
Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 7 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance"). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration (1 January 2004 - 31 December 2004)

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for the Postmaster General as a recognized certification authority the date of and the material information in the assessment report and statutory declaration on the certification authority ("CA") services of the Postmaster General. Only those parts of the report containing material information are herewith published.

The Postmaster General is hereinafter referred to as the "Hongkong Post CA".

Assessment Report

A. Date of the Report

  • The date of the report is 20 January 2005.

B. Material Information

  1. The assessment report is prepared by the assessor for the period between 1 January 2004 and 31 December 2004.

Recognized CA Practices

  2. With the exception noted in paragraph 9 below, in the assessor's opinion, in all material respects:
     (a) the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice (Note 1) set out in Part 3A of Appendix 3 to Practice Note 870 (Note 2) for the period from 1 January 2004 to 31 December 2004 are reasonable. In particular, Hongkong Post CA has:
         (i) disclosed its business practices in its CPSs (Note 3) in accordance with the Ordinance applicable to a RCA (Note 4) and the Code of Practice and provided its services in accordance with its disclosed business practices;
         (ii) reasonably complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
         (iii) reasonably complied with the requirements in respect of recognition of its certificates in accordance with the provisions of the Ordinance applicable to a RCA and the Code of Practice;
     (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice set out in Part 3B of Appendix 3 to Practice Note 870 for the period from 1 January 2004 to 31 December 2004 are not reasonable; and
     (c) based on the conclusions drawn in paragraphs (a) and (b) above in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1 January 2004 to 31 December 2004, the management assertions in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1 January 2004 to 31 December 2004 are reasonable.

Financial projections

  3. Except for the item under paragraph 10 below, in the assessor's opinion, in all material respects, the accounting policies upon which Hongkong Post CA's cashflow projections and financial position forecasts for the six-month period intervals from 1 November 2004 to 31 October 2005 and projection of operating costs for the period from 1 November 2004 to 31 January 2005, in respect of the CA's operations relevant under the Ordinance, are based are consistent with those normally adopted by the Electronic Services Section of Hongkong Post and conform with generally accepted accounting principles adopted in Hong Kong, and the financial projections have been properly compiled on the basis of the assumptions made by the management of Hongkong Post CA.
  4. It has been ascertained from Hongkong Post CA that the amount of net current assets (i.e. current assets less current liabilities) as shown in the unaudited management accounts of Hongkong Post CA for the 7-month period ended 31 October 2004 was a negative number (i.e. a net current liability).
  5. Negative net current assets cannot fund the projected operating costs. However, Hongkong Post has confirmed that it will provide continued financial support to enable the Electronic Services Section of Hongkong Post to meet its liabilities as and when they fall due.
  6. The assessor has not carried out any verification work on the unaudited management accounts of Hongkong Post CA for the period ended 31 October 2004.

Potential liabilities

  7. Due to the nature of the industry in which Hongkong Post CA operates, there is uncertainty in determining Hongkong Post CA's potential liabilities given the limited history of past claims (both in Hong Kong and in other parts of the world) for risks of this nature.
  8. In the assessor's opinion, in all material respects, the management assertion that Hongkong Post CA has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issue of certificates is reasonable.

Exception and issues

  9. As a result of its assessment, the assessor drew attention to the exception below, which the assessor considered to be of particular significance.

     Exception (i): During the assessor's compliance testing of the Hongkong Post CA revocation handling process for e-Cert (Organisational), the assessor noted that one revocation request had not been properly processed, in that the certificate concerned was not revoked and published in the Certificate Revocation List ("CRL") within the timeframe set out in the e-Cert CPS dated August 2004. The records prepared by Hongkong Post indicated that this was an isolated incident caused by human error and there was no indication of system errors.

     Response of Hongkong Post CA: The Hongkong Post CA has reviewed the existing revocation handling procedures and found them proper for the revocation operations specified in the CPS. The incident was an isolated case caused by an accidental human error. The Hongkong Post CA has strengthened the monitoring measures to ensure that all revocation requests are processed according to the timeframe set out in the CPS.

