Digital Signature & Indian IT Act 2000
With highest respect for the esteemed Parliament that passed the IT Act 2000 and HE the Hon. President of India, who approved the same, here are some truths that might shock you.
Alice's digital signature does not prove that Alice signed the message, only that her private key did. When writing about non-repudiation, cryptographic theorists often ignore a messy detail that lies between Alice and her key: her computer. If her computer were appropriately infected, the malicious code could use her key to sign documents without her knowledge or permission. Even if she needed to give explicit approval for each signature (e.g., via a fingerprint scanner), the malicious code could wait until she approved a signature and sign its own message instead of hers. If the private key is not in tamper-resistant hardware, the malicious code can just steal the key as soon as it's used.
While it is legitimate to ignore such details in cryptographic research papers, it is just plain wrong to assume that real computer systems implement the theoretical ideal. Our computers may contain viruses. They may be accessible to passers-by who could plant malicious code or manually sign things with our keys. Should we then need to deny some signature, we would have the burden of proving the negative: that we didn't make the signature in question against the presumption that we did.
The main risk in believing this popular falsehood stems from the cryptographic concept of ``non-repudiation''.
Public-key infrastructure has been oversold as the answer to many network security problems. We discuss the problems that PKI doesn't solve, and that PKI vendors don't like to mention.
Worst of all is if a country's laws are made to make you liable (legally ) if your private key is used to sign a document! (See S 42 IT Act. For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.)
Inspite of the "Controller of Certifying Authority" and the CA certifying the digital signature, the total risks involved and the financial injury sufferred by the citizen in accepting the digital signature is entirely with the person accepting the digital signature and NOT with the CA or CCA even if it was proved that it was due the mistake of the CA or CCA. (This requires a detailed future post.)
That is what Indian IT Act 2000 does, i.e fixes the liability on the one who accepts the digital signature. That is, do it at your risk! The only way to escape the misplaced legal liability is
- Never get your key certified by a Certifying Authority.
- Never get your public key published for the benefit of the public.
- Never accept digital signature for things that involve legal liability.
- This does not prevent using digital signature between two trusted friends or partners.
If this shocks you, you are not alone. There are many who will be shocked. The best service you can do them is by inviting them to this blog.
The modern day Guru of Cryptography, Bruce Schneier, will convince you how patently ill-conceived the Act is in one short essay here: Ten Risks of PKI
P.S:
- If you have not heard of Bruce Schneier, your opinions about Computer Security is not worth knowing, or perhaps dangerous. You are like the Catholic Priest who has not heard of the Pope!
- If your opinion differ from that of Bruce, one of you (you or Bruce) must be wrong. And, without much debate, you must be wrong.
- If you don't read his Schneier on Security , you better not misguide the society into believing that you are a computer security expert!
posted by CPC Nath @ 9:31 AM
1 comments
1 Comments:
The above information is quite confusing for me. I am not able to understand the legal aspects of digital signatures and what this act holds. But thanks for sharing it.
electronic signature software
Post a Comment
<< Home