My name is Satheesh Sangaraju, and today I am going to discuss one of the most important security concerns surrounding the use of your DSC (Use of Digital Signature). To make it easy for everyone to understand, I will explain it in very simple words and avoid too much technical language.
Do you really know about DSC audit logs?
Have you ever verified how, when, and where your DSC is being used? Have you ever verified whether your DSC was cloned or duplicated? First of all, how many of you know about the audit logs for your DSC?
In our investigation, we identified that less than 1% of directors or company owners are aware of DSC audit logs. But this is not really about awareness alone. The real question is: is your Digital Signature being used with your consent, and is every usage activity being recorded and preserved as required under CCA guidelines?
What is DSC Audit Log?
In simple words, a DSC audit log is like a history sheet or activity record of your Digital Signature Certificate.
It helps show things like:
- when your DSC was used,
- for what transaction or activity it was used,
- and, depending on the system/application, sometimes from which system or process it was used.
A very simple way to think about it is this:
DSC = your digital signature pendrive
Audit log = the register that records when that pen was used for signing
Who is responsible for preserving audit logs?
The CA (Certifying Authority) is responsible for preserving audit logs, and those logs must be available for compliance and regulatory examination. A Certifying Authority (CA) is the entity that issues DSCs. Audit logs must be preserved for 7 years as per CCA guidelines.
Popular CAs:
- eMudhra
- nCode
- Capricorn
- Safescrypt
- Vsign / Verasys
- IDSign
- PantaSign
- XtraTrust
What is the role of CCA?
CCA (Controller of Certifying Authorities) is the government regulator that supervises and controls the digital signature system in India.
CCA does not issue your DSC directly.
CCA regulates the authorities that issue DSCs.
Is the CA (Certifying Authority) working under CCA guidelines?
Our investigation was initiated with respect to IDSign CA. During the course of review, certain reports and materials raised concerns regarding possible non-compliance by some Certifying Authorities with applicable CCA guidelines. These matters require proper verification by the competent authorities.
We found discrepancies in the audit logs. This raises a serious question: when directors’ DSCs are kept in the custody of CSs, CAs, or compliance service providers, are they always being handled with proper authorization and safeguards, or does this create a risk of misuse, mix-ups, and financial or compliance exposure?
Conclusion
I have shared only very basic information for awareness and to encourage better compliance practices. For a deeper understanding, you may independently research and examine how Certifying Authorities operate, how audit logs are maintained, and how DSCs are handled when they remain in the possession of professionals or service providers.
A careful review may bring to light serious issues relating to compliance, custody, authorization, and accountability, some of which may be deeply concerning.
This is being shared purely for knowledge and awareness, with the objective of strengthening and safeguarding compliance processes.

