Dear Partner, This message is to intimate you about the procurement and usage of Digital Signatures in UIDAI Authentication & e-KYC APIs for Signing the request XMLs. Currently following types of Digital Signatures are supported: 1.

End User Certificate (Issued for Organization use) - Class2/Class3

2.

Organizational Document Signer Certificate - Class2/Class 3 1. What is the difference between “End User Certificate (Issued for Organization use)” and “Document Signer Certificate”?

Certificate Field Issued To Signed by

Classes

End User Certificate (Issued for Organization use) (Supported by UIDAI APIs) Issued to Individual name, with Organizational value Meant for signing of document at individual capacity of the organization Available in Class 1, 2 and 3

UIDAI Supports only Class 2 and Class 3 Even though, there are technical Server Side capabilities to achieve automated Signing signing, purpose is largely for manual single document signing. Accountability Accountability is with Individual, representing the certificate. Extended Key NA Usage

Mode of Issuance

Document Signer Certificate (Supported by UIDAI APIs) Issued to Organizational Legal name Meant for signing at Organizational capacity. Available in Class 2 and 3 UIDAI Supports Class 2 and Class 3 Purpose is mainly for automated signing and also to reflect organizational accountability. Organizational accountability Specific application requirements are also met, like Email clients, Microsoft Applications, and Adobe Applications.

Class 3 - FIPS 140-1/2 Level 2 Hardware crypto token or HSM

When procuring for UIDAI usage this field should be excluded. Class 3 - FIPS 140-1/2 Level 2 Hardware crypto token or HSM

Class 2 - FIPS 140-1/2 Level 2 Hardware crypto token or HSM

Class 2 - FIPS 140-1/2 Level 2 Software – File based

2. What should be taken care while procuring a “Document Signer Certificate” for the usage in UIDAI APIs? 

A certificate without "Extended Key Usage" should be obtained from CAs.The CAs can be requested for this while creating/procuring a certificate. The certificate will FAIL if the “Extended Key Usage” is present.

3. E-KYC Encryption Keys (For response XML encryption by UIDAI) 

The KUA/KSA should procure an Encryption Certificate (issued for organization use) and share the public key with UIDAI for encrypting the e-KYC response XML going back to the KUA/KSA.



It is mandatory to have the key usage maintained as “Key encipherment” in the certificate



It should be a class 2 or class 3 certificate.

4. Extremely important – MANDATORY TO READ: 

UIDAI is arranging this communication for spreading awareness on procuring and using digital signature keys, and the communication is prepared as per the CCA guidelines available as on 15th May 2015 (http://cca.gov.in/cca/sites/default/files/files/DSCInteroperabilityGuidelinesR2.9. pdf ) . The entities should refer to the latest available Interoperability Guidelines published by the CCA to validate the details provided in this communication at the time of procuring a key.



Its mandatory to go through the latest UIDAI Authentication API document for the Digital Signature related guidelines for its usage in the request XMLs.



Please refer to the mode of issuance of each certificates as per the CCA guidelines. The digital signatures issuance mode (File, USB or HSM) will have a lot of significance on the security, capacity and scalability requirements of an Organization. It is highly recommended to consult with your CA and decide on the mode of issuance best suiting your Organizational/Business requirements.



This notification is for your information and appropriate action. Please note that the UIDAI validation scheme on the Digital Signatures will remain unchanged.



Any further queries should be routed to Auth Support.