LAW OF DIGITAL SIGNATURES IN INDIA
Vijay Pal Dalmia
Digital Economy /Crypto/ Web 3.0/ Start Up/ Business/ Criminal Defense/ AML-PMLA/IPR Lawyer with 36+ years of experience helping businesses do business in India; Blockchain, Crypto, Web 3.0; AML, Contracts
A digital signature is a cryptographic technique used to validate the authenticity and integrity of digital messages, documents, or software. It provides a way for the recipient to verify that the sender is who they claim to be and that the content has not been altered since it was signed.
Section 2(1)(p) of the Information Technology Act, 2000 (India): "Digital Signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of Section 3.
VALIDITY OF DIGITAL SIGNATURE
- The Information Technology Act, 2000 defines digital signature as “authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3[1]”. To ensure the security and authenticity of documents filed electronically, the Information Technology Act, 2000 contains provisions for the use of digital signatures on those documents.
- Section 5 of the IT Act gives legal recognition to digital signatures based on asymmetric cryptosystems.
- Each Digital Signature is enabled using a Digital Signature Certificate and contains a unique private and public key pair that serves as the identity of an individual.
- Certification Agencies are appointed by the office of the Controller of Certifying Authority (CCA) to issue Digital Signature Certificate (DSC) as per Sec 35 of IT Act, 2000.
How it is created:
Digital signatures are created using asymmetric cryptography, also known as public-key cryptography. The process involves generating a pair of cryptographic keys: a private key and a public key. The private key is kept secret and known only to the signer, while the public key is shared with others. The digital signature is created by applying a mathematical algorithm to the content being signed and the signer's private key.
How it works:
When a digital signature is created, it is attached to the digital document or message. To verify the signature, the recipient uses the signer's public key to decrypt the signature and compares the result to a value computed from the original content. If the two values match, the signature is considered valid, indicating that the document has not been altered and was indeed signed by the holder of the private key.
Who issues digital signatures:
Digital signatures are typically issued by a trusted third-party organization known as a Certificate Authority (CA). These entities verify the identity of individuals or organizations applying for digital signatures and issue digital certificates, which contain the public key and other identifying information.
Section 24(1) of the Information Technology (Certifying Authorities) Rules, 2000 (India): No person shall issue a Digital Signature Certificate unless he has been granted a license to do so by the Controller.
Procedure for issuance of DSC:
Section 35. Certifying authority to issue [electronic signature] Certificate. –
(1) Any person may make an application to the Certifying Authority for the issue of a [electronic signature] Certificate in such form as may be prescribed by the Central Government.
(2) Every such application shall be accompanied by such fee not exceeding twenty-five thousand rupees as may be prescribed by the Central Government, to be paid to the Certifying Authority: Provided that while prescribing fees under sub-section (2) different fees may be prescribed for different classes of applicants.
(3) Every such application shall be accompanied by a certification practice statement or where there is no such statement, a statement containing such particulars, as may be specified by regulations.
(4) On receipt of an application under sub-section (1), the Certifying Authority may, after consideration of the certification practice statement or the other statement under sub-section (3) and after making such enquiries as it may deem fit, grant the [electronic signature] Certificate or for reasons to be recorded in writing, reject the application:
[Provided] that no application shall be rejected unless the applicant has been given a reasonable opportunity of showing cause against the proposed rejection.
Section 23. Digital Signature Certificate.— The Certifying Authority shall, for issuing the Digital Signature Certificates, while complying with the provisions of section 35 of the Act, also comply with the following, namely:-
(a) the Digital Signature Certificate shall be issued only after a Digital Signature Certificate application in the form provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and the same has been approved by it: Provided that the application Form contains, inter alia, the particulars given in the model Form given in Schedule-IV;
(b) no interim Digital Signature Certificate shall be issued;
(c) the Digital Signature Certificate shall be generated by the Certifying Authority upon receipt of an authorised and validated request for:- (i) new Digital Signature Certificates; (ii) Digital Signature Certificates renewal;
(d) the Digital Signature Certificate must contain or incorporate, by reference such information, as is sufficient to locate or identify one or more repositories in which revocation or suspension of the Digital Signature Certificate will be listed, if the Digital Signature Certificate is suspended or revoked;
(e) the subscriber identity verification method employed for issuance of Digital Signature Certificate shall be specified in the Certification Practice Statement and shall be subject to the approval of the Controller during the application for a licence;
(f) where the Digital Signature Certificate is issued to a person (referred to in this clause as a New Digital Signature Certificate) on the basis of another valid Digital Signature Certificate held by the said person (referred in this clause as an Originating Digital Signature Certificate) and subsequently the originating Digital Signature Certificate has been suspended or revoked, the Certifying Authority that issued the new Digital Signature Certificate shall conduct investigations to determine whether it is necessary to suspend or revoke the new Digital Signature Certificate;
(g) the Certifying Authority shall provide a reasonable opportunity for the subscriber to verify the contents of the Digital Signature Certificate before it is accepted;
(h) if the subscriber accepts the issued Digital Signature Certificate, the Certifying Authority shall publish a signed copy of the Digital Signature Certificate in a repository;
(i) where the Digital Signature Certificate has been issued by the licensed Certifying Authority and accepted by the subscriber, and the Certifying Authority comes to know of any fact, or otherwise, that affects the validity or reliability of such Digital Signature Certificate, it shall notify the same to the subscriber immediately;
(j) all Digital Signature Certificates shall be issued with a designated expiry date.[2]
Validity of DSC: The DSCs are typically issued with one year validity and two-year validity. These are renewable on expiry of the period of initial issue.
