Disclosure Records of Recognized Certification Authorities

Archive of Disclosure Record for HiTRUST.COM (HK) Incorporated Limited

(This is page 4 of the archive of the disclosure record for HiTRUST.COM (HK) Incorporated Limited ("HiTRUST") maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance"). Click this link to go back to page 1 of the archive of the disclosure record.)

Assessment Report and Statutory Declaration (20 March 2004 - 19 March 2005)

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for HiTRUST as a recognized certification authority ("CA") the date of and the material information in the assessment report and statutory declaration on the CA services of HiTRUST. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

A. Date of the Report

• The date of the report is 19 March 2005.

B. Material Information

1. The assessment report is prepared by the assessor for the period between 20 March 2004 and 19 March 2005.

Recognized CA practices

2. In the assessor's opinion, in all material respects:
   1. the management assertions in respect of HiTRUST's compliance with the sections of the Code of Practice (see Note 1) set out in Appendix IV (see Note 2) of the assessment report for the period from 20 March 2004 to 19 March 2005 are reasonable. In particular, HiTRUST has:
      1. disclosed its business practices in its CPS (see Note 3) in accordance with the Ordinance and the Code of Practice and provided its services in accordance with its disclosed business practices;
      2. complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      3. complied with the requirements in respect of recognition of its certificates in accordance with sections 36, 39, 40, 44 and 45(1) of the Ordinance and the Code of Practice;
   2. no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of HiTRUST's compliance with the sections of the Code of Practice set out in Appendix V (see Note 4) of the assessment report for the period from 20 March 2004 to 19 March 2005 are not reasonable; and
   3. based on the conclusions drawn in paragraphs (a) and (b) above, the management assertions in respect of HiTRUST's compliance with the provisions of the Ordinance applicable to a recognized CA for the period from 20 March 2004 to 19 March 2005 are reasonable.

Financial projections

3. In the assessor's opinion, in all material respects, the accounting policies upon which HiTRUST's projected cashflow statements and projected balance sheets for the period from 1 February 2005 to 31 January 2006, and projection of operating costs for the next 90 days from 1 February 2005, in respect of the CA's operations relevant under the Ordinance are based, are consistent with those normally adopted by HiTRUST and conform with generally accepted accounting principles adopted in Hong Kong, and the financial projections have been properly compiled on the basis of the assumptions made by management of HiTRUST.
4. It has been ascertained from HiTRUST that the amount of net current assets (i.e. current assets less current liabilities) as shown in the unaudited management accounts of HiTRUST for the month ended 31 January 2005 was in a positive net current assets position. The amount of net current assets as shown in the unaudited management accounts of HiTRUST for the month ended 31 January 2005 exceeds the 90-day projection of operating costs from 1 February 2005.
5. The assessor has not carried out any verification work on the unaudited management accounts of HiTRUST for the month ended 31 January 2005.

Potential liabilities

6. In the assessor's opinion, in all material respects, the management assertion that HiTRUST has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issue of certificates are reasonable.

C. Additional Material Information Provided by the Assessor

• The assessor has confirmed that the assessment has covered all the provisions of the ETO and of the Code of Practice as specified in paragraph 1 of Appendix 2 of the Code of Practice. Furthermore, the assessor has confirmed that it has not identified any material impact to the conclusion in the assessment report arising from the provisions of the ETO and of the Code of Practice that have not been explicitly mentioned in the assessment report.

Statutory Declaration

A. Date of the Declaration

• The date of the declaration is 6 May 2005.

B. Material Information

• A responsible officer of HiTRUST declares that HiTRUST has, from 20 March 2004 until 19 March 2005, complied with the provisions of the Ordinance and the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.

Notes

1. Code of Practice for Recognized Certification Authorities issued by the GCIO under section 33 of the Ordinance.
2. The Appendix IV of the assessment report is extracted as follows:
   
   Relevant Provisions of the Code of Practice
   
   1. General Responsibilities of a Recognized CA:
      Paragraphs 3.1, 3.2, 3.4, 3.5 and 3.8
   2. Certificate Practice Statement:
      Paragraphs 4.1 to 4.6, 4.8 to 4.10 and 4.12 to 4.13
   3. Trustworthy System:
      Paragraphs 5.1, 5.6, 5.7, 5.9, 5.10, 5.12 to 5.15, 5.19 to 5.21
   4. Certificates and Recognized Certificates:
      Paragraphs 6.1 to 6.8, 6.10 to 6.23
   5. Verification of Subscriber's Identity:
      Paragraphs 7.1 and 7.2
   6. Reliance Limit and Liability Cover:
      Paragraphs 8.1 and 8.2
   7. Repositories:
      Paragraphs 9.1, 9.3 and 9.5
   8. Disclosure of Information:
      Paragraphs 10.1 to 10.3
   9. Termination of Service:
      Paragraphs 11.1 to 11.4
   10. Assessment of Compliance with the Ordinance and this Code of Practice:
       Paragraph 12.1
   11. Inter-operability:
       Paragraph 15.2
   12. Appendix 1 - Standards and Procedures regarding the Contents of Certification Practice Statements:
       All sections in Appendix 1 of this Code of Practice
3. Certification practice statement.
4. The Appendix V of the assessment report is extracted as follows:
   
   Relevant Provisions of the Code of Practice
   
   1. General Responsibilities of a Recognized CA:
      Paragraphs 3.3 and 3.6
   2. Trustworthy System:
      Paragraphs 5.11, 5.16 and 5.17
   3. Reliance Limit and Liability Cover:
      Paragraphs 8.3 and 8.4
   4. Repositories:
      Paragraphs 9.2 and 9.4
   5. Disclosure of Information:
      Paragraphs 10.4 to 10.6
   6. Termination of Service:
      Paragraph 11.5
   7. Declaration of Compliance with the Ordinance and this Code of Practice:
      Paragraph 13.1
   8. Adoption of Standards and Technology:
      Paragraph 14.1
   9. Inter-operability:
      Paragraph 15.1
5. The notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.