On Tue, Aug 2, 2011 at 5:44 PM, krish  wrote:
>> If you see the standards, a .pfx file is a PKCS#12 file which contains the
>> public key as well as the private key!!
>> Am I wrong that innocent guys must have uploaded their private keys to
>> the income tax department?
>>
>> I wish to stand corrected.
>>
>
> Just took a closer look at
> http://hcpldsc.com/IT%20returns%20pdf/IT%20Return%20Without%20E-Token.pdf
> and it looks like although the private key is uploaded it still asks
> for its passphrase ( shown with password dialog in pdf )

That's a good illustration of using a .pfx file for DSC registration.

But come on, all those encrypted keys are being taken as secure with a
simple password acting as the watchguard!! We are all too familiar
with secure password keeping and the simple default passwords kept
by so many.

I still do not believe that a Private Key needs to be uploaded in any case.

There is still something missing because Department of Income Tax has
also published a writeup for registering DSCs.

https://incometaxindiaefiling.gov.in/portal/downloads10-11/itr/"Procedure for Registration of Digital Signature and Upload of Income Tax Returns using Digital Signature.pdf"

On Page 3 and 4 of this document they also mention the new
Interoperability guidelines issued by CCA, Govt of India. In essence,
what they say is that the DSC .pfx file should include the PAN number
encrypted.

http://cca.gov.in/rw/resource/dsc_guidelines_r2_4.pdf?download=true

On Page 50 of this document it states, for the Serial Number Attribute
of the end user DSC:

"This attribute should be populated with the SHA 256 hash of the PAN
number of the end user. The hash must be calculated for the PAN number
after deleting all leading and trailing blanks. In case PAN has not
been provided, this field must be omitted"

It seems DSCs are still being issued without the PAN encryption
required above, nor is there guidance as to how to do it.

I am doubly sure that CCA cannot make this mistake of approving
uploading private keys. But perhaps there aren't as many technically
aware users who tried this route, so they might have erred in their
procedure.

I won't suggest jumping to a conclusion right away, but perhaps some
more experienced users can throw some light.

Since I tried, there are some issues for the FOSS guys to take note of:

1. The site application requires Sun JRE. I ignored this, assuming
that the applet could run on the IcedTea / OpenJDK that my Fedora 14
system has, which is a good and acceptable FOSS alternative. It was able to
successfully upload the DSC, but could not sign the XML. It generated
an error stating "Unexpected error: netscape.javascript.JSObject
cannot be cast to java.lang.String". On my Ubuntu 10.04, however, I
couldn't even upload the DSC.

2. There is an excellent tool, KeyManager, which is a Firefox add-on [
https://addons.mozilla.org/en-US/firefox/addon/key-manager/ ]. This
includes an excellent writeup on the whole process and is a must read.

Sudev:

Please refer http://www.cryer.co.uk/file-types/p/pfx.htm for PFX
primer. PFX and PKCS#12 are related, in fact the Wikipedia article on
the subject PKCS says that PFX is a predecessor to PKCS#12.

For more details:

http://msdn.microsoft.com/en-us/library/ms867088.aspx

Here it also says that you can export a .pfx file without the Private Key.


At the end of the day, it still seems that implementations of digital signing of
web-based forms need a closer look for safety, and more
"user friendly" documents need to be in place.

anand

_______________________________________________
Ilugd mailing list
Ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
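The serialNumber rule quoted from the CCA interoperability guidelines above (SHA-256 of the PAN after deleting leading and trailing blanks, attribute omitted when no PAN is provided) is concrete enough to implement and to check against a certificate's subject. The following is an added example, not code from the thread or from any CCA or income tax department tool. It assumes the digest is written as lowercase hex (the quoted guideline does not state the encoding), that the subject is given as an OpenSSL-style one-line string such as `CN=..., serialNumber=..., C=IN`, and the PAN `ABCDE1234F` is a constructed dummy value.

```python
import hashlib
import hmac
from typing import Dict, Optional


def cca_serial_number(pan: Optional[str]) -> Optional[str]:
    """Value the CCA guideline says the end-user DSC's serialNumber
    attribute should carry: SHA-256 of the PAN after deleting leading and
    trailing blanks. Returns None when no PAN was provided, meaning the
    attribute must be omitted altogether.

    Assumption (not stated in the quoted guideline): the digest is
    encoded as lowercase hex."""
    if pan is None:
        return None
    # Only leading/trailing blanks are deleted; internal blanks are kept,
    # because the rule says nothing about them.
    trimmed = pan.strip(" ")
    if trimmed == "":
        return None
    return hashlib.sha256(trimmed.encode("utf-8")).hexdigest()


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse a one-line subject like 'CN=Anand, serialNumber=ab12..., C=IN'
    into a dict. Constructed helper for this example; it does not handle
    escaped commas or multi-valued RDNs."""
    attrs: Dict[str, str] = {}
    for part in subject.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def check_dsc_subject(subject: str, pan: Optional[str]) -> str:
    """Compare a certificate subject against the PAN rule.

    Returns one of:
      'ok'         - attribute matches the PAN, or PAN absent and attribute absent
      'missing'    - PAN given but the serialNumber attribute is absent
      'mismatch'   - attribute present but not the hash of this PAN
      'unexpected' - no PAN given, yet the attribute is present
    """
    present = parse_subject(subject).get("serialNumber")
    expected = cca_serial_number(pan)
    if expected is None:
        return "ok" if present is None else "unexpected"
    if present is None:
        return "missing"
    # Case-insensitive hex comparison, done in constant time out of habit.
    if hmac.compare_digest(present.lower(), expected):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed dummy PAN and subject; not real data.
    pan = "  ABCDE1234F "
    digest = cca_serial_number(pan)
    subject = "CN=Test User, serialNumber=%s, C=IN" % digest
    print("serialNumber should be:", digest)
    print("certificate check:", check_dsc_subject(subject, pan))
    print("without attribute:", check_dsc_subject("CN=Test User, C=IN", pan))
```

To apply it to a real DSC, feed `check_dsc_subject` the subject line printed by `openssl x509 -noout -subject` on the user certificate extracted from the .pfx, together with the holder's PAN; a result of "missing" is exactly the situation described above, where DSCs are issued without the PAN hash.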
