AADHAAR GUIDELINES ON E-SIGN

The Information Technology Act (IT Act) provides the basic legal and administrative framework for e-commerce and promotes its growth by creating trust in the electronic environment. According to section 4 of the Act, where any law requires that information or any other matter be authenticated by affixing a signature, then, notwithstanding anything contained in that law, the requirement is deemed to be fulfilled if the information is authenticated by means of an electronic signature affixed in the manner prescribed by the Central Government. The Second Schedule of the IT Act recognises a legally accepted method of secure e-sign. The Act places e-sign on an equal footing with the traditional signature. Moreover, e-sign is a technically and legally far more secure way of signing a document than the traditional techniques.

E-sign is regulated by the Controller of Certifying Authorities, Ministry of Electronics and Information Technology, Government of India. The IT Act provides for the Controller of Certifying Authorities (CCA) to license and regulate the working of Certifying Authorities. The Certifying Authorities (CAs) issue Digital Signature Certificates (DSCs) for authentication of users in cyberspace. Before issuing a DSC, the Certifying Authority (CA) is required to verify the credentials of the applicant as stated in the application form and supporting documents. The physical presence of the individual is required for class II and III certificates.

Process of generating E-sign under UIDAI

The Unique Identification Authority of India (UIDAI) is committed to providing a Unique Identification Number (Aadhaar Number) to all the residents of India. In the Aadhaar e-KYC process, people authorise UIDAI to provide their demographic data along with their photograph (electronically signed and encrypted) to the service provider. E-sign is created by authenticating the consumer through the Aadhaar e-KYC service. It allows an Aadhaar holder to sign a document electronically through an online service. An Aadhaar number is mandatory for availing this service. E-sign is an integrated service that issues a Digital Signature Certificate and signs the requested data after authenticating the Aadhaar holder.

The Government of India issued a Gazette Notification in 2015 to validate the e-authentication of Aadhaar e-KYC services by electronic or digital signature (e-sign). It also lays down the procedure to be followed. The procedure states that the authentication of an electronic record by the e-authentication technique shall be done by:

  • The applicable use of e-authentication, hash and asymmetric cryptosystem techniques, leading to the issuance of a Digital Signature Certificate by a Certifying Authority.
  • A trusted third-party service for the subscriber's key pair generation, storage of the key pair on a hardware security module and creation of the digital signature, provided that the trusted third-party service is offered by the Certifying Authority. The trusted third party sends the application form and certificate signing request to the Certifying Authority for issuing a Digital Signature Certificate to the subscriber.
  • Issuance of the Digital Signature Certificate by the Certifying Authority shall be based on e-authentication, the particulars specified in Form C of Schedule IV of the Information Technology (Certifying Authorities) Rules, 2000, digitally signed verified information from Aadhaar e-KYC services and the electronic consent of the Digital Signature Certificate applicant.
  • The manner and requirements for e-authentication shall be as issued by the Controller from time to time.
  • The security procedure for creating the subscriber's key pair shall be in accordance with the e-authentication guidelines issued by the Controller.
  • The standards referred to in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000 shall be complied with, in so far as they relate to the certification function of the public key of the Digital Signature Certificate applicant.
  • The manner in which information is authenticated by means of a digital signature shall comply with the standards specified in rule 6 of the Information Technology (Certifying Authorities) Rules, 2000, in so far as they relate to the creation, storage and transmission of the Digital Signature Certificate.

UIDAI states that the digital signature certificate for an e-sign online electronic signature is issued in the following classes:

  • OTP-based e-KYC – An Aadhaar OTP class certificate is issued to individuals based on OTP authentication of the subscriber through Aadhaar e-KYC.
  • Biometric-based e-KYC – The certificate is issued based on biometric authentication of the subscriber through the Aadhaar e-KYC service.

The following guidelines are provided by the UIDAI to validate e-sign:

  • Right-click on the 'validity unknown' icon and click on 'Validate Signature'
  • The signature validation status window appears; click on 'Signature Properties'
  • Click on 'Show Certificate'
  • Verify that there is a certification path named 'NIC sub-CA for NIC 2011, National Informatics centre'. This identifies 'NIC sub-CA for NIC 2011, National Informatics centre' as the owner of the digital certificate that was used when signing the document
  • Select the certification path named 'NIC sub-CA for NIC 2011, National Informatics centre', click the 'Trust' tab and then 'Add to Trusted Identities'
  • Answer 'OK' to any security question that follows
  • Check (✔) the field for 'Use this certificate as a trusted root' and click 'OK' twice to close this and the next window
  • Click 'Validate Signature' to execute the validation

Note: Once 'NIC sub-CA for NIC 2011, National Informatics centre' has been added as a Trusted Identity, any subsequent documents with digital signatures from the CCA will be validated automatically when opened.
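The issuance procedure described earlier (key pair generated by the trusted third party, Digital Signature Certificate issued by the Certifying Authority, hash-and-sign of the requested data) and the validation steps just listed (chain to a trusted root, certificate valid at signing time) as an added Go example; this is not code from UIDAI, the CCA or any e-Sign provider. The self-signed CA, the subscriber name and the validity period are constructed stand-ins, and the Aadhaar e-KYC authentication is assumed to have already succeeded before ESign is called.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// NewCA builds a self-signed stand-in for the Certifying Authority (constructed; not a real CCA root).
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "e-Sign CA (constructed)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ESign models the provider backend after a successful e-KYC: fresh subscriber key pair, one-time DSC of short
// validity issued by the CA, RSA signature over the SHA-256 hash of the data; the private key is then dropped.
func ESign(doc []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey, validity time.Duration) (sig, certDER []byte, err error) {
	subKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Aadhaar holder (constructed)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity), KeyUsage: x509.KeyUsageDigitalSignature}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, caCert, &subKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	digest := sha256.Sum256(doc) // hash first, then sign the digest with the subscriber's private key
	sig, err = rsa.SignPKCS1v15(rand.Reader, subKey, crypto.SHA256, digest[:])
	return sig, certDER, err
}

// Verify is the reader-side check: the DSC chains to the trusted root, is valid at signing time, and the hash matches.
func Verify(doc, sig, certDER []byte, root *x509.Certificate, at time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	roots := x509.NewCertPool() // the equivalent of "Add to Trusted Identities": only this root is trusted
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = cert.Verify(opts); err != nil { return err }
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig)
}
```

Verify rejects a document that differs from the one signed, a DSC checked after its short validity has ended, and a DSC that does not chain to the root the reader trusts.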

It is clear by now that although the method of e-sign differs from a traditional handwritten signature, both have the same evidentiary value. However, it must be noted that e-sign is more secure than the traditional signature due to the complexities attached to it. After getting legal recognition from the IT Act, e-sign has been conveniently adopted by institutions like RBI, SEBI, NPCI, etc. E-sign provides an efficient and more secure way to do business in the market. At the same time, people are also expected to know how to use e-sign in order to avoid fraud.

Scalability of E-Sign

E-sign gives users the ability to digitally sign electronic documents, resulting in a hassle-free, fully paperless service. The features of e-sign are as follows:

  • An Aadhaar holder can sign a document with Aadhaar biometric or OTP authentication, requiring no physical device or paper-based application forms or documents
  • Authentication of the signer is carried out using Aadhaar e-KYC, and the signing of the document is carried out on a backend server of the e-Sign provider
  • The service can be run by a trusted third-party service provider; to begin with, the trusted third-party service shall be offered only by Certifying Authorities
  • The e-Sign service issues a Digital Signature Certificate and signs the requested data after authenticating the Aadhaar holder
  • The certificate issued through the e-Sign service has a limited validity period and is only for the one-time signing of the requested data, in a single session
  • The service authenticates the person, performs Aadhaar e-KYC, and then electronically signs the input within the e-Sign provider backend. Such a scheme allows DSC usage to be scaled massively and allows many third-party applications to use the service via an open API and integrate DSC into their applications