Re: [ilugd] DSC Registration for efiling
I don't think the key gets uploaded to their site but only to the Java Applet which runs inside your browser and is only used to sign the document you are trying to upload.

Regards
-Tarun
___
Ilugd mailing list
Ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Re: [ilugd] DSC Registration for efiling
It is really strange that the income tax seeks the private key besides the public. This in effect nullifies authenticity vis-a-vis the whole concept of digitally signing document/ e-return. This issue should certainly be raised with income tax officials.

Kamal Dave
Advocate

On Mon, Aug 1, 2011 at 9:51 PM, Mahesh T. Pai paiva...@gmail.com wrote:

> Anand Shankar said on Sun, Jul 31, 2011 at 11:17:42AM +0530,:
>
> > Have any of you done your income tax efiling with digital signature?
>
> What is the cost of a signature authentication from a what-are-those-guys-called?
>
> > Strangely it asks you to register your digital signature certificate (DSC) before you proceed. That appears to be genuine that they want my CA certified Public Key and digital signature. What appears to be strange is that they are asking to upload the DSC through a .pfx file or the usb token. If you see the standards .pfx file is a pkcs12 file which contains the public key as well as the private key!! Am I wrong that innocent guys must have uploaded their private keys to the income tax department?
>
> Looks more like a case of misapplied standards - probably, non-free apps on non-free OSes (obviously) do not comply with the standards.
>
> > I wish to stand corrected.
>
> --
> Mahesh T. Pai || The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge. --Stephen Hawking
Re: [ilugd] DSC Registration for efiling
On Tue, Aug 2, 2011 at 1:20 PM, Kamal Dave kamal.dave@gmail.com wrote:

> This in effect nullifies authenticity vis-a-vis the whole concept of digitally signing document/ e-return. This issue should certainly be raised with income tax officials.

Don't you think news in paper will be more effective than dealing with official of IT department?

--
H.S.Rai
Re: [ilugd] DSC Registration for efiling
If any of you wish to write a feature on the same, I am willing to publish it on Hindustan Times.

Regards,
Shayon Pal
Twitter: @shayonpal http://twitter.com/shayonpal
Flickr: http://www.flickr.com/photos/shayon/
Mob: +91 99589 46497
BB PIN: 2373AA31

On Tue, Aug 2, 2011 at 4:00 PM, H.S.Rai hardeep@gmail.com wrote:

> On Tue, Aug 2, 2011 at 1:20 PM, Kamal Dave kamal.dave@gmail.com wrote:
>
> > This in effect nullifies authenticity vis-a-vis the whole concept of digitally signing document/ e-return. This issue should certainly be raised with income tax officials.
>
> Don't you think news in paper will be more effective than dealing with official of IT department?
>
> --
> H.S.Rai
Re: [ilugd] DSC Registration for efiling
On Sun, Jul 31, 2011 at 11:17 AM, Anand Shankar anandshankar.em...@gmail.com wrote:

> What appears to be strange is that they are asking to upload the DSC through a .pfx file or the usb token. If you see the standards .pfx file is a pkcs12 file which contains the public key as well as the private key!! Am I wrong that innocent guys must have uploaded their private keys to the income tax department? I wish to stand corrected.

Just took a closer look at http://hcpldsc.com/IT%20returns%20pdf/IT%20Return%20Without%20E-Token.pdf and it looks like although the private key is uploaded it still asks for its passphrase (shown with password dialog in pdf).

So, unless your private key isn't passphrase protected, you're really giving it away. I am still not comfortable to see that our key goes on that site; unless they are flushing out all keys after filing / like 24 hours. Any ideas anyone?

Hoping all DSCs, when created, are passphrase protected (I see a password written on my USB token :D) and I'm sure everyone in my CA's office knows my token password. FacePunch :X

--
Srikrishna Das (krish at irc.freenode.net)
Re: [ilugd] DSC Registration for efiling
On Tue, Aug 2, 2011 at 5:44 PM, krish wrote:

> > If you see the standards .pfx file is a pkcs12 file which contains the public key as well as the private key!! Am I wrong that innocent guys must have uploaded their private keys to the income tax department? I wish to stand corrected.
>
> Just took a closer look at http://hcpldsc.com/IT%20returns%20pdf/IT%20Return%20Without%20E-Token.pdf and it looks like although the private key is uploaded it still asks for its passphrase (shown with password dialog in pdf).

That's a good illustration of using a .pfx file for DSC registration. But come on, all those encrypted keys are being taken as secure with a simple password acting as the watchguard!! We all are too familiar with the secure password keeping and the simple default passwords kept by so many.

I still do not believe that a Private Key needs to be uploaded in any case. There is still something missing because Department of Income Tax has also published a writeup for registering DSCs.

https://incometaxindiaefiling.gov.in/portal/downloads10-11/itr/Procedure for Registration of Digital Signature and Upload of Income Tax Returns using Digital Signature.pdf

On Page 3 and 4 of this document they also mention the new Interoperability guidelines issued by CCA, Govt of India. In essence, what they say is that the DSC .pfx file should include the PAN number encrypted.

http://cca.gov.in/rw/resource/dsc_guidelines_r2_4.pdf?download=true

On Page 50 of this document it states, for the Serial Number Attribute of the end user DSC:

"This attribute should be populated with the SHA 256 hash of the PAN number of the end user. The hash must be calculated for the PAN number after deleting all leading and trailing blanks. In case PAN has not been provided, this field must be omitted"

It seems DSCs are still being issued without PAN encryption as required above, nor is there guidance as to how to do it. I am doubly sure that CCA can not make this mistake of approving uploading Private Keys. But perhaps there aren't as many technically aware users who tried this route, so might have erred in their procedure. I won't suggest jumping to a conclusion right away, but perhaps some more experienced users can throw some light.

Since I tried, there are some issues for the FOSS guys to take note of:

1. The site application requires Sun JRE. I ignored this, assuming that the applet can run based on Icedtea / openjdk that my Fedora 14 system has, is a good and acceptable FOSS alternate. It was able to successfully upload the DSC, but could not sign the XML. It generated an error stating "Unexpected error: netscape.javascript.JSObject cannot be cast to java.lang.String". On my Ubuntu 10.04 however, I couldn't even upload the DSC.

2. There is an excellent tool KeyManager, which is a Firefox addon [ https://addons.mozilla.org/en-US/firefox/addon/key-manager/ ]. This includes an excellent writeup on the whole process and is a must read.

Sudev: Please refer http://www.cryer.co.uk/file-types/p/pfx.htm for PFX primer. PFX and PKCS#12 are related, in fact the Wikipedia article on the subject PKCS says that PFX is a predecessor to PKCS#12. For more details: http://msdn.microsoft.com/en-us/library/ms867088.aspx Here it also says that you can export a .pfx file without the Private Key.

End of the day, it still seems, implementations of digital signing of Web based forms need to have a closer look for safety, and more User Friendly documents need to be in place.

anand
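The serialNumber rule quoted in the message above, as an added example that is not part of the original post or of any official tool: it hashes a PAN the way the quoted guideline text describes and compares the result with the serialNumber attribute of a certificate subject line. The sample PAN, the comma-separated subject format, UTF-8 encoding of the PAN and hex encoding of the hash are assumptions.

```python
import hashlib

def pan_hash(pan: str) -> str:
    """SHA-256 (hex) of the PAN after deleting leading and trailing blanks."""
    # Assumption: the PAN is hashed as its UTF-8 bytes; the quoted guideline
    # text only specifies trimming blanks.
    return hashlib.sha256(pan.strip(" ").encode("utf-8")).hexdigest()

def subject_attributes(subject: str) -> dict:
    """Split a 'key=value, key=value' subject line into a dict.

    Assumption: simple comma-separated form with no escaped commas, which
    is enough for the constructed samples below.
    """
    attrs = {}
    for part in subject.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs

def check_pan_binding(subject: str, pan: str) -> str:
    """Return 'match', 'mismatch' or 'absent' for the serialNumber attribute."""
    serial = subject_attributes(subject).get("serialnumber")
    if serial is None:
        # Per the quoted text, the field is omitted when no PAN was provided.
        return "absent"
    # Assumption: the hash is stored as hex text; compare case-insensitively.
    return "match" if serial.lower() == pan_hash(pan) else "mismatch"

# Constructed sample data: the PAN and both subject lines are made up.
SAMPLE_PAN = "ABCDE1234F"
SUBJECT_WITH_PAN = (
    "CN=Constructed Holder, serialNumber="
    + pan_hash(SAMPLE_PAN).upper()
    + ", O=Personal, C=IN"
)
SUBJECT_WITHOUT_PAN = "CN=Constructed Holder, O=Personal, C=IN"

if __name__ == "__main__":
    print(check_pan_binding(SUBJECT_WITH_PAN, "  ABCDE1234F "))
    print(check_pan_binding(SUBJECT_WITH_PAN, "ZZZZZ9999Z"))
    print(check_pan_binding(SUBJECT_WITHOUT_PAN, SAMPLE_PAN))
```

The subject line of a real certificate can be copied from any certificate viewer; only the public certificate is needed for this check, not the private key.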
Re: [ilugd] DSC Registration for efiling
Anand Shankar said on Sun, Jul 31, 2011 at 11:17:42AM +0530,:

> Have any of you done your income tax efiling with digital signature?

What is the cost of a signature authentication from a what-are-those-guys-called?

> Strangely it asks you to register your digital signature certificate (DSC) before you proceed. That appears to be genuine that they want my CA certified Public Key and digital signature. What appears to be strange is that they are asking to upload the DSC through a .pfx file or the usb token. If you see the standards .pfx file is a pkcs12 file which contains the public key as well as the private key!! Am I wrong that innocent guys must have uploaded their private keys to the income tax department?

Looks more like a case of misapplied standards - probably, non-free apps on non-free OSes (obviously) do not comply with the standards.

> I wish to stand corrected.

--
Mahesh T. Pai || The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge. --Stephen Hawking
Re: [ilugd] DSC Registration for efiling
Wouldn't be surprised if they expect you to give up your private key, it would be rather typical :)

On Sun, Jul 31, 2011 at 11:17 AM, Anand Shankar anandshankar.em...@gmail.com wrote:

> Have any of you done your income tax efiling with digital signature?
>
> Strangely it asks you to register your digital signature certificate (DSC) before you proceed. That appears to be genuine that they want my CA certified Public Key and digital signature. What appears to be strange is that they are asking to upload the DSC through a .pfx file or the usb token. If you see the standards .pfx file is a pkcs12 file which contains the public key as well as the private key!! Am I wrong that innocent guys must have uploaded their private keys to the income tax department?
>
> I wish to stand corrected.
>
> Anand
>
> --
> Sent from my mobile device

--
What happens when an unstoppable force meets an immovable object? One of them has its illusions dispelled

Arjun Venkatraman
E-mail: ar...@arjunvenkatraman.com
Mob (US): +1 (650) 924-2751
Mob (IN): +91 9811142825
Arjun Online: http://www.arjunvenkatraman.com
[ilugd] DSC Registration for efiling
Have any of you done your income tax efiling with digital signature?

Strangely it asks you to register your digital signature certificate (DSC) before you proceed. That appears to be genuine that they want my CA certified Public Key and digital signature. What appears to be strange is that they are asking to upload the DSC through a .pfx file or the usb token. If you see the standards .pfx file is a pkcs12 file which contains the public key as well as the private key!! Am I wrong that innocent guys must have uploaded their private keys to the income tax department?

I wish to stand corrected.

Anand

--
Sent from my mobile device