Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 5 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("ETO"). Click this link to go back to page 1 of the disclosure record.)

The Postmaster General is hereinafter referred to as the "Hongkong Post CA" (CA stands for certification authority).

Assessment Reports in respect of Hongkong Post CA System Upgrade Project

In relation to the issuance of the Hongkong Post e-Cert (Personal) certificate for embedding in the smart ID card that is issued by the Immigration Department, Hongkong Post CA had upgraded its systems and procedures between June 2003 and January 2004 by phases. The upgrade also covered the issuance of the Hongkong Post e-Cert (Personal) certificate at locations outside the premises of Hongkong Post CA.

In accordance with section 5.6 of the Code of Practice for Recognized Certification Authorities ("Code of Practice"), Hongkong Post CA had arranged for the preparation of assessment reports by an independent assessor in relation to changes to the existing CA system, controls and procedures arising from the upgrade mentioned in the preceding paragraph. Three Interim Assessment Reports and a Final Assessment Report were prepared by the assessor to coincide with the four phases in the implementation of the Hongkong Post CA system upgrade project.

Extracts from the assessment reports are herewith published pursuant to section 31(2) of the ETO.

(I) 1^st Interim Assessment Report

The 1^st Interim Assessment Report was prepared by the assessor in relation to the 1^st phase of the CA services launched on 23 June 2003 for embedding the Hongkong Post e-Cert (Personal) certificate in the smart ID Card.

A. Date of the Report:

• The date of the report is 18 June 2003.

B. Material Information:

• Key Findings and Interim Assessment Conclusion

• In respect of the CA services to be launched on 23 June 2003 and as a result of the assessor's independent compliance assessment work performed up until 18 June 2003, the assessor had noted no outstanding significant issues that would indicate non-conformance with those sections of the Code of Practice concerned with ensuring a trustworthy system.

(II) 2^nd Interim Assessment Report

The 2^nd Interim Assessment Report was prepared by the assessor in relation to the issuance of Hongkong Post e-Cert (Personal) certificates at certain locations outside the premises of Hongkong Post CA starting from 22 July 2003.

A. Date of the Report:

• The date of the report is 18 July 2003.

B. Material Information:

• Key Findings and Interim Assessment Conclusion

  In respect of the CA services to be launched on 22 July 2003 and as a result of the assessor's independent compliance assessment work performed up until 18 July 2003, the assessor had noted no outstanding significant issues that would indicate non-conformance with those sections of the Code of Practice concerned with ensuring a trustworthy system.

(III) 3^rd Interim Assessment Report

The 3^rd Interim Assessment Report was prepared by the assessor in relation to the 2^nd phase of the CA services launched on 18 August 2003 for embedding the Hongkong Post e-Cert (Personal) certificate in the smart ID Card.

A. Date of the Report:

• The date of the report is 13 August 2003.

B. Material Information:

• Key Findings and Interim Assessment Conclusion

  In respect of the CA services to be launched on 18 August 2003 and as a result of the assessor's independent compliance assessment work performed up until 13 August 2003, and other than the matter highlighted below which the assessor believed should be taken into consideration when assessing the potential impact on the Hongkong Post CA trust model, no other outstanding significant matters came to the assessor's attention which would indicate non-compliance with those sections of the Code of Practice concerned with ensuring a trustworthy system.

  • In relation to assessment work step 6 "Security review of the e-Cert on-card application and e-Cert embedment process" and work step 8 "Review of the business and systems continuity measures", the assessor's assessment work was intended to include a review of the security assessment report commissioned by the Immigration Department ("ImmD") over the concerned areas (i.e., the security environment over the ImmD's systems and processes for transmitting and embedding the e-Cert on-card application and Application Load Unit file onto the Smart ID cards, and the relevant ImmD business continuity and recovery plans and procedures that contribute to the trustworthiness of the Hongkong Post CA trust model). From the assessor's review of the security assessment report commissioned by, and through the assessor's discussion with, the ImmD, the assessor noted that there was not enough information over the concerned areas for the purpose of assessing the impact on the Hongkong Post CA trust model. Nevertheless, on the part of Hongkong Post, the assessor noted that reasonable steps had been undertaken to mitigate the risks associated with the concerned areas.

(IV) Final Assessment Report

The Final Assessment Report was prepared by the assessor in relation to the last phase of the CA system upgrade project which was to migrate the existing certificates (i.e. e-Cert and Bank-Cert) and related CA services to the new CA system on 12 January 2004.

A. Date of the Report:

• The date of the report is 5 January 2004.

B. Material Information:

• Findings and Conclusion

  In respect of the assessor's work in relation to the last phase of the CA upgrade project, no significant matters came to the assessor's attention which would indicate non-compliance with those sections of the Code of Practice concerned with ensuring a trustworthy system.