OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for Digi-Sign Certification Services Limited

(This is page 25 of the disclosure record for Digi-Sign Certification Services Limited (Digi-Sign) maintained by the Government Chief Information Officer (GCIO) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (ETO). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration in respect of the Issuance of Personal ID-Cert Class 8 Certificate and Organizational ID-Cert Class 9 Certificate

Digi-Sign planned to issue two new types of recognized certificates, namely Personal ID-Cert Class 8 certificate and Organizational ID-Cert Class 9 certificate. These certificates would also participate in the mutual recognition scheme under the "Arrangement for Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong".

The GCIO considered the changes involved in the issuance of the new certificates to be major changes. In this light, the GCIO had, by notices given to Digi-Sign, required Digi-Sign to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO. In this connection, Digi-Sign arranged for an independent assessor to prepare an assessment report, and furnished a statutory declaration made by a responsible officer of Digi-Sign, in respect of the issuance of Personal ID-Cert Class 8 certificate and Organizational ID-Cert Class 9 certificate.

In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for Digi-Sign as a recognized certification authority (CA) the dates of and the material information in the assessment report and statutory declaration. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

(A)  Date of the Report

  • The date of the report is 26 May 2014.

(B)  Material Information

       Recognized CA practices

  1. In the assessor's opinion, having regard to Digi-Sign's planned issuance of Personal ID-Cert Class 8 certificate and Organizational ID-Cert Class 9 certificate, in all material respects,

    (a) the management assertions in respect of Digi-Sign's capability to comply with the sections of the ETO and the Code of Practice (see Note 1) set out in Appendix 3 (see Note 2) of the assessment report are reasonable. In particular, Digi-Sign is capable of:

      (i) disclosing its business practices in its CPS(s) (see Note 3) in accordance with the ETO and the Code of Practice and providing its services in accordance with its disclosed business practices;
      (ii) complying with the requirements in respect of the use of a trustworthy system to support its operations in accordance with sections 21(4)(b), (c) and (f) and 37 of the ETO and the Code of Practice; and
      (iii) complying with the requirements in respect of recognition of its certificates in accordance with sections 36, 37, 39, 40, 44 and 45(1) of the ETO and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Digi-Sign's capability to comply with the sections of the Code of Practice set out in Appendix 4 (see Note 4) of the assessment report are not reasonable;
    (c) the management assertions in respect of compliance of Digi-Sign's CPS(s) with all provisions of the Certificate Policy for Mutual Recognition of Electronic Signature Certificates (MRCP) are reasonable (see Note 5); and
    (d) based on the conclusions drawn in paragraphs (a), (b) and (c) above, the management assertions in respect of Digi-Sign's capability to comply with the provisions of the ETO applicable to a recognized CA and the Code of Practice are reasonable, and the management assertions in respect of its capability to comply with all provisions in its CPS and the MRCP are reasonable.

    Potential liabilities

  2. In the assessor's opinion, in all material respects, the management assertions that Digi-Sign has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issuance of certificates are reasonable.

(C)  Additional Material Information Provided by the Assessor

  • The assessor confirmed that sections 46, 47 and 48 of the ETO as well as paragraphs 4.7, 4.11, 5.2, 5.3, 5.8 and 6.9 of the Code of Practice have been covered in the scope of the assessment. Furthermore, the assessor has also confirmed that after considering these provisions, in the opinion of the assessor, the management assertions in respect of Digi-Sign's compliance with the provisions of the ETO and of the Code of Practice as specified in the notices issued by the GCIO to Digi-Sign are reasonable.

Statutory Declaration

(A)  Date of the Statutory Declaration

  • The date of the declaration is 6 June 2014.

(B)  Material Information

  • Having regard to Digi-Sign's planned issuance of Personal ID-Cert Class 8 certificate and Organizational ID-Cert Class 9 certificate, a responsible officer of Digi-Sign declared that Digi-Sign was capable of complying with the provisions of the ETO, the Code of Practice and the Traditional Chinese version of the MRCP, as specified in paragraph 2 of Appendix I of the notices from GCIO dated 26 March 2013 and 10 September 2013 (see Note 6).

