OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 6 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance").)

Assessment Report (1 January 2003 - 31 December 2003)

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for the Postmaster General as a recognized certification authority the date of and the material information in the assessment report on the certification authority ("CA") services of the Postmaster General. Only those parts of the report containing material information are herewith published.

The Postmaster General is hereinafter referred to as the "Hongkong Post CA".

A. Date of the Report

  • The date of the report is 21 January 2004.

B. Material Information

  1. The assessment report is prepared by the assessor for the period between 1 January 2003 and 31 December 2003.

Recognized CA Practices

  2. With the exception noted in paragraph 9 below, the assessor concluded that:
    (a) the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice (Note 1) set out in Part 3A of Appendix 3 to Practice Note 870 (Note 2) for the period from 1st January 2003 to 31st December 2003 are reasonable. In particular, Hongkong Post CA has:
      (i) disclosed its business practices in its CPSs (Note 3) in accordance with the Ordinance applicable to an RCA (Note 4) and the Code of Practice, and provided its services in accordance with its disclosed business practices;
      (ii) reasonably complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      (iii) reasonably complied with the requirements in respect of recognition of its certificates in accordance with the provisions of the Ordinance applicable to an RCA and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice set out in Part 3B of Appendix 3 to Practice Note 870 for the period from 1st January 2003 to 31st December 2003 are not reasonable; and
    (c) based on the conclusions drawn in paragraphs (a) and (b) above in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to an RCA for the period from 1st January 2003 to 31st December 2003:
      (i) the management assertions in respect of (a) above are reasonable; and
      (ii) no other information came to the attention of the assessor during the course of the assessment that would indicate that those assertions in respect of (b) above are not reasonable.

(Note: In respect of (c) above, the assessor subsequently clarified that, based on the conclusions drawn in paragraphs (a) and (b) above, the management assertions in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a recognized CA for the period from 1st January 2003 to 31st December 2003 are reasonable.)

Financial projections

  3. Except for the item under paragraph 10 below, in the assessor's opinion, in all material respects, the accounting policies upon which Hongkong Post CA's cash flow projections and financial position forecasts for the six-month period intervals from 1st November 2003 to 31st October 2004 and projection of operating costs for the period from 1st November 2003 to 31st January 2004, in respect of the CA's operations relevant under the Ordinance, are based are consistent with those normally adopted by the Electronic Services Section of Hongkong Post and conform with generally accepted accounting principles adopted in Hong Kong, and the projections have been properly compiled on the basis of the assumptions made by the management of Hongkong Post CA.
  4. It has been ascertained from Hongkong Post CA that the amount of net current assets (i.e. current assets less current liabilities) as shown in the unaudited management accounts of Hongkong Post CA for the 7-month period ended 31st October 2003 was a negative number (i.e. a net current liability).
  5. Net current assets being negative cannot fund the projected operating costs. However, Hongkong Post has confirmed that it will provide continued financial support to enable ESS (Note 5) to meet its liabilities as they fall due.
  6. The assessor has not carried out any verification work on the unaudited management accounts of Hongkong Post CA for the period ended 31st October 2003.

Potential liabilities

  7. Due to the nature of the industry in which Hongkong Post CA operates, there is uncertainty in determining Hongkong Post CA's potential liabilities given the limited history of past claims (both in Hong Kong and other parts of the world for risks of this nature). Despite this, the assessor noted that Hongkong Post CA purchased insurance policies for the purpose of settling any future potential liabilities in accordance with the requirements stipulated in paragraph B-18B in the second supplementary note to the Guidance Note (Note 6).
  8. On this basis, in the assessor's opinion, in all material respects, the management assertion that Hongkong Post CA has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issue of certificates is reasonable.

Exception and issues

  9. As a result of its assessment, the assessor drew attention to the exception below, which the assessor considered to be of particular significance.

    Exception:
    (i) As part of Hongkong Post's CA system upgrade implementation project and in conjunction with the HKSAR Immigration Department ("ImmD") for the rollout of the Hong Kong smart ID card implementation project launched in mid-2003, Hong Kong residents (when replacing their existing Hong Kong ID cards) have the option to apply for an e-Cert to be embedded in their new smart ID card. During the assessor's independent compliance assessment of the Hongkong Post CA system upgrade implementation project, and as a follow-up review step as part of the annual assessment for the year ended 31 December 2003 focusing on the security environment over the ImmD's systems and processes for transmitting and embedding the e-Cert on-card application and Application Load Unit file onto the smart ID cards, and the relevant ImmD business continuity and recovery plans and procedures that contribute to the trustworthiness of the Hongkong Post CA trust model (collectively referred to as the "concerned areas"), the assessor noted that there was not enough information to assess the impact on the Hongkong Post CA trust model. Nevertheless, for those areas under the control of Hongkong Post, the assessor noted that reasonable steps had been undertaken to mitigate the risks associated with the concerned areas.

    Response of Hongkong Post CA:
    The Hongkong Post CA is using a trustworthy system to perform its services and has taken practical measures to deal with the risk associated with the issue.

  10. In addition to the exception noted in paragraph 9 above, the assessor had identified other issues relating to the requirements stipulated in the Guidance Note on Compliance Assessment of Certification Authorities under the Electronic Transactions Ordinance (Cap. 553) and all subsequent supplementary notes issued by the then Director to date. The assessor drew attention to the following issue, which the assessor considered to be of particular significance.

    Issue identified:
    (i) Hongkong Post CA depreciated its computer systems and equipment on a straight-line basis over the period of their estimated useful life. The estimated useful life appeared to be longer than general industry practice for similar computer systems and equipment.

    Response of Hongkong Post CA:
    This (i.e. accounting depreciation) follows the accounting practice of Hongkong Post and is accepted by the Treasury of the HKSAR Government.

Notes

  1. Code of Practice for Recognized Certification Authorities (Version 1.0) issued under section 33 of the Ordinance.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the then Hong Kong Society of Accountants.
  3. Certification practice statements.
  4. Recognized certification authorities.
  5. Electronic Services Section of Hongkong Post which operates the CA service.
  6. Guidance Note on Compliance Assessment of Certification Authorities under the Electronic Transactions Ordinance (Cap. 553) (Version 1.0).
  7. The responses to the exception and issues as reported by Hongkong Post CA and the notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.