| Introduction |
|
An Authentication Service Agency (ASA) is any entity that transmits authentication requests to the Central Identities Data Repository (CIDR) on behalf of one or more Authentication User Agencies (AUAs). ASAs act as enabling intermediaries: they maintain an established secure connection with the CIDR, convey AUAs' authentication requests to it, receive the CIDR's response and transmit that response back to the AUA.
|
|
ASA Eligibility Criteria
The agency should either be
- A Central/ State Government Ministry / Department or an undertaking owned and managed by Central / State Government OR
- An Authority constituted under the Central / State Act OR
- A Not-for-profit company / Special Purpose organization of national importance OR
- A company registered in India under the Indian Companies Act 1956 meeting the following requirements:
  - Financial capabilities – An annual turnover of at least Rs. 100 crores in last three financial years, and
  - Technical capabilities:
    - A Telecom Service Provider (TSP) operating pan India fibre optics network and should have a minimum of 100 MPLS Points of Presence (PoP) across all states OR
    - Should be a Network Service Provider (NSP) capable of providing network connectivity for data, voice transmission and should have an agreement with the TSP having 100 MPLS PoPs OR
    - System Integrator having necessary arrangement with TSP/NSP as described above
- The agency should not have been blacklisted by Central / State Governments / PSUs of Central / State Governments in the last five years
The agency should give an undertaking and demonstrate the capability to design, configure, implement and maintain the infrastructure and systems required for an ASA as per UIDAI’s specifications, and certify that the necessary human resources with requisite skills are in place to perform the functions required of an ASA.
The decision of UIDAI regarding engagement of ASA shall be final.
|
|
Examples of ASAs:
- An agency such as National Payments Corporation of India (NPCI) that is currently mandated as the umbrella organisation to operate the retail payment systems in the country
- DIT/NIC that provides connectivity solutions to various Central and State Government ministries / departments
- Telecom carriers, depository bodies etc. that provide related services to multiple organizations
|
| ASA Readiness Stages |
- Fill online application form - Any agency interested in becoming an ASA needs to apply online. UIDAI has an online workflow-based application form for engaging with ASAs.
- Send signed contract and supporting documents to UIDAI - The ASA should send a hard copy of the signed contract along with the required supporting documents to UIDAI. The online application would be approved by UIDAI upon receipt of the required documents.
- Establish leased line connectivity with CIDR - The ASA needs to draw secure leased line connectivity from its data centre to the CIDR. The ASA should plan bandwidth, redundancy etc. based on its business requirements.
- Ensure process and technology compliance - The ASA needs to set up the necessary systems, processes, infrastructure etc. in compliance with UIDAI’s standards and specifications. Compliance with the various requirements needs to be confirmed to UIDAI through the online application form.
- Obtain approvals from UIDAI - UIDAI would approve an ASA’s application form when the various compliance requirements are met. An ASA should engage with UIDAI during the process and provide the required clarifications.
- Carry out end-to-end testing - Approval from UIDAI allows an ASA to carry out end-to-end testing of its connectivity with the CIDR. Before going live, it is highly recommended that an ASA works with an AUA to carry out end-to-end testing of the connectivity from devices to AUA to ASA to CIDR and of the reverse response communication. An ASA should also carry out load testing to ensure bandwidth adequacy. The ASA would also need to get the systems related to Aadhaar authentication audited by information systems auditors certified by a recognized body before going live.
- Go-live - An ASA can go live after confirmation of adherence to all of UIDAI’s standards and specifications. UIDAI plans to manage this through the online workflow-based application. In addition, an ASA can transmit an authentication packet only after it engages with an AUA.
- Engage with AUAs - An ASA may enter into a formal contract with the AUAs it supports. UIDAI has a set of proposed guidelines that may be included in the contract between an ASA and an AUA. However, the contract (and commercial terms, if any) between an ASA and an AUA is at the sole discretion of the signing parties and UIDAI does not have any responsibilities regarding the same. Similarly, if an ASA provides any value-added services to an AUA over and above Aadhaar authentication, UIDAI will not be party to any such services.
|
| Key ASA Responsibilities |
- Ensure compliance of authentication related operations (processes, technology, security, etc.) to UIDAI’s standards and specifications.
- Log and maintain details of all authentication transactions.
- Get its operations and systems related to Aadhaar Authentication audited as per UIDAI’s specifications.
- Perform basic checks on the authentication input and forward it to CIDR.
- Transmit the result of the authentication transaction received from CIDR to the AUA that has placed the request.
- Inform UIDAI of the engagement/disengagement of AUAs that it serves.
- Inform UIDAI of any misuse of Aadhaar data, authentication services, or any compromise of Aadhaar related data or systems.
|
|
Mandatory Security Requirements
- ASA can connect to the CIDR only through a leased line.
- The metadata and the responses should be logged for audit purposes.
- The encrypted PID block and license keys that arrive as part of an authentication packet should never be stored anywhere in the ASA's systems.
- The network between AUA and ASA should be secure.
|
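The two logging requirements above (log metadata and responses, never store the encrypted PID block or license key) can be enforced with an allowlist at the point where the audit record is built. The following Python code is an added example, not UIDAI code; the element and attribute names (`Auth`, `lk`, `Meta`, `Skey`, `Data`, `Hmac`), the response value and the sample packet are assumptions constructed for illustration, since this page does not define the packet format.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample packet. Element and attribute names are assumptions
# made for this example; the page does not define the packet format.
SAMPLE_PACKET = """<Auth txn="TXN-0001" ac="AUA001" sa="ASA001" ver="1.0" lk="CONSTRUCTED-LICENSE-KEY">
  <Meta udc="DEVICE-42"/>
  <Skey>Q09OU1RSVUNURUQtU0VTU0lPTi1LRVk=</Skey>
  <Data>Q09OU1RSVUNURUQtUElELUJMT0NL</Data>
  <Hmac>Q09OU1RSVUNURUQtSE1BQw==</Hmac>
</Auth>"""

# Allowlist: only these metadata fields may reach the audit log.
# Anything not listed (license key, PID block, session key, HMAC) is dropped.
LOGGED_ATTRS = ("txn", "ac", "sa", "ver")
LOGGED_META_ATTRS = ("udc",)
# Fields the requirement names explicitly as never to be stored.
FORBIDDEN_ATTRS = ("lk",)        # license key (assumed attribute name)
FORBIDDEN_ELEMENTS = ("Data",)   # encrypted PID block (assumed element name)


def audit_record(packet_xml, response_code):
    """Build the audit entry from allowlisted metadata plus the response."""
    root = ET.fromstring(packet_xml)
    record = {a: root.get(a) for a in LOGGED_ATTRS if root.get(a)}
    meta = root.find("Meta")
    if meta is not None:
        record["meta"] = {k: meta.get(k) for k in LOGGED_META_ATTRS if meta.get(k)}
    record["response"] = response_code
    return record


def forbidden_values(packet_xml):
    """Collect the never-store values of a packet, for a pre-write check."""
    root = ET.fromstring(packet_xml)
    values = [root.get(a) for a in FORBIDDEN_ATTRS if root.get(a)]
    for tag in FORBIDDEN_ELEMENTS:
        values += [el.text.strip() for el in root.iter(tag) if el.text]
    return values


def safe_to_store(serialized_line, packet_xml):
    """True only if no never-store value appears in the line to be written."""
    return not any(v in serialized_line for v in forbidden_values(packet_xml))


if __name__ == "__main__":
    line = json.dumps(audit_record(SAMPLE_PACKET, "y"), sort_keys=True)
    print(line, safe_to_store(line, SAMPLE_PACKET))
```

Running `safe_to_store` on every line just before it is written catches the common failure where a debug or error path dumps the raw request into the same log.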