OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for Digi-Sign Certification Services Limited

(This is page 29 of the disclosure record for Digi-Sign Certification Services Limited (Digi-Sign) maintained by the Government Chief Information Officer (GCIO) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (ETO). Click this link to go back to page 1 of the disclosure record.)

Assessment Reports and Statutory Declarations in respect of Relocation of Production Data Centre

Digi-Sign planned to relocate its production data centre on 18 February 2017.

The GCIO considered the changes set out in the preceding paragraph to be major changes. In this light, the GCIO had, by notice given to Digi-Sign, required Digi-Sign to furnish to the GCIO two sets of assessment report and statutory declaration pursuant to section 43A(1) of the ETO. In this connection, Digi-Sign arranged the preparation of two assessment reports produced by an independent assessor and furnished two statutory declarations made by a responsible officer of Digi-Sign in respect of the relocation of the production data centre. The first set of assessment report and statutory declaration was furnished before the relocation of the production data centre, while the second set of assessment report and statutory declaration was furnished after the relocation of the production data centre.

In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for Digi-Sign as a recognized certification authority (CA) the dates of and the material information in the assessment reports and statutory declarations on the CA services of Digi-Sign. Only those parts of the reports and statutory declarations containing material information are herewith published.

First Assessment Report

(A) Date of the Report

  • The date of the report is 25 January 2017.

(B) Material Information

Recognized CA Practices

  1. In the assessor’s opinion, in all material respects,
    (a) the management assertions in respect of Digi-Sign’s capability to comply with the sections of the ETO and the Code of Practice (see Note 1) set out in Appendix 2 (see Note 2) of the assessment report, having regard to the major change that will occur for the planned relocation of production data centre, are reasonable. In particular, Digi-Sign is capable of:
      1. disclosing its business practices in its CPS(s) (see Note 3) in accordance with the ETO and the Code of Practice and providing its services in accordance with its disclosed business practices;
      2. complying with the requirements in respect of the use of a trustworthy system to support its operations in accordance with sections 21(4)(c) and 37 of the ETO and the Code of Practice; and
      3. complying with the requirements in respect of recognition of its certificates in accordance with sections 36, 39, 40, 44 and 45(1) of the ETO and the Code of Practice;
    (b) no information came to the assessor’s attention during the course of the assessment that would indicate that the management assertions in respect of Digi-Sign’s capability to comply with the sections of the Code of Practice set out in Appendix 3 (see Note 4) of the assessment report, having regard to the major change that will occur for the planned relocation of production data centre, are not reasonable;
    (c) the management assertions in respect of Digi-Sign’s capability to comply with all the provisions of the Certificate Policy for Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong (“MRCP”) are reasonable; and
    (d) based on the conclusions drawn in paragraphs (a), (b) and (c) above, the management assertions in respect of Digi-Sign’s capability to comply with the provisions of the ETO applicable to a recognized CA, the Code of Practice and the MRCP, having regard to the major change that will occur for the planned relocation of production data centre, are reasonable.
  2. The assessor has covered and examined the provisions of the ETO and of the Code of Practice as set out in Appendix 4 (see Note 5) of the assessment report and considers them to be explanatory material and statement of facts. Therefore, it would not be appropriate for the assessor to express its opinion with regard to these provisions. The assessor confirms that these provisions would not cause any material impact to the conclusions of the assessment report.

First Statutory Declaration

(A) Date of the Statutory Declaration

  • The date of the declaration is 24 January 2017.

(B) Material Information

  • Having regard to Digi-Sign's planned relocation of its production data centre, a responsible officer of Digi-Sign declared that Digi-Sign was capable of complying with the provisions of the ETO and the Code of Practice, as specified in paragraph 2 of Annex II of the notice issued by the GCIO (see Note 6).

Second Assessment Report

(A) Date of the Report

  • The date of the report is 24 February 2017.

(B) Material Information

Recognized CA Practices

  1. In the assessor’s opinion, in all material respects,
    (a) the management assertions in respect of Digi-Sign's compliance and capability to comply with the sections of the ETO and the Code of Practice set out in Appendix 2 (see Note 2) of the assessment report, having regard to Digi-Sign's relocation of its production data centre that has occurred, are reasonable. In particular, Digi-Sign is and is capable of:
      1. disclosing its business practices in its CPS(s) in accordance with the ETO and the Code of Practice and providing its services in accordance with its disclosed business practices;
      2. complying with the requirements in respect of the use of a trustworthy system to support its operations in accordance with sections 21(4)(c) and 37 of the ETO and the Code of Practice; and
      3. complying with the requirements in respect of recognition of its certificates in accordance with sections 36, 39, 40, 44 and 45(1) of the ETO and the Code of Practice;
    (b) no information came to the assessor’s attention during the course of the assessment that would indicate that the management assertions in respect of Digi-Sign's compliance and capability to comply with the sections of the Code of Practice set out in Appendix 3 (see Note 4) of the assessment report, having regard to Digi-Sign's relocation of its production data centre that has occurred, are not reasonable;
    (c) the management assertions in respect of Digi-Sign's compliance and capability to comply with all the provisions of the MRCP are reasonable; and
    (d) based on the conclusions drawn in paragraphs (a), (b) and (c) above, the management assertions in respect of Digi-Sign's compliance and capability to comply with the provisions of the ETO applicable to a recognized CA, the Code of Practice and the MRCP, having regard to Digi-Sign's relocation of its production data centre that has occurred, are reasonable.
  2. The assessor has covered and examined the provisions of the ETO and of the Code of Practice as set out in Appendix 4 (see Note 5) of the assessment report and considers them to be explanatory material and statement of facts. Therefore, it would not be appropriate for the assessor to express its opinion with regard to these provisions. The assessor confirms that these provisions would not cause any material impact to the conclusions of the assessment report.