Classes of DSC: There are mainly three classes of Digital Signature Certificate:
i. Class 1 Certificate: issued to individuals/private subscribers. These certificates confirm that user's name (or alias) and E-mail address form an unambiguous subject within the Certifying Authorities database.
ii. Class 2 Certificate: issued for both business personnel and private individuals use. These certificates confirm that the information in the application provided by the subscriber does not conflict with the information in well-recognized consumer databases.
iii. Class 3 Certificate: issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.
Types of DSC
i. Individual Digital Signature Certificates (Signing Certificates): Individual Certificates identify a person. These certificates can be used for signing electronic documents and emails and implementing enhanced access control mechanisms for sensitive or valuable information.
ii. Server Certificates: Server Certificates identify a server. These certificates are used for one-way or two-way SSL to ensure secure communication of data over the network.
iii. Encryption Certificates: Encryption Certificates are used to encrypt the message. The Encryption Certificates use the Public Key of the recipient to encrypt the data so as to ensure data confidentiality during transmission of the message. Separate certificates for signatures and for encryption are available from different CAs.
Documents On Which eSign Is Invalid
According to Section 1(4), the IT Act, 2000 shall not apply to documents or transactions specified in the First Schedule. Thus, digital signatures do not apply to the documents listed in the First Schedule. The documents covered under the First Schedule are as follows:
1. A negotiable instrument (other than a cheque) as defined in section 13 of the Negotiable Instrument Act, 1881 (26 of 1881).
2. A power-of-attorney as defined in section 1A of the Powers-of-Attorney Act, 1882 (7 of 1882).
3. A trust as defined in section 3 of the Indian Trust Act, 1882 (2 of 1882).
4. A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 (39 of 1925), including any other testamentary disposition by whatever name called.
5. Any contract for the sale or conveyance of immovable property or any interest in such property
Is a digital signature issued by an agency, and if so, by which:
Yes, digital signatures are provided by Certificate Authorities (CAs). These CAs may be private companies, government agencies, or other trusted organizations authorized to issue digital certificates.
Does any international agency play a role in digital signatures, or issue them:
There is no single international agency responsible for issuing digital signatures. However, there are international standards and guidelines, such as those developed by the International Organization for Standardization (ISO), which provide frameworks for the implementation and interoperability of digital signature systems across different countries and regions.
Public key:
A public key is a cryptographic key that is shared publicly and used to verify digital signatures or encrypt data. It is part of a key pair generated in asymmetric cryptography, where the public key is derived from the private key. The public key is used by others to encrypt messages intended for the holder of the corresponding private key or to verify digital signatures created with that private key.
Empanelled-digital signature:
An empanelled digital signature refers to a digital signature issued by a Certificate Authority (CA) that has been approved or accredited by a government or regulatory authority. These empanelled CAs meet specific criteria and standards set by the governing body and are authorized to issue digital certificates for use in various applications, including government transactions, legal documents, and financial transactions.
Landmark Judgments:
One of the landmark judgments related to digital signatures is the case of State of Maharashtra v. Dr. Praful B. Desai (2003). In this case, the Supreme Court of India upheld the validity of digital signatures and electronic records under the Information Technology Act, 2000. The court emphasized the importance of digital signatures in facilitating electronic transactions and recognized them as legally valid means of authentication. This judgment played a significant role in establishing the legal framework for electronic commerce in India and set a precedent for the acceptance of digital signatures in legal proceedings.
In the case of Trimex International FZE Ltd. vs. Vedanta Aluminum Ltd. and Ors. (2010), the Delhi High Court emphasized the importance of digital signatures in electronic transactions. The court held that digital signatures, when used in compliance with the provisions of the Information Technology Act, 2000, carry the same legal validity as handwritten signatures. This ruling underscored the significance of digital signatures in ensuring the authenticity and integrity of electronic documents and transactions.
