OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for Digi-Sign Certification Services Limited

(This is page 17 of the disclosure record for Digi-Sign Certification Services Limited ("Digi-Sign") maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance"). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration (1 June 2008 - 31 May 2009)

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for Digi-Sign as a recognized certification authority the dates of and the material information in the assessment report and statutory declaration on the certification authority ("CA") services of Digi-Sign. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

(A)  Date of the Report

  • The date of the report is 10 June 2009.

(B)  Material Information

  1. The assessment report was prepared by the assessor for the period between 1 June 2008 and 31 May 2009.

    Recognized CA practices

  2. In the assessor's opinion, in all material respects,

    (a) the management assertions in respect of Digi-Sign's compliance with the sections of the Ordinance and the Code of Practice (see Note 1) set out in Appendix 4 (see Note 2) of the assessment report for the period from 1 June 2008 to 31 May 2009 are reasonable. In particular, Digi-Sign has:

      1. disclosed its business practices in its CPS(s) (see Note 3) in accordance with the Ordinance and the Code of Practice and provided its services in accordance with its disclosed business practices;
      2. complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      3. complied with the requirements in respect of recognition of its certificates in accordance with sections 36, 39, 40, 44 and 45(1) of the Ordinance and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Digi-Sign's compliance with the sections of the Code of Practice set out in Appendix 5 (see Note 4) of the assessment report for the period from 1 June 2008 to 31 May 2009 are not reasonable; and
    (c) based on the conclusions drawn in paragraphs (a) and (b) above, the management assertions in respect of Digi-Sign's compliance with the provisions of the Ordinance applicable to a recognized CA for the period from 1 June 2008 to 31 May 2009 are reasonable.

    Financial projections

  3. In the assessor's opinion, in all material respects, the accounting policies upon which Digi-Sign's projected cashflow statements and projected balance sheets for the period from 1 May 2009 to 30 April 2010, and projection of operating costs for the next 90 days from 1 May 2009, in respect of the CA's operations relevant under the Ordinance are based, are consistent with those normally adopted by Digi-Sign and conform with generally accepted accounting principles adopted in Hong Kong, and the financial projections have been properly compiled on the basis of the assumptions made by management of Digi-Sign.
  4. It has been ascertained from Digi-Sign that the amount of net current assets (i.e. current assets less current liabilities) as shown in the unaudited management accounts of Digi-Sign for the month ended 30 April 2009 was in a positive net current assets position. The amount of net current assets as shown in the unaudited management accounts of Digi-Sign for the month ended 30 April 2009 exceeds the 90-day projection of operating costs from 1 May 2009.
  5. The assessor has not carried out any verification work on the unaudited management accounts of Digi-Sign for the month ended 30 April 2009.

    Potential liabilities

  6. In the assessor's opinion, in all material respects, the management assertions that Digi-Sign has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issue of certificates are reasonable.

(C)  Additional Material Information Provided by the Assessor

  • The assessor has confirmed that sections 21(4)(a), (b), (c) and (f), 42(1) and (2), 46, 47 and 48 of the Ordinance as well as paragraphs 4.7, 4.11, 5.2, 5.3, 5.8 and 6.9 of the Code of Practice have been covered in the scope of the assessment. Furthermore, the assessor has also confirmed that after considering these provisions, in the opinion of the assessor, the management assertions in respect of Digi-Sign's compliance with the provisions of the Ordinance and of the Code of Practice as specified under paragraph 1 of Appendix 2 of the Code of Practice, which cover these provisions, are reasonable.

Statutory Declaration

(A)  Date of the Statutory Declaration

  • The date of the declaration is 1 June 2009.

(B)  Material Information

  • A responsible officer of Digi-Sign declares that Digi-Sign has, from 1 June 2008 until 31 May 2009, complied with the provisions of the Ordinance and the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.

Notes

  1. Version 2.1 of the Code of Practice for Recognized Certification Authorities issued under section 33 of the Ordinance.
  2. The Appendix 4 of the assessment report is extracted as follows:
    Relevant Provisions of the Code of Practice
    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.1 to 3.2 inclusive, 3.4 to 3.5 inclusive and 3.8.
    2. Certification Practice Statement:
      Paragraphs 4.1 to 4.6 inclusive, 4.8 to 4.10 inclusive and 4.12 to 4.13 inclusive.
    3. Trustworthy System:
      Paragraphs 5.1, 5.6 to 5.7 inclusive, 5.9 to 5.10 inclusive, 5.12 to 5.15 inclusive and 5.19 to 5.21 inclusive.
    4. Certificates and Recognized Certificates:
      Paragraphs 6.1 to 6.8 inclusive and 6.10 to 6.23 inclusive.
    5. Verification of Subscriber's Identity:
      Paragraphs 7.1 to 7.2 inclusive.
    6. Reliance Limit and Liability Cover:
      Paragraphs 8.1 to 8.2 inclusive.
    7. Repositories:
      Paragraphs 9.1, 9.3 and 9.5.
    8. Disclosure of Information:
      Paragraphs 10.1 to 10.3 inclusive.
    9. Termination of Service:
      Paragraphs 11.1 to 11.4 inclusive.
    10. Assessment of Compliance with the Ordinance and this Code of Practice:
      Paragraph 12.1.
    11. Inter-operability:
      Paragraph 15.2.
    12. Appendix 1 - Standards and Procedures regarding the Contents of Certification Practice Statements:
      All paragraphs in Appendix 1 of this Code of Practice.
  3. Certification practice statement.
  4. The Appendix 5 of the assessment report is extracted as follows: 
    Relevant Provisions of the Code of Practice
    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.3 and 3.6.
    2. Trustworthy System:
      Paragraphs 5.11 and 5.16 to 5.17 inclusive.
    3. Reliance Limit and Liability Cover:
      Paragraphs 8.3 to 8.4 inclusive.
    4. Repositories:
      Paragraphs 9.2 and 9.4.
    5. Disclosure of Information:
      Paragraphs 10.4 to 10.6 inclusive.
    6. Termination of Service:
      Paragraph 11.5.
    7. Declaration of Compliance with the Ordinance and this Code of Practice:
      Paragraph 13.1.
    8. Adoption of Standards and Technology:
      Paragraph 14.1.
    9. Inter-operability:
      Paragraph 15.1.
  5. The notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.