Sunday, November 24, 2013

Digital signatures will be available in Token Only

Certifying Authority Of India ( CCA) is making mandatory for downloading  Digital Signature only in the Cryptographic USB Token, which shall have FIPS 140 level certification. Copy of CCA order  dated 25th October 2013 is reproduced herewith for your reference. This amendment in issuing process of DSC will
have an extra cost burden though initially it may be a one time cost  in addition to waiting period involved in the movement of token.This order needs to reviewed:

F.No. CCA/DC (T)/2013-98 (pt.)
Government of India
Ministry of Communications & Information Technology
Department of Electronics & Information Technology
Office of Controller of Certifying Authorities
New Delhi
                                                                                                                           25th October 2013
OFFICE ORDER
The Security of Private Keys Corresponding to the DSCs being issued by Certifying Authorities (CA) to subscribers has always been matter of concern. In this regard the Certificate policy pertaining to India PKI lays down the technical security controls for the key pair generation and installation (Section 6 of India PKI CP Version 1.1). Detailed instructions were also issued on vide our letter No. 13(2)/2009-CCA dated 23rd September 2009covering guidelines for storage of Private Keys and the same has been reemphasized subsequently  in meeting held with the CAs (ref. minutes of meeting held with all CAs on 19thOctober 2012 and 23rd January 2013). The Compliance to this requirement is however not entirely satisfactory and it is imperative that procedures are put in place to ensure that no Class 2 or Class 3 DSCs are issued in cases where the key pair has  not  been generated on a FIPS 140-1/2 Level 2 validated Hardware Cryptographic Token.
CAs are advised to ensure that procedures to give effect to the above are immediately incorporated in the DSC issuance process (if not done yet) so that the Security of Private Keys used by subscribers is maintained.
In respect of Class 1 Certificate, in case the subscriber does not wish to procure a Cryptographic device, the corresponding risk should be made known to the subscriber and an undertaking taken from him/her to the effect that he/she is aware of the risks associated with storing private Key(s) on a device other than a FIPS 140-1/2 validated cryptographic module.
A Compliance to this should be reported to the Office of CCA within a month. This is being incorporated on the audit process.
Posted by at

1 comment:

  1. Digital Signature MartJuly 22, 2014 at 6:22 AM

    Thanks for the effort, keep up the Great work. The thoughts you express are really awesome. Hope you will write some more posts. I got good info from your blog and saved it as a favorite. I love your blog page too, very nice colors & theme. I really appreciated with it. Thanks again for sharing.

    ReplyDelete

Subscribe to: Post Comments (Atom)