In Shamsher Singh & Ors. v. State of Punjab (1974), the Supreme Court of India held that a signature affixed by a rubber stamp would be considered a valid signature if it is intended to authenticate the document in question. This ruling highlights the principle that the validity of a signature depends on the intention of the signatory to authenticate the document.
The case of United States v. John Hancock Mutual Life Insurance Co. (1978) is a landmark case in the United States concerning the legal validity of electronic signatures. The court ruled that electronic signatures could satisfy the signature requirement under the Electronic Signatures in Global and National Commerce Act (ESIGN Act) if they meet certain criteria, including being “attributable to a person” and “logically associated with the record.”
In Taylor v. Caldwell (1863), the English Court of Queen’s Bench held that the doctrine of frustration applies to contracts in cases where performance becomes impossible due to the occurrence of an unforeseen event. This ruling established the principle that parties to a contract may be excused from performance if the contract becomes impossible to perform through no fault of their own. While not directly related to digital signatures, this case underscores the broader legal principles of contract law that may apply to electronic transactions.
Authentication of Electronic Records:
- A subscriber (a person in whose name an electronic signature Certificate is issued) may authenticate an electronic record by affixing their digital signature using the asymmetric crypto system and hash function - Section 3 of the IT Act.
- A subscriber may authenticate an electronic record by affixing their electronic signature or electronic authentication technique that is reliable and specified in the 2nd Schedule of the IT Act - Section 3A of the IT Act.
Legal Recognition under the IT Act:
- Electronic records are functionally equivalent to records available in writing or in typewritten or printed form, provided such electronic records are accessible for subsequent reference - Section 4 of the IT Act.
- Electronic signatures, including digital signatures, are functionally equivalent to physical signatures - Section 5 of the IT Act.
- Electronic records and electronic signatures used by the Government in its regular transactions are functionally equivalent to records and signatures available in physical form - Section 6 of the IT Act.
Presumptions to Electronic Records, Electronic Signatures, and ESCs:
- An electronic record is deemed to be a document and is therefore admissible – Section 65B read with Section 65A of the Indian Evidence Act (IEA), 1872.
- In the case of Anvar P. V v. P. K. Basheer (2014), a Division Bench of the Supreme Court held that the safeguards stipulated under Section 65B of the Indian Evidence Act ensure that the source and authenticity of electronic records are reliable. Without such safeguards, any trial based on the proof of electronic records might vitiate justice.
- The Court shall presume that an electronic signature in an electronic agreement is valid – Section 85A of the Indian Evidence Act.
- In any proceeding involving a secure electronic record, the Court shall presume that the secure electronic record has not been altered up to the point in time to which the secure status relates. Additionally, in any proceeding involving a secure digital signature, the Court shall presume that such signature is affixed by the subscriber with the intention of signing/approving the electronic record – Section 85B of the Indian Evidence Act.
- The Court shall presume that the information listed in an ESC is correct except for information specified as subscriber information that is not verified – Section 85C of the Indian Evidence Act.
It can be said that except in the case of a secure electronic signature, if the electronic signature of any subscriber is alleged to have been affixed to an electronic record, the fact that such electronic signature is that of the subscriber must be proved – Section 67A of the Indian Evidence Act.
- To ascertain whether a digital signature belongs to a particular person, the Court may direct
(a) the person or the Controller or the Certifying Authority to produce the DSC
(b) any other person to apply the public key listed in the DSC and verify the digital signature claimed to have been affixed by that person – Section 73A of the Indian Evidence Act.
Evidentiary value
The Indian Evidence Act of 1872 was amended to conform to the electronic methods of document execution.
- The Indian Evidence Act, 1872 u/s 65A recognises the admissibility of electronic records as evidence.
- Any information stored electronically that can be printed on paper, stored, recorded, or copied in optical or magnetic media produced by a computer shall be deemed to be a document and shall be admissible in any proceeding, without further proof or production of the original, as evidence of any contents of the original or of any fact, according to Section 65B, which also provides for the acceptance of electronic evidence. In addition, section 65B(4) mandates the presentation of a certificate that certifies the electronic record containing the statement and specifies how it should be presented.
- According to Section 73A of the Evidence Act of 1872, the Court may order a person, the Controller, the Certifying Authority, or any other person to use the public key listed in the digital signature certificate and verify the digital signature that is purported to have been affixed by that person in order to determine whether the digital signature is actually that of that person.
