Introduction:
Every Professional is familiar with the usage of his Digital Signatures in all the MCA-21 E-Forms since 2006. Now the Companies Act, 2013 has extended its scope further. The Act now requires authentication of entries in the Statutory Registers by affixing digital signatures of the Authorised Signatory from time to time when the same are being maintained in the Soft format. There is a provision in the new rules that the Share Certificates also could be digitally signed.
This Article covers the history of its origin and its relevance under the new Companies Act, 2013
The following two basic questions linger in ones mind when a person digitally signs a document,
How does one know, when a person digitally signs a pdf, it is really him who has signed it?
How does one know, that after having signed a PDF document, no one has modified it?
To understand this we need to know something about ‘Crytography’.
Cryptography:
During the days of the world war, lot of secret messages were encrypted and then exchanged across the War Zones and the Army HQ. Encrypting formed an integral part of sharing messages so as to prevent enemies in intercepting and understanding the War Strategy. But the secret of decrypting the code had to be shared prior to sending the message. The secret of decrypting the code was called a “key”. There was no secure way of sending the key. Hence a lot of times, the secret messages were easily decrypted by the enemies.
In order to prevent this, lot of thought was put in as to on how to send encrypted messages in a way that it could only be decrypted by the right person.
This lead to the invention of ”Public-Private Key Encryption’. The idea is very simple. I have a private key and a public key. If I want someone to send me a secret encrypted message, they will have to encrypt the message using my public key. Once I receive the message I will decrypt the message using my private key. Since only I have my private key, no one will be able to decrypt the message that has been encrypted with my public key. So I am free to distribute my public key in anyway I want.
The point here is, to send me a secret encrypted message, a person will need to use my public key, encrypt the message and send the message to me. Once I receive it, only I can decrypt that message, since only I have the private key that matches with that public key.
How is Public-Private key cryptography used for digital signatures?
If I reverse the Public-Private Key formula , the result will be as follows:
If I encrypt a message using my private key and distribute the message, everyone can decrypt the message using my public key.
But the point here is not about the secrecy of the message, but the authenticity. Since only I have my private key, only I could have encrypted the message and hence that message must have been sent by me, thus verifying the authenticity of that message.
This in other words is a Digital Signature
This answers the question (1) How does one know when I digitally sign a pdf, it is really me who has signed it?
Message Digests:
In order to verify authenticity, we saw that we had to encrypt the message with our private key. But encrypting a huge document with a private key and subsequently decrypting it using the public key is very time consuming. A computer could take hours to encrypt-decrypt a huge document. Since our objective is not secrecy of the document data but about the authenticity, there is another way of doing this.
We’ll take the document and reduce it in size. The reduction in size could be as small as 128 characters. This ”Reduced Document’ is called a digest of the original message – a Message Digest. You can imagine this as zipping the document. Can you compress a document to something as small as 128 characters? You can, if you don’t care about re-creating the document back from those 128 characters.
The beauty of this is that, even if one letter is changed in the original document, the message digest that is produced, is completely different.
Hence, you only need to sign the Message Digest (ie. encrypt the message digest with the private key) and distribute the encrypted message digest along with your document.
So this answers both the questions:
How does one know, when I digitally sign a pdf, it is really me who has signed it?
How does one know, that after I have a signed a pdf, no one has modified it?
If someone, changes the content of the pdf, after signing it, the message digest changes, thus invalidating the signature.
Companies (Management and Administration) Rules, 2014 Rule 27(2):
The Rule (27)(2) states thus:
(2) The records in electronic form shall be maintained in such manner as the Board of directors of the company may think fit,
Provided that -
(a) the records are maintained in the same formats and in accordance with all other requirements as provided in the Act or the rules made there under;
(b) the information as required under the provisions of the Act or the rules made there under should be adequately recorded for future reference;
(c) the records must be capable of being readable, retrievable and reproducible in printed form;
(d) the records are capable of being dated and signed digitally wherever it is required under the provisions of the Act or the rules made there under;
(e) the records, once dated and signed digitally, shall not be capable of being edited or altered;
(f) the records shall be capable of being updated, according to the provisions of the Act or the rules made there under, and the date of updating shall be capable of being recorded on every updating.
In the light of the above understanding, the provisions (e) and (f) are confusing and contradictory. Once you digitally sign a pdf, you cannot update it again. Rule (e) says that the pdf record should not be capable edited or altered. Rule (f) counters that and says the records can be updated. Isn’t updated a synoymn of altered? But we need these two clauses workable. How do we do that ?
As an example, Let’s take a ”Member Register.’
When an allotment is made, within 7 days, the Member Register (Form MGT-1) has to be updated. So we update the Member Register with the allotment entry. We generate a PDF of the Member Register and digitally sign it.
2 months later, we need to register a share transfer. Ideally, if we are maintaining a Member Register in the physical form, we would post those entries in the folios of the transferor and the transferee and sign on both places (a wet-ink signature).
But in the electronic world of PDFs and digital signatures, this is not possible. If you update the same PDF, the original signature is invalidated. Hence, you need to generate a whole new PDF.
The new PDF should contain a declaration on the first page, as below:
“This document takes into consideration a prior Member Register signed on 18/04/2014 by Director, XYZ. By Digitally Signing this document I deemed to have authenticated all of the entries made in the previous Member Register File.
The previous Member Register file can be opened by clicking on the link below: MemberRegister-Equity-2014-04-18.”
The New Member Register should be seen holistically with the series of prior Member Registers in total. In other words, every entry in the Register of Members will produce a new set of Register of Members for affixing the digital signature as there is no provision for updation in the existing ones for the simple reason, once the register is digitally signed it cannot be modified.
This is the only way possible to maintain all registers in the electronic format and at the same time follow the Rules framed under the Companies Act, 2013.
How do we digitally sign a PDF file?
We only know to sign MCA-21 E-forms digitally. The Companies Act, 2013 wants us to sign Registers and Share Certificates digitally. Unless we have a proper software tool it is not possible. So many software tools are going to flood market in the near future. My suggestion would be that the software should be tested and certified by the Government that it is reliable, safe and secure for us to use.