Faq | Pantagon Sign Securities Pvt. Ltd.

Asked & Questions

Class 2 & Class 3 Individual

Should individual's signature and encryption certificate be different?

Ans. Yes, The signature and encryption certificate should be separate for an individual. The encryption keys are to be generated at the subscriber's system and should be archived prior to transfer into crypto-medium. The signature keys should be generated in the crypto-medium and should not be copied.

Does one require multiple certificates for different application?

Ans. No, Ideally, there should not be any requirement for different certificates, however the person holding lower assurance Class 2 certificate may require higher assurance Class 3 certificates for application which demand the same. The higher assurance Class 3 certificates can be used where ever application requires lower assurance certificate. Apart from assurance, depending on the information included in the DSC additional certificate may be required.

Class 2 & Class 3 Organization

Whether a person is allowed to take multiple certificates from different CAs?

Ans. Yes

Should individual's signature and encryption certificate be different?

What are the different classes of Digital Signature Certificates?

Ans. Class 1 : The verification requirements are
(i) Aadhaar
(ii) paper based application form and supporting documents
(iii) Forward message notification + Video Verification. The Private Key generation and storage can be in software.

Class 2 : The verification requirements are
(i) Aadhaar
(ii) Paper based application form and supporting documents
(iii) Forward message notification + Video Verification . The Private Key generation and storage should be in Hardware.

Class 3 : The verification requirements are
(i) Aadhaar
(ii) Paper based application form and supporting documents and (physical personal appearance before CA or Video verification)
(iii) Forward message notification+ Video Verification . The Private Key generation and storage should be in Hard ware cryptographic device validated to FIPS 140-2 level 2

Whether the same class and/or type of certificates issued by one CA can be different from
that issued by another CA?

Ans. No. The same class and/or type of certificates issued by all CAs have the same level of assurance and trust.India PKI follows a Hierarchical PKI model where Root CA certifies CA and CA in turn certifies the subscriber. The India PKI Certificate Policy is applicable to the entire eco-system of CA certificate, subscriber's certificates and key storage medium. The method of verification prior to issuance of same assurance level certificate is as per the IVG. Similarly, the content format and storage medium for all certificates issued by all Licensed CAs are as per Interoperability Guidelines for DSC and X.509 Certificate Policy for India PKI. There is no difference in the certificates of same class and type issued by different CAs. The price of the certificate may however vary from CA to CA.

Whether all CAs have to mandatorily issue all classes of certificates?

Ans. No. CAs can opt out of issuance of any class of certificates at their discretion. CAs are not allowed to issue any classes of certificates to other than that specified in the India PKI CP and specifically allowed by CCA

DSC Management

If a person is transferred from one post to another, the digital signature will also change?

Ans. Yes. On moving from one department to another, if the procedure in place so demands then the existing Digital Signature Certificate will be revoked and a new one will be required to be issued.

Why is it important that custody of Hardware Cryptographic Device containing the signature creation
data should only be with subscriber?

Ans. After the issuance of DSC to subscriber by CA, any signature created using the device and verifiable through this DSC is deemed as subscriber's signature.

Whether Class 3 individual Digital Signature Certificates can be used where class 2 individual Digital Signature
Certificates is a requirement?

Ans. Yes.

Whether the same class and/or type of certificates issued by one CA can be different
from that issued by another CA?

Ans. Yes.

DSC for Organisational person

Whether Digital Signature certificate & signing keys of an employee can be retained by organisation upon
the subscribers exiting the organisation?

Ans. No. The Digital Signature Certificate should be revoked and keys should be destroyed by the subscriber.

Whether Document Signer Certificate can be treated as organisational certificate.

Ans. The document signer certificate is issued for use with the software of an organisation for automated authenticated response. Document signer certificate is not a replacement for the signature of the authorised signatory of the organisation.

Digital Signatures are available in different Classes where as individual's ink signature is unique? How an organisation decides the appropriate signature for their application?

