FAQ
Class 2 & Class 3 Individual

Yes. The signature certificate and the encryption certificate should be separate for an individual. The encryption key pair is to be generated on the subscriber's system and archived before it is transferred into the crypto medium, so that encrypted data remains recoverable. The signature key pair should be generated inside the crypto medium and must never be copied out of it.

No. Ideally there should be no need for different certificates; however, a person holding a lower assurance Class 2 certificate may need a higher assurance Class 3 certificate for an application that demands it. A higher assurance Class 3 certificate can be used wherever an application requires a lower assurance certificate. Apart from the assurance level, an additional certificate may be required depending on the information included in the DSC (for example, an application may require the PAN number to be present in the certificate).

Class 2 & Class 3 Organization

Yes

Yes. The signature certificate and the encryption certificate should be separate for an individual. The encryption key pair is to be generated on the subscriber's system and archived before it is transferred into the crypto medium, so that encrypted data remains recoverable. The signature key pair should be generated inside the crypto medium and must never be copied out of it.

Class 1: The verification requirements are (i) Aadhaar eKYC Biometric, or (ii) paper-based application form and supporting documents, or (iii) Aadhaar eKYC OTP + video verification. The private key may be generated and stored in software.

Class 2: The verification requirements are (i) Aadhaar eKYC Biometric, or (ii) paper-based application form and supporting documents, or (iii) Aadhaar eKYC OTP + video verification. The private key must be generated and stored in a hardware cryptographic device validated to FIPS 140-2 Level 2.

Class 3: The verification requirements are (i) Aadhaar eKYC Biometric, or (ii) paper-based application form and supporting documents together with physical personal appearance before the CA or video verification, or (iii) Aadhaar eKYC OTP + video verification. The private key must be generated and stored in a hardware cryptographic device validated to FIPS 140-2 Level 2.

Aadhaar e-KYC-OTP: The verification requirement is Aadhaar eKYC OTP.

Aadhaar e-KYC-Biometric: The verification requirement is Aadhaar eKYC Biometric.

For more details, please refer to section 1.3.5 of the X.509 Certificate Policy for India PKI (CCA-CP).

No. Certificates of the same class and/or type issued by all CAs have the same level of assurance and trust. India PKI follows a hierarchical PKI model in which the Root CA certifies each CA and the CA in turn certifies subscribers. The India PKI Certificate Policy applies to the entire ecosystem of CA certificates, subscriber certificates and key storage media. The method of verification prior to issuance of a certificate of a given assurance level is as per the IVG. Similarly, the content, format and storage medium for all certificates issued by all Licensed CAs are as per the Interoperability Guidelines for DSC and the X.509 Certificate Policy for India PKI. There is no difference between certificates of the same class and type issued by different CAs. The price of the certificate may however vary from CA to CA.

No. CAs can opt out of issuing any class(es) of certificates at their discretion. CAs are not allowed to issue any class of certificate other than those specified in the India PKI CP and specifically allowed by the CCA.

DSC Management

Yes. On moving from one department to another, if the procedure in place so demands, the existing Digital Signature Certificate will be revoked and a new one will have to be issued.

After a CA issues a DSC to a subscriber, any signature created using the device and verifiable with that DSC is deemed to be the subscriber's signature.

Yes

Yes.

DSC for Organisational person

No. The Digital Signature Certificate should be revoked and keys should be destroyed by the subscriber.

A document signer certificate is issued for use by an organisation's software to produce automated, authenticated responses. It is not a replacement for the signature of the organisation's authorised signatory.

An organisation has to consider the assurance level of the DSC, as indicated by its class. If the organisation is not in a position to decide the class of DSC required for its application, a risk analysis may be carried out through auditors empanelled by CERT-In or the CCA and a recommendation obtained.

No. The keys corresponding to Class 2 and Class 3 certificates must be stored in a FIPS 140-2 Level 2 validated crypto token that is in the custody of the subscriber. Storing subscriber key pairs in an HSM does not fully satisfy these storage requirements for Class 2 and Class 3 certificates; where an HSM is used, only a single user may store his or her keys in it.

Digital Signature

CAs do not have any information about the signatures applied by subscribers after issuance of the DSC. The application owners, or the subscribers themselves, can keep records of the signatures they affix.

Aadhaar eKYC based authentication establishes the electronic identity of an individual at a particular point in time; it cannot be used at a later point in time to authenticate documents or transactions. A digital signature, by contrast, authenticates the individual electronically and binds that authentication to the documents or transactions being signed. The intention of the signatory for a particular transaction or document can be conveyed in a form that remains verifiable at any point in the future only by using an electronic signature. A digital signature applied by an individual can be verified independently using software. As per the IT Act, electronic records need to be authenticated by using an electronic signature.

Signatures are to be verified with respect to the time at which the signature was affixed. If the certificate was valid at the time of signing, the signature is deemed valid.

No. The digital signature is computed over the content of the message, so it changes whenever the content changes.

It depends upon how the subscriber has kept his private key. If the private key is not stored securely, it can be misused to sign an electronic record without the knowledge of the key's owner.

Under the IT Act, 2000, digital signatures are on par with handwritten signatures, so similar court proceedings apply. The requirement to record the date and time of signing can be addressed through time stamping.

RSA signature algorithms with SHA-2 hash algorithms, and ECDSA signature algorithms with SHA-2 hash algorithms on the NIST curve P-256. (For details refer to the Digital Signature (End entity rules) 2015 and the Interoperability Guidelines for DSC (CCA-IOG).)

Signature Verification

The procedure for verification of a signature is specified in the Digital Signature (End entity rules) 2015 and in Annexure IV (Application Developer Guidelines) of the Interoperability Guidelines for DSC (CCA-IOG).

Yes. The signer's certificate and the complete chain of issuer certificates up to the Root certificate are required. The chain may either be embedded in the digital signature or be made available to the verifier by the application service provider. Microsoft products carry the Root Certificate of India; if it is not present locally on the verification system, it can be downloaded from http://cca.gov.in. In the case of application-based verification, the application needs to make the Root Certificate available to its verification component.

The digital signature verification process for a document requires the signer's public key, the issuer certificates and their CRLs. The CA will make the issuer certificates and CRLs available until the expiry of the DSCs. For verification beyond the expiry of a DSC, the application should therefore have a provision to store locally the DSC, its issuer certificates and their CRLs as they were at the time the document was signed. To enable verification long after the signature was affixed, it is recommended to use a long-term archival signature format.
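The verification rule stated above (the chain must validate up to the root and the signer must be unrevoked at the time the signature was affixed, using archived issuer certificates and CRLs) is shown below as an added example in Go using only the standard library. It is not code from the CCA or from any Licensed CA. It builds a constructed toy hierarchy (a self-signed "Demo Root CA", a "Demo Licensed CA", a "Demo Subscriber" DSC valid 2020-01-01 to 2022-01-01, and a CRL revoking the subscriber on 2021-09-01; all names, serials and dates are invented), signs a document with ECDSA P-256 and SHA-256 as listed under Digital Signature above, and then verifies it against three claimed signing times. The signing time is taken as an input here; in practice it comes from a trusted time stamp, as the IT Act answer above notes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainMaterial is what a verifier must archive beside a signed document: the signer's DSC,
// the issuing CA certificate, the root, and the issuer's CRL as captured at signing time.
type ChainMaterial struct {
	Root, Issuer, Signer *x509.Certificate
	IssuerCRL            *x509.RevocationList
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// newKey generates an ECDSA key on NIST P-256, one of the algorithms the FAQ lists.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue has parentKey sign tmpl under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// BuildDemoPKI constructs a toy hierarchy Root CA -> CA -> subscriber with fixed validity windows,
// plus a CRL in which the CA revokes the subscriber on 2021-09-01. Every value is constructed.
func BuildDemoPKI() (ChainMaterial, *ecdsa.PrivateKey) {
	rootKey, caKey, subKey := newKey(), newKey(), newKey()
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: date(2019, 1, 1), NotAfter: date(2030, 1, 1), IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo Licensed CA"},
		NotBefore: date(2019, 1, 1), NotAfter: date(2030, 1, 1), IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage}
	ca := issue(caTmpl, root, &caKey.PublicKey, rootKey)
	// A signing-only DSC valid 2020-01-01 to 2022-01-01; an encryption certificate would be a separate one.
	subTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Demo Subscriber"},
		NotBefore: date(2020, 1, 1), NotAfter: date(2022, 1, 1), KeyUsage: x509.KeyUsageDigitalSignature}
	sub := issue(subTmpl, ca, &subKey.PublicKey, caKey)
	revokedAt := date(2021, 9, 1)
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: revokedAt, NextUpdate: revokedAt.Add(30 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: sub.SerialNumber, RevocationTime: revokedAt}},
	}, ca, caKey))))
	return ChainMaterial{Root: root, Issuer: ca, Signer: sub, IssuerCRL: crl}, subKey
}

// SignDocument hashes the document with SHA-256 and signs the digest with ECDSA (DER-encoded).
func SignDocument(doc []byte, key *ecdsa.PrivateKey) []byte {
	digest := sha256.Sum256(doc)
	return must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
}

// VerifyAtSigningTime checks the chain and revocation status as of signedAt, the time the
// signature was affixed, however long after that the verification is actually performed.
func VerifyAtSigningTime(doc, sig []byte, m ChainMaterial, signedAt time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(m.Root)
	inters.AddCert(m.Issuer)
	if _, err := m.Signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: signedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain not valid at signing time: %w", err)
	}
	if m.IssuerCRL == nil { // without an archived CRL the revocation status at signing time is unknowable
		return fmt.Errorf("no issuer CRL archived; revocation status at signing time unknown")
	}
	if err := m.IssuerCRL.CheckSignatureFrom(m.Issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	for _, rc := range m.IssuerCRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(m.Signer.SerialNumber) == 0 && !rc.RevocationTime.After(signedAt) {
			return fmt.Errorf("signer revoked on %s, before signing time", rc.RevocationTime.Format("2006-01-02"))
		}
	}
	// CheckSignature re-hashes doc with SHA-256 and verifies against the DSC's public key.
	if err := m.Signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature does not match document content: %w", err)
	}
	return nil
}

func main() {
	m, key := BuildDemoPKI()
	doc := []byte("constructed sample document")
	sig := SignDocument(doc, key)
	for _, at := range []time.Time{date(2021, 6, 1), date(2021, 10, 1), date(2022, 6, 1)} {
		fmt.Printf("claimed signing time %s: %v\n", at.Format("2006-01-02"), VerifyAtSigningTime(doc, sig, m, at))
	}
}
```

A signature claimed for 2021-06-01 verifies even though the DSC has since expired, because validity is judged at the signing time; one claimed for 2021-10-01 is rejected against the archived CRL, one for 2022-06-01 is rejected as expired, and any change to the document bytes fails the final check. Note that the CRL used must have been captured close to the signing time: a CRL issued earlier cannot speak to a later revocation, which is the reason the answer above asks applications to store issuer certificates and CRLs as they were when the document was signed.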

Certifying Authority

The RA interacts with DSC applicants to collect documents, helps them submit the DSC application and, in some cases, helps them obtain and use the hardware crypto device. The CA is responsible for verification and issuance of the DSC to the applicant. In the case of Aadhaar eKYC based identity verification, the CA may use RA services to facilitate it. The responsibilities of an organisational RA differ from those of an RA that deals with individuals claiming no organisational affiliation.

Prior to cessation of operations, the CA has to follow the procedures laid down under the IT Act. The CA needs to revoke all valid certificates prior to its closure, and the subscriber has to obtain a new Digital Signature Certificate from another Licensed CA. Signatures made by the subscriber before the revocation of the certificate remain valid, because signatures are validated with respect to the validity of the certificate at the time the signature was affixed.

CAs are allowed to create Sub-CAs under the CA certificate issued by the Controller. However, these Sub-CAs are only technical arrangements within the same CA infrastructure for management purposes; they are not independent legal entities.

In PKCS #10 format (a certificate signing request that carries the applicant's public key and requested subject, signed with the corresponding private key).
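As an added example (not code from the CCA or any Licensed CA), the Go program below builds a PKCS #10 request and then applies the checks a CA or RA would run on an incoming request: the request parses, its self-signature verifies (proof that the applicant holds the private key, which never has to leave the token), and the signature algorithm is one of those listed under Digital Signature above, with ECDSA restricted to NIST P-256. The subject values ("Demo Org", country IN) are constructed, and the key is generated in memory only for demonstration; for a Class 2 or Class 3 DSC it would be generated inside the FIPS 140-2 Level 2 token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// allowedSigAlgs mirrors the algorithms the FAQ lists: RSA and ECDSA, each with a SHA-2 digest.
var allowedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// NewCSR generates a P-256 key pair and a PEM-encoded PKCS #10 request for it.
// Only the request leaves this function's caller in a real enrolment; the key stays
// with the subscriber (in the token for Class 2/3). Subject values are constructed.
func NewCSR(commonName string) ([]byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName, Organization: []string{"Demo Org"}, Country: []string{"IN"}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key) // signed with key: ECDSA-with-SHA256
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key
}

// CheckCSR performs the intake checks on a request: well-formed PKCS #10, valid
// self-signature (proof of possession), and a permitted key/signature algorithm.
func CheckCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM-encoded PKCS #10 request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("malformed PKCS #10: %w", err)
	}
	// The request is signed with the subject's private key over the request body;
	// a valid signature proves possession without the private key ever being disclosed.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if !allowedSigAlgs[csr.SignatureAlgorithm] {
		return nil, fmt.Errorf("signature algorithm %v not permitted", csr.SignatureAlgorithm)
	}
	if pub, ok := csr.PublicKey.(*ecdsa.PublicKey); ok && pub.Curve.Params().Name != "P-256" {
		return nil, fmt.Errorf("ECDSA curve %s not permitted; only NIST P-256", pub.Curve.Params().Name)
	}
	return csr, nil
}

func main() {
	csrPEM, _ := NewCSR("Demo Subscriber")
	fmt.Print(string(csrPEM))
	if csr, err := CheckCSR(csrPEM); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("accepted:", csr.Subject, csr.SignatureAlgorithm)
	}
}
```

The same CheckCSR rejects a request whose bytes were altered in transit, since the self-signature no longer verifies; an RA forwarding requests to the CA should run these checks before any identity verification work is spent on the application.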

Yes

Issuance of DSC to Foreign Nationals

Yes. The procedure to be followed by CAs for verification of foreign nationals is given in section 3 of the Identity Verification Guidelines (CCA-IVG).