In accordance with section 20 (1) of the Electronic
Transactions Ordinance (Cap. 553) ("Ordinance"), certification
authorities ("CA") may seek recognition from the Government Chief Information Officer ("GCIO"). On application
by a CA, the GCIO may grant recognition under the Ordinance
to the CA and to all certificates, or a particular type,
class or description of certificates or a particular certificate
issued or to be issued by the CA.
Recognition shall only be granted to those
CAs that have achieved a standard acceptable to the Government
of the Hong Kong Special Administrative Region.
Section 21(4) of the Ordinance states that in determining
whether the applicant is suitable for recognition, the GCIO
shall, in addition to any other matter the GCIO considers
relevant, take into account the following -
- whether the applicant has the appropriate financial status
for operating as a recognized CA in accordance with the Ordinance
and the Code
of Practice for Recognized Certification Authorities ("Code of Practice");
- the arrangements put in place or proposed to be put in
place by the applicant to cover any liability that may
arise from its activities relevant for the purposes of
the Ordinance;
- the system, procedure, security arrangements and standards
used or proposed to be used by the applicant to issue
certificates to subscribers;
- the report, referred to in section 20(3)(b) of the Ordinance, which contains an assessment as to whether the applicant is capable of complying with the provisions of the Ordinance and of the Code of Practice as are specified in the Code of Practice (such provisions are specified under paragraph 1 of Appendix 2 of the Code of Practice); or
the statutory declaration, referred to in section 20(3)(c) of the Ordinance, which states whether the applicant is capable of complying with the provisions of the Ordinance and of the Code of Practice as are specified in the Code of Practice (such provisions are specified under paragraph 2 of Appendix 2 of the Code of Practice);
- whether the applicant and its responsible officers are
fit and proper persons; and
- the reliance limits set or proposed to be set by the
applicant for its certificates.
The assessment report
Section 20(3)(b) of the Ordinance states
that a CA applying for recognition must furnish to the GCIO
a report containing an assessment as to whether the CA is
capable of complying with the provisions of the Ordinance and of the Code of Practice as are specified in the Code of Practice (such provisions are specified under paragraph 1 of Appendix 2 of the Code of Practice). The report shall
be prepared by a person approved by the GCIO as being
qualified to make such a report. Qualifications of the person
are set out in section 12 of the Code
of Practice. A CA shall apply in writing to the GCIO
for approval that the person whom the CA intends to engage
for the preparation of an assessment report is a qualified
person under the Ordinance, and furnish the GCIO with
the required documents and information
in respect of the application.
Validity period for recognition of a CA
The validity period for recognition of a
CA will normally be two years. The recognized CA may apply
to the GCIO for renewal of the recognition. In accordance
with section 27(2) of the Ordinance, an application for renewal
must be made at least 30 days before but not earlier than
60 days before the expiry of the period of validity of the
recognition.
Recognition of certificates
A recognized CA may apply to the GCIO
for recognition of some or all of its certificates. If the
CA is not yet a recognized CA, the CA shall submit an application
for recognition for itself as well as for its certificates.
The recognition of the certificates will only be considered
after the GCIO has granted recognition to the CA concerned.
In general, as long as a recognized CA maintains
its recognition status, the recognition status of a recognized
certificate issued by the recognized CA will not change provided
that the relevant certification practice statement (CPS),
including the relevant certificate policy that governs the
recognized certificate, has not materially changed.
Section 22(5) of the Ordinance states that
for the recognition of a particular certificate or a type,
class or description of certificates, the GCIO shall,
in addition to any other matter the GCIO considers relevant,
take into account the following -
- whether the certificate(s) are issued in accordance with
the recognized CA's CPS;
- whether the certificate(s) are issued in accordance with
the Code of Practice;
- the reliance limit set or proposed to be set for that
particular certificate, or that type, class or description
of certificates, as the case may require; and
- the arrangements put in place or proposed to be put in
place by the recognized CA to cover any liability that
may arise from the issue of that particular certificate,
or that type, class or description of certificates, as
the case may be.
Recognition of CAs and certificates is governed under relevant
provisions of the Ordinance.
Note:
The information in this web page is not intended
to affect your rights and obligations. It is not intended
to be relied upon as a statement of the legal position and
you should consult your legal adviser before acting upon the
information.