Ans. Organisation has to see assurance levels of DSC as indicated by its class. If organization is not competent to decide the Class of the DSC required for their application, a Risk Analysis may be carried out through empanelled auditors of Cert-IN or CCA and a recommendation may be obtained.

Digital Signature

Whether CAs will have information on the signature carried out by subscribers?

Ans. CAs will not have any information on the signatures applied by the subscribers after the issuance of DSC. The application owners or subscribers themselves can keep records of the signature affixed by them.

Whether my signature will be valid after the expiry of certificate?

Ans. Signatures are to be verified with respect to signature affixing time. If the certificate is valid at the time of signature, the signature is deemed to be valid.

Is there a Specimen Digital Signature like paper signature?

Ans. No. The Digital signature changes with content of the message.

Whether it is possible to sign an electronic record without the knowledge of a signer?

Ans. It depends upon the how the subscriber has kept his private keys. If private key is not stored securely, then it can be misused to sign an electronic record without the knowledge of the owner of the private key.It depends upon the how the subscriber has kept his private keys. If private key is not stored securely, then it can be misused to sign an electronic record without the knowledge of the owner of the private key.

In paper world, date and the place where the paper has been signed is recorded and court proceedings are followed on that basis. What mechanism is being followed for dispute settlements in the case of digital signatures?

Ans. Under the IT Act, 2000 Digital Signatures are at par with hand written signatures. Therefore, similar court proceedings will be followed. The requirements of recording of date and time can be addressed through Time Stamping.

What are the signature types allowed as per the existing standards?

Ans. RSA Signature Algorithms with SHA2 Hashing Algorithms ECDSA Signature Algorithms with SHA2 Hashing Algorithms and NIST Curve p-256. (For details ref Digital Signature 2019 and also Interoperability Guidelines for DSC.

Signature Verification

Where can I find the verification method to be followed in the rules and Guidlines?

Ans. The procedure for verification of signature is specified in Digital Signature 2019 and also in Annexure IV Application Developer Guidelines of Interoperability Guidelines for DSC (CCA-IOG).

For verification of Digital Signature of any individual, whether I need the certificates of the signer
and the issuing CA?

Ans. Yes. Signer's certificate and the complete issuer chain of certificates up to the Root certificate are required. The chain may either be part of Digital Signature or be made available to the verifier by the application service provider. Microsoft products carry Root Certificate of India. If not present locally in the verification system, it can be downloaded from http://cca.gov.in. In the case of application based verification, applications need to make available the Root Certificate to the verification component.

How can a digitally signed document be verified after the DSC associated with the Public Key has expired?

Ans. The digital signature verification process for a document requires the signer's public key, issuer certificates and their CRLs. CA will make available the issuer certificates and CRLs till the expiry of DSCs. For the requirements of verification beyond expiry of DSCs, the application should therefore have a provision to locally store DSCs issuer certificate and their CRL's at the time when the document was digitally signed.To enable the verification of documents long time after the affixing of signature, it is recommended to use long term archival signature format for the signature

Certifying Authority

What is the role of RA in the DSC issuance process?

Ans. RA interacts with the DSC applicants for collection of documents and help them for submission of DSC application and in some cases for obtaining and using hardware Crypto device. CAs are responsible for verification and issuance of DSC to applicant. The responsibilities of an organisational RA are different from these of an RA which deals with individuals claiming no organisational affiliation.

What happens if a CA goes out of business? What happens to earlier transactions? Does this not create a
legal and financial problem?

Ans. Prior to cessation of operations the CA has to follow procedures as laid down under the IT Act. The CA needs to revoke all the valid certificates prior to its closure. The subscriber has to get a new Digital Signature Certificate from other Licensed CA. Signature carried out by subscriber prior to the revocation of his certificate will remain valid. The signatures are validated with respect to validity of certificate at the time of affixing of signature.

Whether it is mandatory for CAs to keep the DSC application form for 7 years after expiry of DSC?

Ans. Yes