Thursday, June 21, 2018

(Very) Preliminary Observations on eSign using VID

(These observations are based on a few hours of testing the UAT made available by one ESP provider yesterday - June 20. It is possible that some of the aspects mentioned below could change in the next few days)

UIDAI has mandated that OTP-based eSignatures can no longer use the signer's Aadhaar number. They will have to use the VID (Virtual ID) instead. This goes into effect after June 30, and one ESP made its testing environment available yesterday. Here are some preliminary observations.

1) eSigners will need a VID (Aadhaar not permitted)

The eSigner (the individual who will be signing) will need to generate a VID. This can be done from the UIDAI website. The VID is a 16-digit number and is sent over SMS to the mobile number registered with the individual's Aadhaar. A person can have only one VID at a given time. A VID seems to expire after a certain duration (not sure exactly how long, but it is probably several days; early reports suggested there would be no expiry, but our tests have revealed that some of the older VIDs have expired).

2) Freshly generated VID does not seem to be immediately usable for eSigning (!!!)

eSigners had observed in the past that if you linked a mobile number with your Aadhaar, it would not become available immediately for the eSign OTP. The UIDAI website would show that the mobile number was linked, but the eSign gateway would return an error saying it wasn't linked. It used to take several days after the mobile was linked before eSigning became possible. The same seems to be the case with freshly generated VIDs.

In our testing, it was observed that freshly generated VIDs could not be used for signing for at least a day, and maybe more. This can be a big impediment, because most eSigners are unlikely to have a VID prior to eSigning. If the signer generates one on the spot just before signing, he would have to wait a while (potentially a few days) before eSigning is possible with the new VID. This issue needs to be addressed by UIDAI / the ESP if eSigning is to remain viable.

3) ASP does not pass the VID to ESP

Earlier, the Aadhaar number was passed by the ASP to the ESP. Now it appears that the VID has to be entered on the ESP page by the eSigner. The earlier API allowed an ASP to specify a priori which Aadhaar number had to be used for signing a particular document. This no longer seems to be the case. In other words, a document may end up being signed by someone who was not intended to sign it, and any confirmation of who the actual signer was will have to be done post facto.

4) eMandates

eMandates will probably be disrupted for a while for a couple of reasons.

a) Banks may have a person's Aadhaar number (which does not change), but they may not have his VID (which keeps changing). So these banks would probably have no way to verify the eMandate unless they happen to have the VID which that person used at the time of eSigning.

b) The X.509 certificate does not seem to contain the SHA-256 of the VID (as was earlier the case with the Aadhaar number). Thus banks will not be able to perform verification even if they did have the VID. This is probably a technical issue that ESPs would need to resolve.
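To make the eMandate verification problem in 4a and 4b concrete, here is an added example (my own illustration, not code from the post, UIDAI or any ESP) of the check a bank would run: hash the identifier it holds on file and compare it with the identifier hash carried in the signer's certificate. It assumes the certificate's hash has already been extracted as a hex string (which certificate attribute carries it is not stated on the page, so the example does not parse X.509 at all), that Aadhaar numbers end in a Verhoeff check digit (a documented property of the Aadhaar number), and that a VID is 16 digits as stated above; whether a VID also carries a check digit is not stated, so only its length is validated. All sample numbers are constructed.

```python
import hashlib
import hmac
from enum import Enum

# Verhoeff multiplication, permutation and inverse tables. The 12th digit of
# an Aadhaar number is a Verhoeff check digit over the first 11.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6],
    [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8],
    [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2],
    [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4],
    [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2],
    [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0],
    [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5],
    [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_check_digit(digits: str) -> str:
    """Return the Verhoeff check digit for a string of decimal digits."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return str(_INV[c])


def verhoeff_valid(number: str) -> bool:
    """True if the last digit of `number` is a correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(number)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def identifier_kind(identifier: str) -> str:
    """Classify a signer identifier as 'aadhaar' (12 digits) or 'vid' (16 digits).

    Raises ValueError otherwise, so a mistyped value is rejected up front
    rather than hashed and then reported as a mismatch.
    """
    if not identifier.isdigit():
        raise ValueError("identifier must consist of decimal digits only")
    if len(identifier) == 12:
        if not verhoeff_valid(identifier):
            raise ValueError("Aadhaar number fails its Verhoeff check digit")
        return "aadhaar"
    if len(identifier) == 16:
        # Assumption: only the 16-digit length of a VID is checked here.
        return "vid"
    raise ValueError("expected a 12-digit Aadhaar number or a 16-digit VID")


def identifier_hash(identifier: str) -> str:
    """Hex SHA-256 of the identifier, the form the older certificates carried."""
    identifier_kind(identifier)
    return hashlib.sha256(identifier.encode("ascii")).hexdigest()


class Outcome(Enum):
    MATCH = "certificate hash matches the identifier the bank holds"
    MISMATCH = "certificate hash does not match the identifier the bank holds"
    NO_HASH = "certificate carries no identifier hash; cannot verify offline"


def verify_mandate_signer(cert_identifier_hash, bank_identifier: str) -> Outcome:
    """Compare the hash extracted from the signer's certificate (hex string,
    or None if the certificate has no such value) with the hash of the
    identifier the bank holds on file for the account holder."""
    if cert_identifier_hash is None:
        return Outcome.NO_HASH
    expected = identifier_hash(bank_identifier)
    # Constant-time comparison; the certificate value is external input.
    if hmac.compare_digest(cert_identifier_hash.lower(), expected):
        return Outcome.MATCH
    return Outcome.MISMATCH


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    aadhaar = "99988877766" + verhoeff_check_digit("99988877766")
    vid = "9876543210987654"
    # Old flow: certificate carried SHA-256(Aadhaar); bank holds the Aadhaar.
    print(verify_mandate_signer(identifier_hash(aadhaar), aadhaar).name)  # MATCH
    # New flow: signer used a VID; bank still holds only the Aadhaar (4a).
    print(verify_mandate_signer(identifier_hash(vid), aadhaar).name)  # MISMATCH
    # New flow as observed: certificate carries no hash at all (4b).
    print(verify_mandate_signer(None, vid).name)  # NO_HASH
```

The second call is the crux of 4a: because a VID cannot be reversed to the Aadhaar number (see the PS below), a bank holding only the Aadhaar has nothing it can hash that would match a VID-based certificate, so it must capture and store the VID used at signing time. The third call is 4b: with no hash in the certificate there is nothing to compare against at all, whichever identifier the bank holds.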

PS: Clarifications to commonly asked questions:

a) No, it is not possible to obtain the Aadhaar number from the VID.

b) Only the holder of an Aadhaar number can generate a VID for himself. There is no "API" to automate this on behalf of others.
