Saturday, February 11, 2017

Making NAD successful


The National Academic Depository Bill requires all educational institutions in India to store their student credentials with SEBI approved depositories (presently limited to NSDL and CDSL). This Bill came about in response to the menace of fake degrees and certificates being presented in order to secure employment / admissions by unscrupulous entities. The Bill seeks to create central repositories where potential employers can verify the authenticity of candidate's educational credentials. This is a laudatory objective, given how rampant the problem of fake credentials and certificates is, in India.

The Govt of India is keen to get this rolled out quickly (see here and here), and the HRD minister seems keen as well.


Some observations:

1) Implementing the NAD is a massive Operational Challenge. Unless an eco-system is put in place, its adoption / implementation is unlikely to happen within a reasonable frame of time. While the depositories are large organizations and they have the backing of the law, it is unrealistic to expect them to have the man-power or the reach to connect with and bring on-board every single educational institution in the country.

2) Most of the initiatives under Digital India have focused on creating 'eco-systems' rather than a single entity becoming responsible for entire implementation. Probably the best example is the UIDAI, which has published Aadhaar 'APIs' or Application Programming Interfaces, that allow third parties to build applications and reach out to end-users. This is the single most important factor in the rapid adoption and success of Aadhaar based programs, and credit is due to the visionary leadership of UIDAI. If UIDAI had taken upon itself the responsibility of building every single application and attending to every single customer, it's unlikely the Aadhaar program would have been as successful as it has been. Another excellent example is the UPI interface, which will allow parties to build payment related applications for specific customer verticals / use-cases.

3) Educational Institutions are likely to require training / hand-holding in the adoption stages as well as on an on-going basis if they are to participate in the NAD. Educational credentials are generated semi-annually (at least), so in addition to initial on-boarding, educational institutions will need to process educational credentials for NAD at least two times annually. A large number of service providers in the education space already work with educational institutions all over India. (Truecopy Credentials is one of them). The Depositories should probably consider leveraging this existing eco-system to quickly enhance the adoption of NAD. Would it not be a win-win for all parties? (Depositories quickly build up their database, Educational Institutions get the on-premise service they need, and service providers earn a business - thereby providing more employment).


To summarize, the Depositories should consider exclusive focus on building out the backend technology and an API (Just like UIDAI). They should publish this API (can be of "paid-subscription" variety) and then train & qualify service providers to work with educational institutions. These service providers would effectively become stake-holders in growth and propagation of the system. With such an ecosystem in place, there is a good chance that most educational institutions in India would become part of the NAD within 2 years. 

Tuesday, February 7, 2017

Issues with verifying legally valid Digital Signatures in India

When PDF documents with valid Indian Digital Signatures are opened in Acrobat (Adobe) PDF readers, some users may see errors (the digital signatures don't get automatically verified).

Some Acrobat (Adobe) PDF readers need to be configured to be able to validate Indian Digital Signatures.

Detailed explanations of a couple of common issues & how-to resolve them are below:

http://truecopycredentials.blogspot.in/2017/01/how-does-one-verify-digitally-signed.html

http://truecopycredentials.blogspot.in/2017/02/on-esignature-verification-in-adobe.html



Thursday, February 2, 2017

More on eSignature verification in Adobe Readers

This post continues an earlier post on Validation of Indian Digital Signatures in the Acrobat PDF reader.

In an earlier post, we discussed about including the Root certificate of Govt of India as a Trusted Certificate. In this post we will talk about another item dealing with Digital Signatures in India.

Aadhaar-based eSignatures are created using a one-time Digital Signing Certificate issued by the competent issuing authority under Govt of India. Not only is this Digital Signing Certificate for one-time use, but its signing validity is restricted to 30 minutes. This means that the document has to be signed within 30 minutes of the issuance of this certificate. (NOTE: Once signed, the signature is valid for ever. Only the signing process has to be completed within 30 mins).

For applications where Aadhaar-based signatures are used, the above works very well. The signed documents when opened in Adobe PDF readers or Acrobat DC will see the usual blue band at the top with a Green tick that says that the signature is valid.

=======

Some users have recently reported that when they open an Aadhaar eSigned file, they do not see the green tick, but a yellow icon as below...



Question: Why does the signature validate correctly in certain readers, and not in others?


To understand this, we dig a bit deeper and find that the Signature doesnt verify because Adobe Reader does not have access to the CRL files for the corresponding certificates. (CRL = Certification Revocation Lists).





Clicking on the "Check revocation" button does not seem to help.

The reason for this is that Adobe Reader does not access the CRLs if the time on the user's computer is outside the Signing Interval. (This is particularly cumbersome for Aadhaar-type certificates whose signing interval is limited to only 30 mins!)

How then do you get a Signature Valid message with a Green Tick?

Here are two possible solutions:


Option 1) You can include the CRL files in the Adobe cache. Here is how you do that:

Download this zip file crl.zip, and copy its contents (4 files) to the following folder:

On Windows 8 & Above:
 C:\Users\<loginusername>\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache

On Windows 7.x & Below:
 C:\Documents And Settings\Adobe\Acrobat\DC\Security\CRLCache

OR

Option 2) You can open one Aadhaar eSigned file within few minutes of it being signed . Then you will be OK even if you open other files after a longer time  ðŸ˜²  (that's because when you open the first file, the Adobe reader fetches the CRLs and also stores them to cache).