Open source ejbca public key infrastructure for e-governance enabled software systems in rrcat

Abstract

Deployment of paperless, workflow-driven software systems require high level of security and sophisticated authentication techniques. Any security solution that is integrated with digital applications need to answer the fundamental question of establishing authenticity, access control, nonrepudiation and data integrity. A major concern in transactions carried out in e-governance systems is the need for replacement of ink based or “wet” signature with an e-signature implemented using Digital Signature Certificate (DSC). Also, as any web-enabled application or service is prone to a multitude of attacks, any discussion on e-Governance enabled software system is incomplete without consideration of “security” as a prominent aspect of “e-signatures.” An e-signature may be considered as a type of electronic authentication which can be applied to online transactions. There are a number of technologies, products and solutions for securing electronic infrastructure of an organization. It must be taken care that the level of sophistication provided by the chosen security solution should commensurate with level of security required by applications being designed. To operate critical web-enabled applications, a public certificate-based solution provided by a robust, enterprise grade PKI (Public Key Infrastructure) is one of the most widely deployed, standard solution. PKI-based security solutions can provide a high level of assurance to all application domains, e.g., digital form signing, business process automation, etc. PKI is a consistently evolving security process with a number of applications in government as well as business domains. It is one of the most appropriate security mechanisms for securing data, identifying users, and establishing a chain of trust to secure electronic documents. This paper discusses our experience in setting up and implementing the open source EJB Certifying Authority software, accompanying challenges, along with advantages and limitations of implementing an in-house PKI setup and integrating this PKI functionality with other in-house developed paperless, workflow-driven software systems.