Disclosure Records of Recognized Certification Authorities

Disclosure Record for Digi-Sign Certification Services Limited

(This is page 11 of the disclosure record for Digi-Sign Certification Services Limited ("Digi-Sign") maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance"). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration in respect of the Issuance of Organizational ID-Cert Class 5 Certificate

Digi-Sign planned to issue a new type of organizational certificate called Organizational ID-Cert Class 5 certificate. The issuance of Organizational ID-Cert Class 5 certificate would involve a) enhancements to the CA Administration System, b) different procedures to process the certificate application, c) different procedures to verify the identity of the new entities (i.e. Authorized Representative and Authorized User), d) different ways to issue and accept the certificate by the subscriber and e) different initiator for certification revocation.

The GCIO considered that the changes as set out in the preceding paragraph as major changes. In this light, the GCIO had, by notice given to Digi-Sign, required Digi-Sign to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the Ordinance. In this connection, Digi-Sign arranged the preparation of an assessment report produced by an independent assessor as well as furnished a statutory declaration made by a responsible officer of Digi-Sign in respect of the issuance of Organizational ID-Cert Class 5 certificate.

In accordance with section 43A(3) of the Ordinance, the GCIO must publish in the disclosure record for Digi-Sign as a recognized certification authority ("CA") the dates of and the material information in the assessment report and statutory declaration on the CA services of Digi-Sign. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

(A)  Date of the Report

• The date of the report is 12 October 2005.

(B)  Material Information

     Recognized CA Practices

1. In the assessor's opinion, having regard to Digi-Sign's planned issuance of Organizational ID-Cert Class 5 certificate, in all material respects,

   1. the management assertions in respect of Digi-Sign's capability to comply with the sections of the Code of Practice (see Note 1) set out in Appendix III (see Note 2) of the assessment report as at the date of assessment, 7 October 2005, are reasonable. In particular, Digi-Sign is capable of:

      1. disclosing its business practices in its CPS (see Note 3) in accordance with the Ordinance and the Code of Practice and providing its services in accordance with its disclosed business practices;

      2. complying with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and

      3. complying with the requirements in respect of recognition of its certificates in accordance with sections 36, 39, 40, 44 and 45(1) of the Ordinance and the Code of Practice;

   2. no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Digi-Sign's capability to comply with the sections of the Code of Practice set out in Appendix IV (see Note 4) of the assessment report as at the date of assessment, 7 October 2005, are not reasonable; and

   3. based on the conclusions drawn in paragraphs (a) and (b) above, the management assertions in respect of Digi-Sign's capability to comply with the provisions of the Ordinance applicable to a recognized CA are reasonable.

   Potential Liabilities

2. In the assessor's opinion, in all material respects, the management assertions that Digi-Sign has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issuance of certificates are reasonable.

(C)  Additional Material Information Provided by the Assessor

• The assessor confirmed that the assessment has covered the provisions of the Ordinance and of the Code of Practice which have not been explicitly mentioned in the assessment report. Furthermore, the assessor has also confirmed that, after reviewing these provisions, they considered that these provisions would not cause any impact to the conclusion in the assessment report.

Statutory Declaration

(A)  Date of the Declaration

• The date of the declaration is 7 October 2005.

(B)  Material Information

• Having regard to Digi-Sign's planned issuance of Organizational ID-Cert Class 5 certificate, a responsible officer of Digi-Sign verily believed that Digi-Sign was capable of complying with the provisions of the Ordinance and the Code of Practice, as specified in paragraph 2 of Annex II of the GCIO notice (see Note 5).

Notes

1. Code of Practice for Recognized Certification Authorities published by the GCIO under section 33 of the Ordinance.

2. The Appendix III of the assessment report is extracted as follows:

   Relevant Provisions of the Code of Practice General Responsibilities of a Recognized CA: Paragraphs 3.2, 3.5 and 3.8. Certificate Practice Statement: Paragraphs 4.1 to 4.6 inclusive, 4.8 to 4.10 inclusive, 4.12 and 4.13. Trustworthy System: Paragraphs 5.1, 5.6, 5.7, 5.9, 5.10, 5.12 to 5.15 inclusive and 5.19 to 5.21 inclusive. Certificates and Recognized Certificates: Paragraphs 6.1 to 6.8 inclusive and 6.10 to 6.23 inclusive. Verification of Subscriber's Identity: Paragraphs 7.1 and 7.2. Reliance Limit and Liability Cover: Paragraphs 8.1 and 8.2. Repositories: Paragraphs 9.1, 9.3 and 9.5. Disclosure of Information: Paragraph 10.1. Inter-operability: Paragraph 15.2. All paragraphs in Appendix 1 of the Code of Practice.

3. Certification practice statement.

4. The Appendix IV of the assessment report is extracted as follows:

   Relevant Provisions of the Code of Practice General Responsibilities of a Recognized CA: Paragraphs 3.3 and 3.6. Trustworthy System: Paragraphs 5.11, 5.16 and 5.17. Reliance Limit and Liability Cover: Paragraphs 8.3 and 8.4. Repositories: Paragraphs 9.2 and 9.4. Inter-operability: Paragraph 15.1.

5. Paragraph 2 of Annex II of the GCIO notice is reproduced below for reference:
    

   2	For the purpose of section 43A(1)(d)(i) of the Ordinance
   2.1	A responsible officer of Digi-Sign Certification Services Limited ("Digi-Sign") shall make a statutory declaration which states that, having regard to the major change that will occur, Digi-Sign is capable of complying with the following provisions of the Ordinance. Part VII - Recognition of CAs and Certificates by GCIO: Section 21(4)(e).
   2.2	A responsible officer of Digi-Sign shall make a statutory declaration which states that, having regard to the major change that will occur, Digi-Sign is capable of complying with the following provisions of the Code of Practice. General Responsibilities of a Recognized CA: Paragraphs 3.7 and 3.9. Trustworthy System: Paragraph 5.18. Disclosure of Information: Paragraphs 10.7 to 10.9 inclusive. Consumer Protection: Paragraph 16.1.

6. The notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.