Notes

  1. Code of Practice for Recognized Certification Authorities (version 3.0) issued under section 33 of the ETO.
  2. Appendix 3 of the assessment report is extracted as follows:
    Relevant Provisions of the ETO
    1. Part VII - Recognition of CAs and certificates by GCIO:
      Sections 21(4)(b), (c) and (f).
    2. Part X - General Provisions as to Recognized CAs:
      Sections 36, 37, 39, 40, 44 and 45(1).

    Relevant Provisions of the Code of Practice

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.1 to 3.2 inclusive, 3.4 to 3.5 inclusive and 3.8.
    2. Certification Practice Statement:
      Paragraphs 4.1 to 4.6 inclusive, 4.8 to 4.10 inclusive and 4.12 to 4.13 inclusive.
    3. Trustworthy System:
      Paragraphs 5.1, 5.6 to 5.7 inclusive, 5.9 to 5.10 inclusive, 5.12 to 5.15 inclusive and 5.19 to 5.21 inclusive.
    4. Certificates and Recognized Certificates:
      Paragraphs 6.1 to 6.8 inclusive and 6.10 to 6.23 inclusive.
    5. Verification of Subscriber's Identity:
      Paragraphs 7.1 to 7.2 inclusive.
    6. Reliance Limit and Liability Cover:
      Paragraphs 8.1 to 8.2 inclusive.
    7. Repositories:
      Paragraphs 9.1, 9.3 and 9.5.
    8. Disclosure of Information:
      Paragraph 10.1.
    9. Inter-operability:
      Paragraph 15.2.
    10. Appendix 1:
      All relevant paragraphs in Appendix 1 of the COP, which are applicable to the requirements stipulated in the MRCP.
  3. Certification Practice Statement (CPS).
  4. Appendix 4 of the assessment report is extracted as follows:
    Relevant Provisions of the Code of Practice
    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.3 and 3.6.
    2. Trustworthy System:
      Paragraphs 5.11 and 5.16 to 5.17 inclusive.
    3. Reliance Limit and Liability Cover:
      Paragraphs 8.3 to 8.4 inclusive.
    4. Repositories:
      Paragraphs 9.2 and 9.4.
    5. Inter-operability:
      Paragraph 15.1.
  5. With reference to the "Arrangement for Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong" (in Chinese《粵港兩地電子簽名證書互認辦法》), please check the latest mutual recognition status of relevant digital certificates in the following trust list:

    Traditional Chinese:

    https://www.ogcio.gov.hk/tc/our_work/business/mainland/cepa/mr_ecert/trust_list/index.html

    Simplified Chinese:

    https://www.ogcio.gov.hk/sc/our_work/business/mainland/cepa/mr_ecert/trust_list/index.html

    English:

    https://www.ogcio.gov.hk/en/our_work/business/mainland/cepa/mr_ecert/trust_list/index.html


  6. Paragraph 2 of Appendix I of the notices is reproduced below for reference:

    2. For the purpose of section 43A(1)(d)(i) of the ETO

    2.1 A responsible officer of Digi-Sign Certification Services Limited (Digi-Sign) shall make a statutory declaration which states that, having regard to Digi-Sign’s planned issuance of the Personal ID-Cert Class 8 certificate and Organizational ID-Cert Class 9 certificate, Digi-Sign is capable of complying with the following provision of the ETO.

    1. Part VII - Recognition of CAs and Certificates by GCIO:
      Section 21(4)(e).

    2.2 A responsible officer of Digi-Sign shall make a statutory declaration which states that, having regard to Digi-Sign’s planned issuance of the Personal ID-Cert Class 8 certificate and Organizational ID-Cert Class 9 certificate, Digi-Sign is capable of complying with the following provisions of the Code of Practice.

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.7 and 3.9.
    2. Trustworthy System:
      Paragraph 5.18.
    3. Disclosure of Information:
      Paragraphs 10.7 to 10.9 inclusive.
    4. Consumer Protection:
      Paragraph 16.1.

    2.3 A responsible officer of Digi-Sign shall make a statutory declaration which states that, having regard to Digi-Sign’s planned issuance of the Personal ID-Cert Class 8 certificate and Organizational ID-Cert Class 9 certificate, Digi-Sign is capable of complying with the MRCP.

  7. The notes in the above paragraphs are disclosed in accordance with section 31(2) of the ETO.