The government of Nepal has finally adopted and validated the usage of Digital Signature in the country. Nepal had initially launched digital signature back in 2012 but then it could not be implemented due to inadequate infrastructure at that time. Now, that the Government of Nepal with the Ministry of Information and Communications Technology & the OCC (Office of the Controller of Certification), the root certifying authority of Nepal has declared the official adoption and validity of digital signature in Nepal on December 2, 2015. The OCC has stated that the signature will be implemented under Electronic Transaction Act 2006 and Electronic Transaction Rules 2007.
An Exclusive Interview with IT Officer at Office of Controller of Certification, Mr. Satish Subedi
What is a Digital Signature?
A digital signature is an electronic form of a signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and also ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable and cannot be imitated by someone else. The ability to ensure that the original signed message arrived means that the sender cannot easily disclaim it later.
What is a Digital Signature Certificate (DSC)?
Digital Signature Certificates (DSC) is the electronic format of physical or paper certificate like a driving License, passport etc. Certificates serve as proof of identity of an individual for a certain purpose; for example, a Passport identifies someone as a citizen of that country; who can legally travel to any country. Likewise, a Digital Signature Certificate can be presented electronically to prove your identity, to access information or services on the Internet or to sign certain documents digitally.
Why do I need a Digital Signature Certificate?
A Digital Signature Certificate authenticates your identity electronically.
It also provides you with a high level of security for your online transactions by ensuring absolute privacy of the information exchanged using a Digital Signature Certificate. You can use certificates to encrypt information such that only the intended recipient can read it. You can digitally sign information to assure the recipient that it has not been changed in transit, and also verify your identity as the sender of the message.
Where can I purchase a Digital Signature Certificate?
Legally valid Digital Signature Certificates are issued only through a licensed Certifying Authorities (CA), such as Radiant Info Tech Nepal, a Certifying Authority (CA) licensed by OCC, offers secure digital signatures through various options tailored to suit individual as well as organizational needs.
How does a Digital Signature Certificate work?
A Digital Signature Certificate explicitly associates the identity of an individual/device with a pair of electronic keys – public and private keys – and this association is endorsed by the CA. The certificate contains information about a user’s identity (for example, their name, pin code, country, email address, the date the certificate was issued and the name of the Certifying Authority that issued it). These keys complement each other in that one does not function in the absence of the other. They are used by browsers and servers to encrypt and decrypt information regarding the identity of the certificate user during information exchange processes.
The private key is stored on the user’s computer hard disk or on an external device such as a token. The user retains control of the private key; it can only be used with the issued password. The public key is disseminated with the encrypted information. The authentication process fails if either one of these keys is not available or do not match. This means that the encrypted data cannot be decrypted and therefore, is inaccessible to unauthorized parties.
Is Digital Signatures Certificate legally valid in Nepal?
Yes, after the enactment of Electronic Transaction Act 2063 Digital Signature Certificates are legally valid in Nepal. Digital Signature Certificates are issued by licensed Certifying Authorities OCC under the Ministry of Science and Technology, Government of Nepal as per the Electronic Transaction Act.
What is the difference between a Digital Signature and a Digital Signature Certificate?
A digital signature is an electronic method of signing an electronic document whereas a Digital Signature Certificate is a computer-based record that Identifies the Certifying Authority issuing it; Has the name and other details that can identify the subscriber; Contains the subscriber’s public key; Is digitally signed by the Certifying Authority issuing it; Is valid for either one year or two years.
Can I use one Digital Signature Certificate for multiple e-mail addresses?
No, you cannot. A digital signature certificate can have only one email address. Can I use the digital signature certificate in e-tendering systems? Digital signature certificates in e-tendering systems are allowed but based on the service provider.
Can digital signature certificates be used in wireless networks?
Yes, digital signature certificates can be employed in wireless networks. Am I allowed to use one web server certificate (SSL) for more than one website?
No. You will not be able to use one SSL certificate on different websites with different domain names because the certificate is explicitly associated with the exact host and domain name.
What is a Certifying Authority (CA)?
A Certifying Authority is a trusted agency whose central responsibility is to issue, revoke, renew and provide directories for Digital Signature Certificates. According to Electronic Transaction Act 2063, “Certifying Authority” means a person who has been granted a license to issue Digital Signature Certificates.
Who can be a Certifying Authority (CA)?
The Electronic Transaction Act 2063 details the prerequisites of a CA. Accordingly, a prospective CA has to establish the required infrastructure, get it audited by the auditors appointed by the office of Controller of Certifying Authorities. After complete compliance of all requirements, a license to operate as a Certifying Authority can be obtained. The license is issued by the Controller of Certifying Authorities, Ministry of Science and Technology, Government of Nepal.
What is a Registration Authority (RA)?
RA (Registration Authority) is an agent of the Certifying Authority who collects the application forms and related documents for Digital Signature Certificates, verifies the information submitted and approves or rejects the application based on the results of the verification process.
What is the role of OCC?
The Controller of Certifying Authorities (OCC) is a Government of Nepal undertaking that license and regulate the working of Certifying Authorities. The OCC certifies the public keys of CAs, which enables users in the cyberspace to verify that a given certificate is issued by a licensed CA. For this purpose, OCC operates, the Root Certifying Authority of Nepal (RCA). The OCC also maintains the National Repository of Digital Signature Certificate (NRDC), which contains all the certificates issued by all the CAs in the country.
What is NRDC?
In accordance with the Electronic Transaction Act, NRDC is a national repository maintained by the OCC that contains all Digital Signature Certificates and CRLs issued by all the licensed CAs. It also contains all the Digital Signature Certificates and CRLs issued by the OCC through its RCA. All Relying Parties are allowed to verify the authenticity of a CA’s public keys from this repository.
What is RCA?
RCA is the Root Certifying Authority of Nepal. It was established by ETA and is responsible for digitally signing the public keys of all the licensed CAs in the country.
The RCA root certificate is the highest level of certification in the country. The RCA root certificate is a self-signed certificate.
The key activities of the RCA include:
Digitally signing licenses issued by OCC to CA
Digitally signing public keys corresponding to private keys of a CA
Ensuring availability of these signed certificates for verification by a Relying Party through the OCC website
Repository
What is a CRL?
The Certificate Revocation List (CRL) is a list of certificates that have been revoked by the CA, and are therefore no longer valid.
What is a CPS?
The Certificate Practice Statement (CPS) is a statement of the practices that a Certification Authority (CA) employs for issuing and managing certificates. A CPS may take the form of a declaration by the CA of the details of its system’s trustworthiness and the practices that it employs both in its operations and in its support of the issuance of a certificate.
What is a CP?
Certifying Authorities issue Digital Signature Certificates that are appropriate for specific purposes or applications. A Certificate Policy (CP) describes the different classes of certificates issued by the CA, the procedures governing their issuance and revocation and terms of use of such certificates, besides information regarding the rules governing the different uses of these certificates.
What is Subscriber Agreement?
A Subscriber Agreement is an agreement between Subscriber and (Radiant Info Tech Nepal) CA stating that the subscriber will use the Digital Signature Certificate for the assigned use or objective and that the subscriber is solely responsible for the protection of the private key and ensuring functionality of the unique key pair. The subscriber also agrees through the Subscriber Agreement that all the information provided to CA at the time of registration is accurate. In the event of any change in information, the subscriber is obliged to immediately inform CA. CA is not responsible for any legal disputes arising due to misrepresentation on the part of the subscriber.