Digital Signature

Posted on by user

Introduction

Digital signature is a foundational construct of India’s digital-transaction architecture: it is the cryptographic attestation attached to an electronic record that links that record to the signatory, and is designed to guarantee integrity, authentication and non-repudiation. For transactional lawyers, litigators and compliance counsel, mastery of the legal, technical and evidentiary anatomy of digital signatures is essential: they determine enforceability of contracts executed electronically, admissibility of electronic evidence, and risk allocation where keys are compromised.

Core Legal Framework

  • Primary statute: Information Technology Act, 2000 (IT Act).
  • Definition and legal recognition: The IT Act recognises electronic records and electronic signatures as substitutes for paper and wet ink. See in particular:
    • Section 4 — legal recognition of electronic records (an obligation in writing is satisfied when rendered in electronic form and usable for subsequent reference).
    • Section 5 — legal recognition of electronic signatures (where law requires a signature, that requirement is met if an electronic signature is used in the prescribed manner).
    • The Act’s definitions (chapter I, Section 2) and the Rules made under the Act treat “digital signature” as a species of electronic signature — essentially “authentication of any electronic record by a subscriber” by electronic techniques.
  • Regulatory frame:
  • Information Technology (Certifying Authorities) Rules, 2000 — set out the regime for issue, suspension and revocation of Digital Signature Certificates (DSCs) and the obligations of Certifying Authorities (CAs).
  • Controller of Certifying Authorities (CCA) / Certifying Authority rules and standards — CAs must be recognised/empanelled under the IT Act framework; their policies determine issuance, identity-proofing and audit.
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — set expectations for security practices which intersect with key management and private-key protection.
  • Evidence law:
  • Indian Evidence Act, 1872 — Section 65B is pivotal for the admissibility of electronic records in court: it mandates a certificate describing the electronic record and compliance with prescribed conditions, typically required when an electronic record is produced as secondary evidence.

Practical Application and Nuances

How digital signatures work in practice (technical anatomy, in lawyer-friendly terms)
– Public Key Infrastructure (PKI). A digital signature uses asymmetric cryptography: the signer’s private key signs (creates a signature) and the public key verifies signature integrity. A Digital Signature Certificate (DSC) binds the public key to the identity of the subscriber (individual or entity) and is issued by a Certifying Authority.
– Types and assurance levels:
– Class-wise distinctions (as commonly used in India): Class 2 (routine transactions; name and email verification), Class 3 (higher assurance; in-person verification). The CA’s policy and client requirements determine which class is appropriate.
– Device-based security: tokens (USB/Smartcards), HSM-backed keys, or cloud-based key storage (eSign / Aadhaar-based signing).
– Signature artefacts lawyers must preserve: the signed electronic file (container), signature block (.p7m/.p7s), signing certificate(s), certificate chain, timestamp token (if present), and verification logs (OCSP / CRL responses).

Using digital signatures in daily courtroom and transactional practice
– Contracting and corporate documents:
– Draft express e-signature clauses that state acceptance of DSC/eSign and the mode(s) permitted. Explicitly allocate risk for key compromise and specify notice/verification procedures.
– For high-value or nuanced instruments (e.g., share transfers, certain statutory filings, or documents requiring physical attestation), confirm statutory permissibility: while IT Act gives recognition, certain laws or registries may have specific procedural requirements (registration laws, stamp/registration formalities, Powers of Attorney/attestation requirements). Advise clients to confirm with the registering authority.
– Court filings and procedural practice:
– Many courts accept e-filing and document signing by DSCs. Check local High Court/Tribunal rules: some permit scanned signatures plus DSC for index and cause-listing, others require DSC-signed PDFs or e-vakalatnama signed with a DSC.
– Preserve original signed electronic file and metadata — courts scrutinise authenticity and chain of custody.
– Evidence and proof:
– When relying on an electronically signed document as evidence, obtain the DSC files and a certificate under Section 65B (Indian Evidence Act) where necessary. Practically, always preserve:
– The signed file in original form.
– A certificate (from the person or official custodian) as required under Section 65B(4) (detailing the device, process of creation, and integrity).
– Verification report from the CA if needed (certificate validity, revocation status at the signing time).
– Verifying a digital signature (practitioner checklist):
1. Verify that the signing certificate was issued by a CCA-recognised Certifying Authority.
2. Check certificate validity dates — sign-time must fall within validity.
3. Confirm absence of revocation at sign-time — CRL/OCSP checks and archived responses are crucial.
4. Verify the signature cryptographically (most PDF viewers, signature-verify tools show validity).
5. Confirm signer identity maps to the claimed signatory (legal person vs signatory’s email).
6. Look for a trusted timestamp (RFC 3161 token) — this fixes signing time even if certificate later expired or was revoked.
7. Preserve logs, signed container and signature-values as chain-of-custody evidence.

