwork."
Popular software such as Outlook Express, Outlook and Netscape Mail come equipped
to handle digital certificates.
Urmez Daver, marketing services manager
for SafeScrypt, says, "Very rarely do we see a product which is not capable
of handling digital certificates and signatures. We just have to plug in certificates
into the existing products."
Server certificates are more popular than personal
certificates as people still fear that legal disputes may arise as a consequence
of using personal certificates, says Surendra Singh
Dipping a toe in cryptographic water
Indian enterprises are evaluating digital
signatures and certificates. Although a large number of enterprises use them
for signing e-mail, they are still running pilot projects to assess the usability
of digital signatures. The banking, financial services and insurance sector
cannot do without digital certificates for its online presence, but Indian enterprises
seem to feel that they can do fine without them for the greater part. Pavan
Duggal, advocate at the Supreme Court of India and founder president of Cyber
Law India, says, "The adoption rate for digital signatures in India by Indian
enterprises has been pretty pathetic and highly disappointing due to the lack
of awareness about the concept. The dotcom bust and the consequent condition
of the economy has also contributed to this scenario."
Glacial growth
Talk to vendors and it’s apparent that
the adoption of digital signatures and certification isn’t going to skyrocket
very soon. Companies selling these solutions are hoping that the market will
take off in the next couple of years. There are concerns regarding uniform control
and policy over certifying authorities. The Controller of Certification Authorities
(CCA) of the Ministry of Communication & Information Technology has given
ICICI Infotech the contract for the supply and installation of the National
Root Certification Authority, with an aim to bring uniformity amongst different
certifying authorities in India. Duggal adds, "Once banks and other government
enterprises start using digital signatures in a big way, it will be a turning
point in the usage and adoption of digital signatures and certificates in India.
People will then get convinced about the merits of digital signatures and about
their need and utility in day-to-day life."
Adoption rates may be slow but the next
couple of years are expected to see a rise in the usage of cryptography. Raman
of Microland says, "There were few takers for credit cards five years ago
but now their usage has taken off in a big way." He expects the same to
happen with digital signatures and cryptography as well.
Taxation of e-commerce transactions is
hampering widespread usage of digital signatures and certificates. K Vaitheeswaran,
vice-president at Fabmall, says, "Unlike in the US where all e-commerce
transactions are tax-free, we have to pay tax on every transaction in India.
Tax varies from product to product. This is a major issue that discourages vendors
from venturing into e-commerce in India. That, in turn, leads to lower growth
of digital signatures and certificates."
Any way you look at it, digital certification
is in a primitive stage in India. Acceptance will come only if Internet commerce
takes off big time or if companies start seeing the benefits of using digitally
signed documents to reduce the paper trail.
Digital certificates play a pivotal role in ensuring authentication and
non-repudiation, while authorisation, integrity and confidentiality are
taken care of by other elements of PKI (Public Key Infrastructure). There
are various PKCS (Public Key Cryptography Standards) that form the basis
of this technology. The strength of encryption is measured in bits; that's
basically a reference to how big the key is. The bigger the key, the stronger
the encryption. 128-bit encryption is prevalent today.
Digital signatures use what is known as public key cryptography,
which employs an algorithm using two different but mathematically related
keys. One key is used to create a digital signature or transform
data into a seemingly incoherent form. The other key is used to verify
a digital signature or return a message to its original form. Another
fundamental process, known as a hash function,
is used in creating and verifying a digital signature. A hash function
is an algorithm which creates a digital representation or fingerprint
in the form of a hash value or hash result of
a standard length, which is usually much smaller than the message but
nevertheless unique to it. Any change to the message invariably produces
a different hash result when the same hash function is used. Hash functions
are what let the software used to create digital signatures assure you
that there has been no modification of the message since it was digitally
signed.
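The sign-and-verify process described above, as an added example that is not part of the original article: textbook RSA applied to a SHA-256 hash, using only the Python standard library. The key is constructed here from two well-known Mersenne primes and no padding is applied, so it shows the mechanism only; production systems use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib

# Constructed demo key (assumption, not from the article): textbook RSA built
# from two well-known Mersenne primes. Trivially factorable and unpadded.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent, used to verify
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, used to sign


def fingerprint(message: bytes) -> int:
    """Hash result of fixed length (SHA-256, 32 bytes) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signer: transform the hash result with the private key."""
    return pow(fingerprint(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Verifier: reverse the transform with the public key, then compare
    the recovered hash with a fresh hash of the message as received."""
    return pow(signature, E, N) == fingerprint(message)


def demo() -> dict:
    original = b"Pay Rs. 1,000 to account 1234"   # constructed sample
    tampered = b"Pay Rs. 9,000 to account 1234"   # one character changed
    sig = sign(original)
    return {
        "original_ok": verify(original, sig),         # True
        "tampered_ok": verify(tampered, sig),         # False
        "altered_sig_ok": verify(original, sig + 1),  # False
        "hashes_differ": fingerprint(original) != fingerprint(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```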
- SafeScrypt (A Sify-Verisign venture).
- Tata Consultancy Services.
- National Informatics Centre.
- IDRBT (Institute of Development and Research in Banking Technology,
Hyderabad), the technology arm of the Reserve Bank of India, is pushing
the concept of digital signatures aggressively with nationalised banks
in India.
- The Controller of Certification Authorities (CCA) of the Ministry
of Communication & Information Technology has given ICICI Infotech
the contract for the supply and installation of the National Root Certification
Authority, with an aim to bring uniformity amongst the different certifying
authorities in India.