Currently, many applications or forms submitted by a citizen require the citizen's physical signature. A digital signature takes the concept of traditional paper-based signing and turns it into an electronic "fingerprint." This "fingerprint," or coded message, is unique to both the document and the signer and binds them together. In short, a digital signature has the same function as a handwritten signature. Some of the salient features of a digital signature are non-repudiation, integrity and authenticity. The Information Technology Act 2000 provides the required legal sanctity to digital signatures based on asymmetric crypto systems.
The Government of India, vide its Gazette Notification (REGD. NO. D. L.-33004/99 dated 28th January 2015), has announced a method that enables a Certifying Authority to offer the eSign service to citizens who have an Aadhaar ID.
The objective of the eSign service is to offer an online service to citizens for instantly and securely signing their documents in a legally acceptable form. The two major challenges involved are (a) authentication of the user and (b) a trusted method of signing. Aadhaar-based authentication addresses the first challenge, and Public Key Infrastructure (PKI) is used to securely sign the user's document and establish trust.
Citizens with an Aadhaar ID will be able to upload their documents to the eSign service to have them digitally signed. At the backend, the user is validated using the Aadhaar service, a key pair (a public key and a private key) is generated for the user, and the document is signed. The user is provided with the digitally signed document and the Digital Signature Certificate.
C-DAC, through its e-Hastakshar initiative, enables citizens with a valid Aadhaar ID and a registered mobile number to carry out digital signing of their documents online.
Easy and secure way to digitally sign information anywhere, anytime - eSign is an online service that requires no physical dongles and offers application service providers the functionality to authenticate signers and perform the digital signing of documents using the Aadhaar e-KYC service.
Facilitates legally valid signatures - The eSign process involves consumer consent, Digital Signature Certificate generation, Digital Signature creation and affixing, and Digital Signature Certificate acceptance in accordance with the provisions of the Information Technology Act. Compliance is enforced through the API specification and the licensing model of the APIs, and comprehensive digital audit trails, established to confirm the validity of transactions, are also preserved.
Flexible and easy to implement - eSign provides configurable authentication options in line with the Aadhaar e-KYC service and also records the Aadhaar ID to verify the identities of signers. The signature options include biometric or OTP authentication (optionally with PIN) through a mobile number registered in the Aadhaar database. eSign gives millions of Aadhaar holders an easy way to access a legally valid Digital Signature service.
Respecting privacy - eSign ensures the privacy of the consumer by submitting only the thumbprint (hash) of the document for the signature function instead of the whole document.
Secure online service - The eSign service is governed by e-authentication guidelines. While authentication of the signer is carried out using Aadhaar e-KYC, the signature on the document is carried out on a backend server, which is the eSign provider. eSign services are offered by a trusted third-party service provider, currently a Certifying Authority. To enhance security and prevent misuse, certificate holders' private keys are created on a Hardware Security Module (HSM) and destroyed immediately after one-time use.
eSign API and Gateway - The eSign Application Programming Interfaces (APIs) define the major architectural components and describe the format and elements of communication among stakeholders such as the Application Service Provider, Certifying Authorities, Trusted Third Parties, the Aadhaar e-KYC service and the Application Gateway. This standard enables Application Service Providers to integrate the eSign API into their applications with less effort. C-DAC functions as an eSign Gateway provider.
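The "Respecting privacy" and "Secure online service" points above can be seen together in a small flow. This is an added example, not C-DAC's eSign API: the function names are hypothetical, it assumes the `openssl` CLI, a temporary directory stands in for the HSM, and Aadhaar authentication and certificate issuance are left out (a bare public key takes the place of the Digital Signature Certificate).

```shell
#!/bin/sh
# Added illustration of hash-only signing with a one-time key; not the eSign API.
# Assumes the openssl CLI; a temp directory stands in for the provider's HSM.

# ASP side: only this 32-byte SHA-256 digest is sent; the document stays local.
asp_hash() {  # asp_hash <document> <hash-out>
    openssl dgst -sha256 -binary "$1" > "$2"
}

# Provider side: create a key pair, sign the received hash, export the public
# key, then destroy the private key so it can never sign anything else.
provider_sign() {  # provider_sign <hash-in> <sig-out> <pubkey-out>
    keydir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$keydir/priv.pem" 2>/dev/null &&
    openssl pkey -in "$keydir/priv.pem" -pubout -out "$3" &&
    openssl pkeyutl -sign -inkey "$keydir/priv.pem" \
        -pkeyopt digest:sha256 -in "$1" -out "$2"
    rc=$?
    rm -rf "$keydir"   # one-time use: the private key does not outlive the call
    return $rc
}

# Relying party: recompute the hash from the full document, check the signature.
verify_doc() {  # verify_doc <document> <sig> <pubkey>
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# Constructed demo: sign a sample form, then alter it after signing.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Constructed sample application form\n' > "$d/doc.txt"
    asp_hash "$d/doc.txt" "$d/doc.hash" &&
    provider_sign "$d/doc.hash" "$d/doc.sig" "$d/pub.pem" &&
    verify_doc "$d/doc.txt" "$d/doc.sig" "$d/pub.pem" &&
    echo "original: signature valid"
    printf 'altered after signing\n' >> "$d/doc.txt"
    verify_doc "$d/doc.txt" "$d/doc.sig" "$d/pub.pem" ||
    echo "altered copy: signature rejected"
    rm -rf "$d"
}
demo
```

The provider never receives `doc.txt`, yet the signature still binds to the full document because the relying party recomputes the same hash before verifying.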
eSign has a flexible subscription model for individual users, business entities and governments. eSign based on OTP (optionally with PIN) level authentication is suitable where the risks and consequences of data compromise are low and are not considered to be of major significance. eSign based on biometric (fingerprint/iris) level authentication is ideal where the risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial.