Information Technology Act
Digital signatures: legitimacy and use
The Act has adopted the Public Key Infrastructure (PKI) for securing electronic transactions. A digital signature means an authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the other provisions of the Act. Thus a subscriber can authenticate an electronic record by affixing his digital signature. A private key is used to create a digital signature whereas a public key is used to verify the digital signature and electronic record. They both are unique for each subscriber and together form a functioning key pair. Further, the Act provides that when any information or other matter needs to be authenticated by the signature of a person, the same can be authenticated by means of the digital signature affixed in a manner prescribed by the Central Government. The Act also gives the Central Government powers:
to make rules prescribing the digital signature b) the manner in which it shall be affixed c) the procedure to identify the person affixing the signature d) the maintenance of integrity, security and confidentiality of records or
payments and rules regarding any other appropriate matters.
These signatures are to be authenticated by Certifying Authorities (CAs) appointed under the Act. These authorities would inter alia, have the license to issue Digital Signature Certificates (DSCs). The applicant must have a private key that can create a digital signature. This private key and the public key listed on the DSC must form the functioning key pair.
Once the subscriber has accepted the DSC, he shall generate the key pair by applying the security procedure. Every subscriber is under an obligation to exercise reasonable care and caution to retain control of the private key corresponding to the public key listed in his DSC. The subscriber must take all precautions not to disclose the private key to any third party. If however, the private key is compromised, he must communicate the same to the Certifying Authority (CA) without any delay.