According to the Electronic Certification Accreditation Council of the Ministry of Information Technology, the accredited digital signatures should be utilized by the Federal Board of Revenue (FBR) for all electronically filed tax returns in order to ensure authenticity, integrity, and non-repudiation.
Electronic Certification Accreditation The Council of the Ministry of Information Technology has announced that obtaining digital certificates from any Approved Certificate Service Provider (ACSP) may be the best option for the general public as the only certificates accepted in court are the digital certificates provided by the ACSP.
The Federal Revenue Board (FBR) has told the Council that digital signatures are already completely implemented, but on an optional basis, on the e-FBR platform. The Council recommended that for all e-filing tax returns, certified digital signatures should be used to ensure validity, transparency, and non-repudiation.
As reported by ProPakistani’s resources, some important decisions have been taken by the government in relation to digital certificates issued by accredited certification service providers. Decisions have been communicated to all concerned authorities and organizations through the Electronic Certification Accreditation Council of the Ministry of Information Technology and Telecommunications. The last meeting held by the Electronic Certification Accreditation Council also evaluated the issue of filing tax returns electronically with the use of digital certificates.
In accordance with the instructions provided by the Secretary (IT), MoIT&T, an awareness meeting with the delegates of SBP, SECP, FBR, NADRA, ECP, PTA MoITT, and MoC on the Regularization of E-Transactions under ETO-2002 was organized under the chairmanship of Brig (R) Viqar Rashid Khan.
Representatives from the State Bank of Pakistan demanded information as follows:
- Establishment of Public Key Infrastructure/Repository
- Regulations under ETO-2002
- Availability of Accredited Certification Service Providers
The following detail was provided by The Council:
- The establishment of the PKI/Repository for which the tender is already in progress;
- Regulations under ET0-2002 already exist.
- The renewal of the only CSP operating in Pakistan (NIFT) accredited by the Council for the first time in the history of Pakistan is now in process.
The distinction between the electronic signature and the advanced electronic signature was clarified in response to a question from the SBP. It was described that a digital signature uses a PKI-based digital certificate issued by a certificate authority (CA) that links an identity (such as an individual or business) to a cryptographic key pair, differing from a simple electronic signature.
Due to a shortage of demand, the Council highlighted the reasons for the lack of interest in certified CSPs. The Council, therefore, demanded all authorities to implement and promote the use of certified digital signatures in their e-services, alongside making them obligatory by integrating them into their legislation/regulations.
In response to the PTA’s inquiry, it was explained that the ECAC is not required to make regulations for the appropriate authorities, rather its responsibility only includes making regulations for ACSPs. However, to ensure the integrity of the information obtained, Section 16 of the ETO plays a part to empower authorities to specify/make procedures, technology, and regulations. In addition to this, guidelines for e-transactions/documents for all relevant authorities under Chapters 2 & 3 of ETO-2002 have already been drafted.
SBP was of the opinion that ETO-2002 would not preclude any Certification Service Provider from participating in a business without accreditation, and that the electronic documents, messages, and signatures are also legally legitimate. The council clarified that despite all types of electronic signature being accepted by ETO-2002, the enhanced protection attached to Certified Digital Signature received priority from the ETO.
The ETO, thus, creates a voluntary scheme of Credential Authority Accreditation. Only the use of an Accredited Digital Signature supports reliability and with such a signature, the signed document is authentic with increased reliability and a higher legal value. SBP, along with other regulators, is the prime financial institution to incorporate the use of accredited digital certificates to safeguard and protect the e-transactions of consumers.
During the process of a document being digitally signed with the private key of the signatory, the exact content of the document and the identity of the signatory are connected together to form a specific digital fingerprint. This ensures that the ACSP has confirmed the identification of the signatory of the document, further making certain that the credibility of the content of a document has not been compromised since it was signed and the non-repudiation that a signatory can not be possible.
In order to ease the accreditation standards of the SBP, the Council clarified that the requirements cannot be decreased because they are specified by the ACSP Regulations that have been accepted. ECAC is, however, available within the specified framework for any facilitation or assistance needed by CSPs in acquiring accreditation.
SECP heard that digital certificates were used for e-voting firms, but owing to the higher costs and processing time, their use was revoked in the 2017 regulations. When accrediting CSPs, these problems become crucial. While recognizing the role of ECAC in the security of electronic transactions, NADRA assured the representative that it would collaborate with ECAC for wide-ranging interaction to ensure the best outcomes for the country. It is also further explained by NADRA that the HEC may also be advised to use a digital signature to efforts to protect the online degree/credential verification process.
Moreover, the Council also highlighted NADRA’s position as a registration authority for its unique digital identity recordkeeping of people in the physical world and the role it plays in checking online identification.
ECP also accepted ECAC’s concern and committed to integrating the use of e-voting digital signatures. The meeting ended with the following decisions for potential implementation:
Decisions and Implementation Plan
Digital certificates issued by the Certified Certificate Service Provider can be identified as the only certificates of validity, legitimacy, and non-repudiation recognised by a court of law. Due to this reason, it becomes the public’s best interest to obtain digital certificates from an Approved Certificate Service Provider. IT is expected from all the relevant authorities to prioritize and inculcate the use of Certified Digital Certificates in their regulations.
The use of Accredited Digital Certificates will be ensured by all Relevant Authorities in order to generate demand for ETO-2002 implementation. For debate, a close group of all regulators, members of the Council, and officers will be formed on WhatsApp.
As per global ETO-2002 enforcement practices, ECAC is setting up the PKI/Root Certification Authority (Root Certification Authority) technology for digital signature enablement. An advice letter to the SDP Governor has already been released by ECAC outlining the effects of non-compliance with ETO-2002 (Not the use of Accredited Digital Signatures).