What is a Digital Signature? A Complete Technical and Legal Guide

Discover what a digital signature is, how it works, the difference between electronic and digital signatures, and its legal validity in India under the IT Act.

19 May 2026
Kaagzaat Editorial

Introduction: The Evolution of Document Authentication

For centuries, the handwritten signature (often referred to as a “wet signature”) was the undisputed gold standard for authorizing contracts, verifying corporate decisions, and executing legal agreements. However, as the global economy shifted to digital transactions, paperless workflows, and remote-first operations, physical ink signatures quickly became a bottleneck. They were slow, expensive to ship, easy to forge, and prone to physical tampering.

Enter the Digital Signature.

Far more than a simple scanned image of a handwritten signature pasted onto a PDF, a digital signature is a highly secure, mathematically validated cryptographic lock. It guarantees that a digital document originates from a specific sender, that the sender cannot deny signing it, and that the document has not been altered in transit.

Today, digital signatures are the cornerstone of modern corporate compliance, legal transactions, and secure e-governance in India. From registering a new company on the Ministry of Corporate Affairs (MCA) portal to filing income tax returns and submitting government e-tenders, digital signatures are legally mandatory. This definitive guide breaks down what a digital signature is, how it works under the hood, how it differs from a standard electronic signature, its legal standing under the Information Technology (IT) Act, 2000, and how to obtain a Class 3 Digital Signature Certificate (DSC) in India.


1. What is a Digital Signature?

A Digital Signature is a mathematical technique used to validate the authenticity and integrity of a digital document, message, or software. It acts as a digital fingerprint that uniquely binds the identity of the signer to the electronic data being signed.

To understand why digital signatures are so secure, we must look at the three core pillars of cybersecurity they enforce:

  1. Authenticity: A digital signature provides cryptographic proof that the document was created and signed by the exact person who claims to have signed it. The signer’s identity is verified by a licensed Certifying Authority (CA) beforehand.
  2. Integrity: Once a document is digitally signed, the mathematical algorithm binds its contents. If even a single character, comma, or digit is changed after the signature is applied, the digital signature becomes instantly invalid, alerting all parties to the tampering.
  3. Non-Repudiation: Because the unique digital key used to sign the document is held securely by the signer (usually in a password-protected USB hardware token), the signer cannot later deny having signed the document. This makes it legally binding in a court of law.

2. How Does a Digital Signature Work? (The Cryptography Explained)

Digital signatures rely on a cryptographic framework known as Public Key Infrastructure (PKI) and a technology called Asymmetric Cryptography.

Asymmetric cryptography uses a pair of mathematically linked keys:

  • Private Key: Known only to the owner. It is stored inside a secure hardware USB token (like an ePass2003) and is used to encrypt and sign the document.
  • Public Key: Made available to anyone. It is distributed with the document and is used by the receiver to decrypt and verify the signature.

Here is the step-by-step cryptographic workflow of how a document is signed and verified:

                  [ SIGNING PROCESS ]
                 ┌───────────────────┐
                 │  Original PDF Doc │
                 └─────────┬─────────┘

                           ▼ (Run Hashing Algorithm)
                 ┌───────────────────┐
                 │ Unique Hash Value │
                 └─────────┬─────────┘

                           ▼ (Encrypt using Signer's Private Key)
                 ┌───────────────────┐
                 │ Digital Signature │
                 └─────────┬─────────┘

                           ▼ (Merge with PDF)
                 ┌───────────────────┐
                 │Signed PDF Document│
                 └─────────┬─────────┘

                           ▼ (Transmit to Receiver)

                 [ VERIFICATION PROCESS ]

         ┌─────────────────┴─────────────────┐
         ▼                                   ▼
┌───────────────────┐               ┌───────────────────┐
│Extract & Decrypt  │               │Compute Hash of    │
│Signature using    │               │Received PDF Doc   │
│Signer's Public Key│               │using same Alg     │
└────────┬──────────┘               └────────┬──────────┘
         │                                   │
         ▼ (Reveals original Hash)           ▼ (Creates current Hash)
 ┌───────┴───────────────────────────────────┴───────┐
 │             ARE BOTH HASHES IDENTICAL?            │
 └───────────────────────┬───────────────────────────┘

             ┌───────────┴───────────┐
             ▼                       ▼
       [ YES: Valid ]          [ NO: Tampered ]
   - Identity Verified      - Document Modified
   - Integrity Intact       - Signature Broken

  1. Hashing: When you click “Sign” on a PDF, a cryptographic algorithm (like SHA-256) calculates a unique, fixed-length mathematical string representing the exact content of the document. This is called a Hash.
  2. Encryption: The signing software uses your Private Key (accessed via your USB token and PIN) to encrypt the Hash. This encrypted hash is the Digital Signature.
  3. Appended Signature: The digital signature and your Public Key are embedded into the PDF document.
  4. Verification: When the receiver opens the signed PDF:
    • The software uses the Public Key to decrypt the signature, revealing the original hash calculated during signing.
    • The software calculates a new hash of the document’s current content.
    • If the original decrypted hash matches the new hash, the document is secure. If they do not match, the software warns that the document was modified after signing.
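
The four steps above, as an added example that is not code from the original guide or from any signing product: a hash-then-sign round trip using textbook RSA from the Python standard library, showing that an unchanged document verifies while a one-character edit or the wrong public key does not. The key sizes, primes, and sample documents are constructed for illustration; production signatures use padded schemes such as PKCS#1 v1.5 or RSA-PSS, and the private-key step runs inside the hardware token.

```python
import hashlib

E = 65537  # widely used RSA public exponent


def make_key(p, q):
    """Build a textbook RSA key from two primes: public (n, e), private d."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": E, "d": d}


# Constructed demo keys from well-known Mersenne primes: deterministic and
# trivially factorable, so for illustration only. A real DSC key is generated
# inside the token and never leaves it.
SIGNER = make_key(2**127 - 1, 2**521 - 1)
OTHER = make_key(2**89 - 1, 2**607 - 1)


def doc_hash(document: bytes) -> int:
    """Step 1 (Hashing): SHA-256 digest of the exact bytes, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, key) -> int:
    """Step 2: apply the private-key operation to the hash, not the document."""
    return pow(doc_hash(document), key["d"], key["n"])


def verify(document: bytes, signature: int, key) -> bool:
    """Step 4: recover the signed hash with the public key, then compare it
    with a fresh hash of the bytes actually received."""
    if not 0 <= signature < key["n"]:
        return False
    recovered = pow(signature, key["e"], key["n"])
    return recovered == doc_hash(document)


def demo():
    original = b"Pay INR 10,000 to vendor A"   # constructed sample document
    tampered = b"Pay INR 90,000 to vendor A"   # one character changed
    sig = sign(original, SIGNER)
    return {
        "unchanged": verify(original, sig, SIGNER),
        "tampered": verify(tampered, sig, SIGNER),
        "wrong_signer_key": verify(original, sig, OTHER),
    }


if __name__ == "__main__":
    print(demo())
```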

3. Digital Signature vs. Electronic Signature (e-Signature)

Many business owners, founders, and professionals use the terms “digital signature” and “electronic signature” interchangeably. However, they represent entirely different levels of security, technology, and legal weight.

Here is a side-by-side comparison:

| Feature | Electronic Signature (e-Signature) | Digital Signature (Cryptographic) |
|---|---|---|
| Definition | A broad category representing any digital markup indicating intent to sign (e.g., a scanned image, a clicked check-box, a typed name). | A highly secure type of e-signature based on asymmetric cryptography and Public Key Infrastructure (PKI). |
| Security | Low. Easy to forge or copy. Does not offer built-in tamper detection. | High. Extremely difficult to forge. Features automated mathematical tamper detection. |
| Verification | No formal verification of the signer’s physical identity by an independent authority. | Signer’s identity is verified by a licensed government Certifying Authority (CA) beforehand. |
| Standard Format | Proprietary to the platform (e.g., standard DocuSign, HelloSign markups). | Standardized format (PKCS#7 / PAdES) compatible with Adobe Acrobat, MCA, and global readers. |
| Legal Validity | Limited. Can be disputed in court. Not accepted for government filings. | High. Statutorily backed by the IT Act, 2000. Accepted for all government filings. |

4. Classes of Digital Signature Certificates (DSC) in India

In India, Digital Signature Certificates (DSCs) are issued by private Certifying Authorities licensed by the Controller of Certifying Authorities (CCA) under the Ministry of Electronics and Information Technology (MeitY).

Historically, DSCs were divided into three classes based on the level of identity verification involved. However, the system has been updated:

  • Class 1 (Deprecated): Verified only an individual’s email address. It did not verify physical identity and offered low security. It has been completely deprecated.
  • Class 2 (Deprecated): Verified identity based on database matches (e.g., PAN or Aadhaar verification). Class 2 certificates were widely used for Income Tax and GST filings but were deprecated in March 2021 to elevate national security standards.
  • Class 3 (The Current Mandate): The highest and now only standard Class of DSC issued in India. To secure a Class 3 DSC, the applicant must undergo a rigorous identity verification process including:
    • Paperless Aadhaar/PAN online verification.
    • Mobile OTP verification.
    • Mandatory live video verification where the applicant must show their original documents on camera and state their intent.

Important: A Class 3 DSC is legally mandatory for all MCA corporate registrations (SPICe+, FiLLiP), Income Tax filing (ITR), GST filing, e-Tendering, DGFT (Directorate General of Foreign Trade) applications, and Trademark/Patent filings in India.


One of the most common questions entrepreneurs ask is: Is a digital signature as legally binding as a handwritten one?

Yes. In India, digital signatures have absolute legal equivalence to traditional handwritten signatures.

The Information Technology (IT) Act, 2000

Under Section 4 and Section 5 of the IT Act, 2000, the Indian government grants legal recognition to electronic records and digital signatures. It states that where any law requires a physical signature, a digital signature that complies with asymmetric cryptography and is issued by a licensed CA satisfies that requirement.

Furthermore, under the Indian Evidence Act, 1872 (Section 65B), digitally signed documents are admissible as primary electronic evidence in a court of law, providing strong legal protection against contractual disputes.

Important Exceptions: What CANNOT Be Signed Digitally

Despite their broad legal validity, the First Schedule of the IT Act, 2000, specifically lists certain documents that cannot be signed digitally. These documents still require physical ink signatures on paper:

  1. Negotiable Instruments (Other than a check) such as a Promissory Note or a Bill of Exchange.
  2. Power of Attorney (PoA): A document authorizing someone to act on another’s behalf (especially in property matters).
  3. Trust Deeds: Documents establishing a trust.
  4. Wills and testamentary dispositions.
  5. Real Estate Contracts: Any contract for the sale or transfer of immovable property or interest in such property.

6. How to Obtain a Class 3 DSC in India: The Step-by-Step Process

Securing a Class 3 Digital Signature Certificate is a quick and paperless process that can be completed online in under 30 minutes with a professional registration partner.

Step 1: Partner with a Certified Provider or CA

Reach out to an authorized certifying provider linked with licensed Certifying Authorities (CAs) in India (such as eMudhra, Capricorn, VSign, or Protean/NSDL).

Step 2: Select the DSC Type

Choose the configuration based on your needs:

  • Signing Only: Suitable if you only need to sign documents (e.g., MCA company registration, ITR, GST).
  • Signing & Encryption: Mandatory for e-Tendering and government bidding auctions.

Step 3: Complete Identity & Video Verification

  1. Input your PAN, Aadhaar number, email, and mobile number.
  2. Verify using Aadhaar-linked OTP.
  3. Record Video: Click the link sent to your phone to record a brief 20-second video. On-camera, you must read a statement showing your face, PAN card, and Aadhaar card clearly.

Step 4: Secure the Hardware USB Token (Cryptographic Token)

Once the CA verifies your video and documents, the DSC is approved.

  1. The digital signature certificate must be downloaded onto a secure, FIPS-compliant hardware USB cryptographic token (typically the ePass2003 Auto token).
  2. The USB token must be plugged into your computer whenever you need to digitally authorize forms or sign PDFs.

7. Comprehensive FAQ: Digital Signatures in India

1. What is a cryptographic USB token and why is it required?

A cryptographic USB token (like an ePass2003) is a physical, password-protected security hardware device. In India, the Controller of Certifying Authorities (CCA) mandates that private signing keys must never be stored directly on a computer hard drive, where they can be hacked or copied. Storing them on a cryptographic USB token ensures the private key cannot be exported or copied.

2. Can I use a digital signature on my mobile phone?

Generally, no. Standard Class 3 DSCs that reside on a physical USB hardware token require a computer USB port to run. However, for mobile-friendly signing, platforms like Aadhaar eSign allow citizens to sign documents remotely by entering an Aadhaar-linked OTP, which triggers a one-time digital signature in the cloud.

3. What is the validity of a Class 3 DSC?

In India, Class 3 DSCs can be issued with a validity of 1 Year, 2 Years, or 3 Years. Once the validity period expires, the certificate must be renewed through identity re-verification.

4. Can a single DSC be used for both personal and company work?

A Class 3 DSC is issued in the personal name of the individual.

  • Individual DSC: Contains your personal identity. It can be used for ITR filing, GST filing, and acting as a director/subscriber for company incorporation.
  • Organization DSC: Contains both your name and your company’s legal name. It is mandatory for company-specific actions like e-Tendering, customs, and corporate bidding.

5. What happens if I forget my USB token password?

The cryptographic USB token has a security feature: if you enter the wrong PIN/password 10 consecutive times, the token will lock and block access. You will have to use an admin key or return the token to your service partner to reset and re-download the certificate.

6. Can I copy the digital signature from one USB token to another?

No. By design, the private key stored inside a FIPS-compliant cryptographic USB token is non-exportable and write-protected. It cannot be copied, duplicated, or transferred to another device.

7. What is the difference between a Digital Signature and a Digital Signature Certificate (DSC)?

  • Digital Signature: The mathematical cryptographic technology used to sign and lock a document.
  • Digital Signature Certificate (DSC): The digital identity file issued to you by the Certifying Authority that validates your identity and links it to your public key.

8. How many documents can I sign with a single Class 3 DSC?

There is no limit. You can sign an unlimited number of PDFs, MCA forms, ITRs, and documents as long as your certificate remains active and valid.

9. What should I do if I lose my physical USB token?

If you lose your physical USB token, you must treat it like a lost credit card. Contact your certifying partner immediately to revoke/cancel the active certificate to prevent unauthorized use. You will then need to apply for a fresh Class 3 DSC.

10. Can I sign a scanned image of a document digitally?

Yes. You can digitally sign scanned JPEG or PDF documents. However, the signature only validates that the file has not been altered after the signature was applied. It does not validate the content written on the paper before scanning.

11. Is a digital signature accepted by foreign banks and embassies?

Yes. Standard Class 3 digital signatures in India use internationally recognized cryptographic formats (PKI, PAdES) that conform to global security standards, making them acceptable by foreign banks, embassies, and immigration agencies (like USCIS).

12. Can two directors share the same USB token for company work?

Absolutely not. Sharing a USB token is equivalent to sharing your handwritten signature. Every director must obtain their own unique Class 3 DSC in their own name to ensure individual accountability under corporate law.

13. What is a green checkmark on a signed PDF?

When you open a digitally signed PDF inside Adobe Acrobat Reader, the software automatically verifies the signature against global trust lists. If the signature is valid, it displays a “Signature Valid” green checkmark. If it shows a yellow question mark, it means you must add the certifying authority to your trusted identities list.

14. What are the key Certifying Authorities (CAs) in India?

Some of the most popular licensed CAs in India include:

  • eMudhra
  • Capricorn
  • VSign
  • Protean (NSDL)
  • Sify

15. Do I need to be physically present to get a Class 3 DSC?

No. The entire application and verification process is completely remote. You can complete the identity upload and record the video verification from your smartphone or laptop from the comfort of your home.


Conclusion: Securing Your Digital Corporate Identity

As business operations move toward a completely paperless future, understanding and utilizing digital signatures is no longer optional. It is an essential administrative tool that protects your corporate contracts from tampering, ensures your legal filings are approved without delay, and streamlines your offboarding and compliance workflows.

Securing a Class 3 DSC, selecting the correct hardware token, and managing the video verification process require professional support to prevent verification errors and application rejections.

At Kaagzaat, we help business owners, founders, and operators establish their secure corporate identity. From procuring Class 3 DSCs and USB tokens for your board of directors to managing company registrations, trademark applications, and annual ROC filings, our experienced CAs and CSs handle the paperwork so you can focus on building your startup.

Disclaimer: This guide is intended solely for educational purposes and does not represent professional legal counsel. Always consult with a qualified cybersecurity expert or corporate lawyer for specific legal advice.


About the Author

Kaagzaat Editorial

Kaagzaat Editorial is a senior contributor to the Kaagzaat Legal Team, specializing in business compliance and intellectual property law.
