Guidelines for Usage of Digital Signatures in e-Governance

1 way or 2 way SSL to ensure secure communication of data over the
network.
Encryption Certificates
Encryption Certificates are used to encrypt the message. The Encryption
Certificates use the Public Key of the recipient to encrypt the data so as
to ensure data confidentiality during transmission of the message.
Separate certificates for signatures and for encryption are available from
different CAs.
5.4 Certificate Revocation
Digital Signature Certificates are issued with a planned lifetime, which is defined through a validity start date and
an explicit expiration date. A certificate may be issued with a validity of upto two years. Once issued, a
Certificate is valid until its expiration date.
However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity
period. Such circumstances include change of name (for example, change the subject of a certificate due to an
employee’s change of name), change of association between subject and CA (for example, when an employee
terminates employment with an organization), and compromise or suspected compromise of the corresponding
private key. Under such circumstances, the issuing CA needs to revoke the certificate.
In case a Digital Signature Certificate is compromised, one should immediately contact the respective CA to
initiate revocation. The CA will then put the certificate in the Certificate Revocation List. We need to have
necessary processes in place defining the roles and responsibility of various government officials for the usage
of Digital Signature and their revocation.
5.5 Certificate Revocation List (CRL)
A CRL is a list identifying revoked certificates, which is signed by a CA and made freely available at a public
distribution point. The CRL has a limited validity period, and updated versions of the CRL are published when
the previous CRL’s validity period expires. Before relying on a signature the CRL should also be checked to
ensure that the corresponding DSC has not been revoked.
5.6 Digital Signature Certificate Verification
Digital Signature Certificates are verified using a Chain of trust. The trust anchor for the Digital Certificate is the
Root Certifying Authority (CCA in India). A root certificate is the top-most certificate of the hierarchy, the private
key of which is used to "sign" other certificates. All certificates immediately below the root certificate inherit the
trustworthiness of the root certificate. Certificates further down the tree also depend on the trustworthiness of
the intermediates (often known as "subordinate certification authorities").
The Digital Certificate verification process is a recursive process in which the program verifying the end user
certificate verifies the validity of the certificate of the issuing authority until it finds a valid certificate of a trusted
party. On successful verification of the trusted party Certificate, the Digital Certificate verification stops. In case a
trusted party Certificate is not found by the program, the Digital Certificate verification process ends in failure.
12