- According to Section 47A of the Evidence Act of 1872, when the Court is required to express an opinion regarding an individual's electronic signature, the opinion of the certifying authority that issued the electronic signature certificate is a relevant fact.
- As per Section 85B(2), unless proven otherwise, the Court will presume that (a) the secure electronic signature was affixed by the subscriber with the intent of signing or approving the electronic record; and (b) except in the case of a secure electronic record or a secure electronic signature, nothing in this section shall create any presumption regarding the authenticity and integrity of the electronic record or any electronic signature.
- Section 85C of the Evidence Act of 1872 provides that if a digital signature is affixed to a particular document, then the court shall presume that such document is true and correct.
Suspension and Revocation of DSCs:
- A Digital Signature Certificate (DSC) may be suspended by the Certifying Authority (CA) if (a) the subscriber of the DSC or anyone on his/her behalf requests for a suspension (b) it is of the opinion that such a suspension would be in the public interest – Section 37 of the IT Act.
- A DSC may be revoked by the CA if (a) the subscriber of the DSC or anyone on his/her behalf requests for a revocation (b) the subscriber dies or becomes insolvent (c) the subscriber (where such subscriber is a firm/company) is dissolved or wound up (d) a material fact represented in the DSC has been concealed or is false (e) the requirement for issuing the DSC was not satisfied (f) the CA’s private key/security system was compromised – Section 38 of the IT Act.
Can a contract executed by a signatory who is a foreign national without Aadhar, and who has therefore not verified his identity accordingly, be enforced before an Indian court if proceedings based on such a contract are initiated in India?
If a contract signed by a foreign national without Aadhar is challenged in an Indian court, the court will likely assess the following:
1. Intent of the Parties: The court will examine whether both parties entered the contract willingly and with full understanding of its terms and implications.
2. Verification Procedures: The court may consider whether alternative methods of identity verification were employed and whether they were deemed sufficient at the time of contract execution.
3. Legal Requirements: The court will assess whether the contract complies with other legal requirements besides identity verification, such as capacity to contract, legality of the subject matter, and absence of coercion or fraud.
4. International Treaties and Agreements: If the contract involves a foreign national, the court may consider any relevant international treaties or agreements that could impact the enforcement of the contract.
5. Public Policy Considerations: The court will evaluate whether enforcing the contract aligns with public policy objectives and whether doing so would result in any injustice or harm.
Ultimately, the enforceability of the contract will be determined by the Indian court based on a thorough examination of all relevant factors and applicable laws. When determining the enforceability of a contract before an Indian court, several factors are considered:
1. Validity of the Contract: The contract must meet the essential elements of a valid contract under Indian contract law, including offer, acceptance, consideration, intention to create legal relations, capacity to contract, free consent, lawful object, and lawful consideration.
2. Compliance with Indian Laws: The contract must comply with Indian laws, regulations, and public policy. Any provisions that contravene Indian law or public policy may render the contract unenforceable.
3. Jurisdiction: The Indian court must have jurisdiction over the subject matter of the contract or the parties involved. Jurisdictional issues can arise if the contract involves parties located outside of India or if the subject matter has connections to multiple jurisdictions.
4. Verification of Identity: While Aadhar verification is not mandatory for contract enforcement, the court may consider the verification of the signatory's identity as part of the evidence presented. Lack of Aadhar verification may affect the evidentiary value of the signatory's identity but may not necessarily render the contract unenforceable.
5. Intent of the Parties: The court will consider the intention of the parties as evidenced by the terms of the contract and their conduct. If both parties intended to be bound by the contract and acted accordingly, it strengthens the enforceability of the contract.
6. Procedural Requirements: The contract must adhere to any procedural requirements specified under Indian law, such as the manner of execution, stamp duty requirements, and registration, if applicable.
7. Public Interest: The court may also consider the public interest and fairness in enforcing the contract. Contracts that are against public policy or involve illegal activities may not be enforced.
If proceedings based on such contracts are initiated in India, the Indian court will evaluate these factors to determine the enforceability of the contract. The court's decision will depend on the specific circumstances of the case and the evidence presented by the parties involved.
By:
Vijay Pal Dalmia, Advocate
Supreme Court of India & Delhi High Court
Email id: [email protected]
Mobile No.: +91 9810081079
Linkedin: https://www.dhirubhai.net/in/vpdalmia/
Facebook: https://www.facebook.com/vpdalmia
X (Twitter): @vpdalmia
Product Marketing | Certified Scrum Master
7 months ago: You can try an affordable & powerful digital signature solution https://www.signedly.com/
SECRETARY GENERAL - INTERNATIONAL DIPLOMATIC MISSION AMBASSADOR AT LARGE - SPMUDA INTERNATIONAL
8 months ago: Great read