Wednesday, January 4, 2017

Verifying a digitally signed pdf in India

How does one verify that a digitally signed PDF has a valid signature in India?

(This is a frequently asked question.)

A digital signature embedded in a PDF is supposed to be automatically recognized by Acrobat PDF reader. You will see a panel at the top of the page as shown below:

If the signature is not indicated as valid, there may be a couple of reasons for it, and these can be addressed as stated below:

1) The Indian Govt's "Root Certificate" is NOT in the default list of "Trusted Certificates" in Acrobat PDF Reader.

Hence, you may have to add the CCA India Root certificate to your list of trusted Certificates. All you are doing is telling your Acrobat PDF reader that you trust the Root Certificate of Govt of India.

The steps are as follows:

Click on Signature Panel. This opens a panel with information about who has signed the document.

In the information on the Panel, find Signature Details and click on it. Then click on Certificate Details.

Then in the dialog that comes up, click the Trust tab and on the left side, click on CCA India root certificate. Then click the button that says Add To Trusted Certificates. You may need to re-open the file. Thereafter, all documents legally signed in India will show "Signed and All signatures are valid" in the blue band at the top of Adobe Reader.

But what if someone has impersonated the CCA India root certificate (in the PDF you are opening)? That is a good question. To ensure that the CCA India root certificate is genuine, look at its details in the Details tab, and click on Public Key. Make sure this matches the public key that is published on the website for that certificate.

If you do not see CCA India as the root certificate, the document cannot be considered to be legally signed in India as per IT Act 2000.
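The public-key comparison described above can also be done outside the reader, on a root certificate saved as a DER file. The Python below is an added example, not part of the original post. It assumes the published value is the hex of the key bytes held in the certificate's subjectPublicKeyInfo BIT STRING, and its sample certificate is a constructed skeleton, not the real CCA India root.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def public_key_bytes(cert_der):
    """Return the key bytes from subjectPublicKeyInfo of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                            # optional explicit [0] version
        pos = end
    for _ in range(5):                         # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, pos, _ = read_tlv(cert_der, pos)      # subjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    _, _, pos = read_tlv(cert_der, pos)        # skip AlgorithmIdentifier
    tag, start, end = read_tlv(cert_der, pos)  # BIT STRING holding the key
    if tag != 0x03:
        raise ValueError("public key BIT STRING not found")
    return cert_der[start + 1:end]             # drop the unused-bits octet

def key_matches(cert_der, published_hex):
    """True if the certificate's key equals the published hex (spaces/colons ignored)."""
    published = bytes.fromhex(published_hex.replace(":", ""))
    return public_key_bytes(cert_der) == published

def tlv(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = size if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

# Constructed sample: a certificate-shaped skeleton with a made-up 140-byte key.
SAMPLE_KEY = bytes(range(1, 141))
EMPTY = tlv(0x30, b"")                         # placeholder for fields the check skips
SPKI = tlv(0x30, EMPTY + tlv(0x03, b"\x00" + SAMPLE_KEY))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + EMPTY * 4 + SPKI)
SAMPLE_CERT = tlv(0x30, TBS + EMPTY + tlv(0x03, b"\x00"))
PUBLISHED = " ".join(f"{b:02X}" for b in SAMPLE_KEY)   # stands in for the website's value
print(key_matches(SAMPLE_CERT, PUBLISHED))
```

A mismatch on even one byte means the certificate in the PDF is not the published root, whatever name it displays.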

(Continued in a subsequent post)

Sunday, January 1, 2017


UIDAI sends an OTP (One time password) for completing an Aadhaar based digital signature. This OTP arrives as an SMS to the Signer's registered mobile phone. Unless this OTP is used, the signature cannot be generated.

It has been observed that there is a significant delay in the arrival of OTPs during times when SMS gateways of mobile operators are likely to be busy (such as during New Year's (Dec 31 - Jan 1)), presumably because people are sending a lot of New Year messages.

I wonder if UIDAI can ensure that mobile operators prioritize their SMSes over others. This will ensure that OTPs for Digital Signatures arrive quickly.

(The good news is that most New Year's messages that I got this time were on WhatsApp and not SMS).