OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for Digi-Sign Certification Services Limited

(This is page 2 of the disclosure record for Digi-Sign Certification Services Limited ("Digi-Sign") maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance"). Page 1 of the disclosure record is published separately.)

Assessment Report (26 July 2001 - 31 May 2002)

Digi-Sign became a recognized certification authority ("CA") under the Ordinance on 26 July 2001. In accordance with section 43(1) of the Ordinance, Digi-Sign must furnish to the GCIO an assessment report in respect of its CA services at least once in every 12 months.

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for Digi-Sign the date of and the material information in the assessment report. Only those parts of the report containing material information are herewith published.

A. Date of the Report

  • The date of the report is 25 June 2002.

B. Material Information

  1. The assessment report is prepared by the assessor for the period between 26 July 2001 and 31 May 2002.

Recognized CA Operation

  2. Apart from the exceptions identified in the assessment report and set out in paragraph 7 below, the assessor has concluded that, in all material respects:
    (a) the management assertions by Digi-Sign in respect of Digi-Sign's compliance with the sections of the Code of Practice for Recognized Certification Authorities ("Code of Practice") set out in Part 3A of Appendix 3 to Practice Note 870 published by the Hong Kong Society of Accountants, for the period from 26 July 2001 to 31 May 2002, are reasonable. In particular, Digi-Sign has:
      (i) disclosed its business practices in its Certification Practice Statements ("CPS") in accordance with the Ordinance and the Code of Practice, and provided its services in accordance with its disclosed business practices;
      (ii) complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      (iii) complied with the requirements in respect of recognition of its certificates in accordance with sections 36, 38, 39 and 40 of the Ordinance and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Digi-Sign's compliance with the sections of the Code of Practice set out in Part 3B of Appendix 3 to Practice Note 870, for the period from 26 July 2001 to 31 May 2002, are not reasonable; and
    (c) based on the conclusions drawn in (a) and (b) above, the management assertions in respect of Digi-Sign's compliance with the provisions of the Ordinance applicable to a recognized CA, for the period from 26 July 2001 to 31 May 2002, are reasonable.

Financial projections

  3. In the assessor's opinion, in all material respects:
    (a) the accounting policies on which Digi-Sign's cashflow projections and financial position forecasts for the period from 1 May 2002 to 30 June 2003, and its projection of operating costs for the period from 1 May 2002 to 31 July 2002 (in each case in respect of Digi-Sign's operations relevant under the Ordinance), are based are consistent with those normally adopted by Digi-Sign and conform with generally accepted accounting principles adopted in Hong Kong; and
    (b) the financial projections have been properly compiled on the basis of the assumptions made by the management of Digi-Sign.
  4. The net current assets shown in the unaudited management accounts of Digi-Sign for the period ended 30 April 2002 exceed the 90-day projection of operating costs for the period from 1 May 2002 to 31 July 2002.
  5. The assessor has not carried out any verification work on the unaudited management accounts of Digi-Sign.

Potential liabilities

  6. In the assessor's opinion, in all material respects, the management assertions that Digi-Sign has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issue of certificates are reasonable.

Exceptions

  7. The assessor noted the following exceptions as incidents of non-compliance with the provisions of the Ordinance applicable to a recognized CA and with the Code of Practice. Digi-Sign's response to each exception is as documented in the assessment report or as subsequently reported by Digi-Sign.

    (i) Exception: There were 38 incidents where the time-stamps of receipt of ID-Cert Revocation Requests were missing. The Certification Practice Statement (version 1.9) of Digi-Sign states that "Digi-Sign will keep records of the time and date of receipt of a revocation request, and endeavour to process the revocation before the end of the next working day of its receipt at the Digi-Sign Office."
        Response of Digi-Sign: Digi-Sign confirmed that for all 38 incidents, action was taken to ensure that the certificates involved were properly revoked and published on the Certificate Revocation List (CRL). The staff members of Digi-Sign assigned to time-stamp all incoming correspondence from customers have been reminded to exercise more care in carrying out the procedures laid down, and their supervisor has also instituted closer scrutiny.

    (ii) Exception: Digi-Sign did not publish its CRL on non-working days during the period from 26 July 2001 to 20 November 2001, whereas the CPS requires Digi-Sign to update the CRL daily.
        Response of Digi-Sign: Digi-Sign confirmed that it has fully complied with its obligation under the CPS to publish the CRL daily since 21 November 2001.

    (iii) Exception: Digi-Sign failed to conduct regular testing of its Business Continuity Plan (BCP) during the period assessed. According to Digi-Sign's BCP, testing of the plan is to be conducted at 6-monthly intervals.
        Response of Digi-Sign: Digi-Sign confirmed that all the items stated in its BCP had been fulfilled after conducting an IT production system failure rehearsal in June 2002 and a drill on CA key compromise in August 2002. Digi-Sign will conduct disaster recovery drills on a regular basis as stated in its BCP.
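The first two exceptions are controls that an assessor, or the CA's own compliance function, can check mechanically from the CA's records: every revocation request must carry a receipt time-stamp and be processed by the end of the next working day, and a CRL must be issued every calendar day, non-working days included. The script below is an added example of such a check and is not part of the disclosure record or of Digi-Sign's own tooling. The two log formats, the sample entries and the Monday-to-Friday working week are constructed for illustration only; in practice the CRL dates would be read from the thisUpdate field of each archived CRL rather than from a publication log.

```python
from datetime import datetime, timedelta

# Constructed sample records (not taken from the assessment report).
# Revocation-request log, one request per line:
#   request id, time of receipt at the CA office (empty when the clerk
#   failed to time-stamp it), time the certificate was placed on the CRL.
REVOCATION_LOG = """\
REQ-001,2001-11-12T10:00,2001-11-13T15:00
REQ-002,,2001-11-13T15:00
REQ-003,2001-11-16T16:30,2001-11-20T09:00
REQ-004,2001-11-16T16:30,2001-11-19T11:00
"""

# CRL publication log, one line per CRL issued (its thisUpdate value).
# 17 and 18 November 2001 were a Saturday and a Sunday; no CRL was issued.
CRL_LOG = """\
2001-11-12T09:00
2001-11-13T09:00
2001-11-14T09:00
2001-11-15T09:00
2001-11-16T09:00
2001-11-19T09:00
"""


def parse_requests(log):
    """Parse the constructed revocation-request log into dicts."""
    requests = []
    for line in log.splitlines():
        if not line.strip():
            continue
        req_id, received, revoked = line.split(",")
        requests.append({
            "id": req_id,
            "received": datetime.fromisoformat(received) if received else None,
            "revoked": datetime.fromisoformat(revoked),
        })
    return requests


def parse_crl_log(log):
    """Parse the constructed CRL publication log into datetimes."""
    return [datetime.fromisoformat(l) for l in log.splitlines() if l.strip()]


def end_of_next_working_day(received):
    """Deadline implied by the CPS wording 'before the end of the next
    working day of its receipt'. Assumption: working days are Monday to
    Friday and there are no public holidays in the sample period."""
    day = received.date() + timedelta(days=1)
    while day.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return datetime.combine(day, datetime.max.time())


def audit_revocation_requests(requests):
    """Exception (i): requests with no receipt time-stamp, and requests whose
    revocation missed the next-working-day deadline. A request without a
    receipt time-stamp cannot be tested against the deadline at all."""
    missing = [r["id"] for r in requests if r["received"] is None]
    late = [r["id"] for r in requests
            if r["received"] is not None
            and r["revoked"] > end_of_next_working_day(r["received"])]
    return {"missing_timestamp": missing, "revoked_late": late}


def missing_crl_days(publications, first_day, last_day):
    """Exception (ii): calendar days in [first_day, last_day] on which no CRL
    was issued. The CPS requires a daily CRL, so weekends count."""
    published = {p.date() for p in publications}
    gaps = []
    day = first_day
    while day <= last_day:
        if day not in published:
            gaps.append(day.isoformat())
        day += timedelta(days=1)
    return gaps


def run_audit():
    """Run both checks over the constructed logs and return the findings."""
    requests = parse_requests(REVOCATION_LOG)
    crls = parse_crl_log(CRL_LOG)
    return {
        **audit_revocation_requests(requests),
        "days_without_crl": missing_crl_days(crls, min(crls).date(), max(crls).date()),
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items}")
```

On the sample data the audit reports REQ-002 as lacking a receipt time-stamp, REQ-003 as revoked after the end of the next working day (received on a Friday afternoon, revoked on the following Tuesday), and 17 and 18 November 2001 as days without a CRL. The missing time-stamp is the more serious of the two request findings: it is not merely a clerical defect, because without a receipt time the next-working-day commitment cannot be verified for that request, which is why the assessor reports it as non-compliance rather than as a processing delay.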