Concrete examples (how issues present themselves in practice)
– Disputed identity: Client receives an executed agreement; the signature appears via DSC but the signer denies signing. Fix: obtain CA verification (certificate details) and OCSP/CRL for the signing time; if the private key was fraudulently used, evidence of identity-proofing at issuance (documents used by CA) becomes central.
– Challenge to admissibility: Opponent objects to the electronic document as secondary evidence. Fix: procure a Section 65B certificate and demonstrate compliance with prescribed rules; preserve original signed container and device logs.
– Revocation issues: A certificate is revoked post-signing. Fix: obtain archived OCSP/CRL showing that at the signing time the certificate was valid; if no archived responses are available, a trusted timestamp becomes decisive.

Landmark Judgments

  • Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473 — The Supreme Court held that admissibility of electronic records is governed strictly by Section 65B of the Evidence Act: a certificate conforming to Section 65B is ordinarily required for admissibility of electronic records produced as secondary evidence. The decision emphasises the need for compliance with statutory formalities when relying on electronic documents.
  • Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal & Ors., (2020) 2 SCC 1 — This decision revisited questions on admission of electronic records under Section 65B and clarified procedural aspects around production of electronic records and certificates; practitioners must read it alongside Anvar to understand when production of primary electronic devices or originals may affect the requirement for a 65B certificate. (Practical note: after these decisions, courts expect rigorous compliance with the Evidence Act’s scheme and careful preservation/production of electronic records and certificates.)

Strategic Considerations for Practitioners

For prosecuting or defending a case where digital signatures matter:
– Offensive strategy (to prove authenticity):
– Early preservation: Immediately collect the signed file, signature container (.p7m/.p7s), signer’s certificate, signing-time evidence (timestamp tokens), OCSP/CRL responses, CA logs and any server logs.
– Obtain a 65B certificate where applicable, and be ready to call the CA or custodian for evidence on issuance and verification.
– Use expert evidence focused and narrowly tailored to explain cryptographic verification to judges.
– Defensive strategy (to challenge digital signature validity):
– Attack identity-proofing at issuance (poor KYC by CA), procedural gaps in CA’s Relying Party Agreement, or gaps in sign-time evidence (no timestamp).
– Challenge the chain of custody — whether the signed file was tampered with or the private key compromised.
– Seek OCSP/CRL contemporaneous evidence showing revocation or misuse at time of signing.
– Transactional best practices (drafting and risk allocation):
– Include express acceptance of electronic signatures, specification of acceptable signing methods (DSC classes, eSign with Aadhaar or cloud HSM), and a clause stating that electronic certificates and digitally signed documents are equivalent to “originals”.
– Require delivery of the signature certificate and relevant verification evidence on execution; mandate immediate notice of key compromise or revocation.
– Include contractual indemnities for misrepresentations about signer identity and warranties about key security.
– Common practitioner pitfalls:
– Treating a scanned image of a signature as a digital signature — a scanned image offers no cryptographic assurances.
– Failing to collect timestamp tokens, CRL/OCSP responses and CA logs at the earliest possible time.
– Overlooking local court / registry rules that prescribe a specific form of electronic signing or have exceptions for certain documents.
– Assuming all CAs provide equal assurance — check CA accreditation, issuance policy and audit trail.

Conclusion

Digital signatures are legally potent and practically indispensable for modern Indian practice. The Information Technology Act gives them statutory force, and the Evidence Act’s Section 65B governs their admissibility. For practitioners the task is practical and twofold: (1) ensure electronic signatures are created and preserved in a manner that will satisfy technical verification and evidentiary tests (certificate validity, revocation history, timestamping, CA provenance and chain of custody); and (2) draft transactional protections and litigative strategies that anticipate attacks on identity, key compromise and evidentiary gaps. In litigation, preservation and early collection of DSC artefacts and Section 65B-compliant certification are decisive; in transactions, clear contractual clauses and appropriate choice of signing mechanism (class and storage of keys) will manage enforceability and risk.