Second Statutory Declaration

(A) Date of the Statutory Declaration

  • The date of the declaration is 24 February 2017.

(B) Material Information

  • Having regard to Digi-Sign's relocation of its production data centre that has occurred, a responsible officer of Digi-Sign declared that Digi-Sign was and was capable of complying with the provisions of the ETO, the Code of Practice and the MRCP as specified in paragraph 2 of Annex II of the notice issued by the GCIO (see Note 6).

Notes

  1. Code of Practice for Recognized Certification Authorities (version 3.0) issued under section 33 of the ETO
  2. The Appendix 2 is identical in both assessment reports and is extracted as follows:
    Relevant Provisions of the ETO
    1. Part VII – Recognition of CAs and certificates by GCIO:
      Section 21(4)(b) and (c).
    2. Part X – General Provisions as to Recognized CAs:
      Sections 36, 37, 39, 40, 44 and 45(1).
    Relevant Provisions of the Code of Practice
    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.1 to 3.2 inclusive, 3.4 to 3.6 inclusive and 3.8.
    2. Certification Practice Statement:
      Paragraphs 4.1 to 4.10 inclusive and 4.12 to 4.13 inclusive.
    3. Trustworthy System:
      Paragraphs 5.1, 5.6 to 5.7 inclusive, 5.9 to 5.15 inclusive and 5.19 to 5.21 inclusive.
    4. Certificates and recognized certificates:
      Paragraphs 6.1 to 6.8 inclusive and 6.10 to 6.23 inclusive.
    5. Reliance limit and liability cover:
      Paragraphs 8.2 to 8.4 inclusive.
    6. Repositories:
      Paragraphs 9.1, 9.3 and 9.5.
    7. Disclosure of Information:
      Paragraphs 10.1 to 10.3 inclusive.
    8. Adoption of Standards and Technology:
      Paragraph 14.1.
    9. All relevant paragraphs in Appendix 1 of the Code of Practice, which are applicable to the requirements stipulated in the Certificate Policy for Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong.
  3. Certification Practice Statement (CPS).
  4. The Appendix 3 is identical in both assessment reports and is extracted as follows:
    Relevant Provisions of the Code of Practice
    1. General Responsibilities of a Recognized CA:
      Paragraph 3.3.
    2. Trustworthy System:
      Paragraphs 5.16 to 5.17 inclusive.
    3. Repositories:
      Paragraphs 9.2 and 9.4 inclusive.
    4. Disclosure of Information:
      Paragraphs 10.4 to 10.6 inclusive.
  5. The Appendix 4 is identical in both assessment reports and is extracted as follows:
    Relevant Provisions of the ETO
    1. Part XI – Provisions as to Secrecy, Disclosure and Offences:
      Sections 46, 47 and 48.
    Relevant Provisions of the Code of Practice
    1. Certification Practice Statement:
      Paragraph 4.11.
    2. Trustworthy System:
      Paragraphs 5.2 to 5.3 inclusive and 5.8.
    3. Certificates and Recognized Certificates:
      Paragraph 6.9.
  6. Paragraph 2 of Annex II of the notice is reproduced below for reference:
    2.1 A responsible officer of Digi-Sign Certification Services Limited (Digi-Sign) shall make a statutory declaration which states that, having regard to Digi-Sign’s relocation of its production data centre, Digi-Sign is capable of complying with the following provisions of the ETO.
    1. Part VII – Recognition of CAs and Certificates by GCIO:
      Section 21(4)(e).
    2.2 A responsible officer of Digi-Sign shall make a statutory declaration which states that, having regard to Digi-Sign’s relocation of its production data centre, Digi-Sign is capable of complying with the following provisions of the Code of Practice.
    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.7 and 3.9.
    2. Trustworthy System:
      Paragraph 5.18.
    3. Disclosure of Information:
      Paragraphs 10.7 to 10.9 inclusive.
    4. Consumer Protection:
      Paragraph 16.1.
    2.3 A responsible officer of Digi-Sign shall make a statutory declaration which states that, having regard to Digi-Sign’s relocation of its production data centre, Digi-Sign is capable of complying with the MRCP.