     Exception (ii): Hongkong Post CA as a RCA has appointed Bank of China (Hong Kong) ("BOCHK") and two of its subsidiary banks, Nanyang and Chiyu, as its agents to carry out certain RA functions. BOCHK, Nanyang and Chiyu have adopted a "paper-based RA model" in which paper records of Hongkong Post e-Cert (Organisational) application forms are physically delivered to Hongkong Post's CA centre for processing, and no system interfaces are built between the three banks and Hongkong Post for this purpose. During the assessor's assessment for the year ended 31 December 2004, the assessor noted that the compliance assessment report of the RA operation outsourced to BOCHK was not available for their assessment.

     Response of Hongkong Post CA: The Hongkong Post CA has confirmed that the assessor has subsequently reviewed the assessment report of the RA operation outsourced to BOCHK and that no significant matters came to the assessor's attention which would indicate non-compliance with the sections of the Code of Practice relevant to the outsourced RA functions.

     Exception (iii): As part of Hongkong Post's CA system upgrade implementation project, and in conjunction with the HKSAR Immigration Department ("ImmD") for the rollout of the Hong Kong smart ID card implementation project launched in mid-2003, Hong Kong residents (when replacing their existing Hong Kong ID cards) have the option to apply for an e-Cert to be embedded in their new smart ID card. During the assessor's annual assessment for the year ended 31 December 2004, which focused on the security environment over the ImmD's systems and processes for transmitting and embedding the e-Cert on-card application and Application Load Unit file onto the smart ID cards, and on the relevant ImmD business continuity and recovery plans and procedures that contribute to the trustworthiness of the Hongkong Post CA trust model (collectively referred to as the "concerned areas"), the assessor noted that there was not enough information to assess the impact on the Hongkong Post CA trust model. Nevertheless, for those areas under the control of Hongkong Post, the assessor noted that reasonable steps have been undertaken to mitigate the risks associated with the concerned areas.

     Response of Hongkong Post CA: The Hongkong Post CA is using a trustworthy system to perform its services and has taken practical measures to deal with the risk associated with the issue.

  10. In addition to the exception noted in paragraph 9 above, the assessor identified other issues relating to the requirements stipulated in the Guidance Note on Compliance Assessment of Certification Authorities under the Electronic Transactions Ordinance (Cap. 553) published in January 2000 and all subsequent supplementary notes issued by the Director (Note 5), and in version 2.0 of the Guidance Note on Compliance Assessment of Certification Authorities under the Electronic Transactions Ordinance (Cap. 553) published in July 2004 and issued by the GCIO. The assessor drew attention to the following issues, which the assessor considered to be of particular significance.

     Issue (i): According to the e-Cert CPS dated August 2004, Hongkong Post CA would exercise reasonable endeavours to send to relevant subscribers a notice of revocation by email or by post within one week following the revocation. During the assessor's compliance testing of this process, the assessor noted that for some revocation requests the notice of revocation was sent to the subscribers more than one week after revocation.

     Response of Hongkong Post CA: The Hongkong Post CA has reviewed the existing revocation handling procedures and found them proper for the revocation operations specified in the CPS. The delayed notices did not affect the revoked status of the certificates published in the CRL. The notice of revocation is now issued by the Hongkong Post CA system automatically so that the timeframe set out in the CPS can be met.

     Issue (ii): Hongkong Post CA depreciated its computer systems and equipment on a straight-line basis over the period of their estimated useful life. The estimated useful life appeared to be longer than general industry practice for similar computer systems and equipment.

     Response of Hongkong Post CA: This (i.e. accounting depreciation) follows the accounting practice of Hongkong Post and is accepted by the Treasury of the HKSAR Government.

     Issue (iii): In previous years, the Hong Kong SAR Government assigned funds for upgrading certain computer systems to support the issuance of free e-Certs by Hongkong Post. Under the Statement of Standard Accounting Practice 35 ("SSAP 35") issued by the Hong Kong Institute of Certified Public Accountants (the "HKICPA"), the hardware and software components of these projects that are intended to be beneficially used and maintained by Hongkong Post should be included as fixed assets. The Hong Kong SAR Government also funded various marketing expenses and general administrative expenses incurred by Hongkong Post through government grants. Under SSAP 35 issued by the HKICPA, the income in relation to these grants to Hongkong Post should either be presented separately or be deducted in reporting the related expenses, with disclosure of the grants and their effect on any item of income or expense which is required to be separately disclosed in the notes to the financial projections.

     Response of Hongkong Post CA: As the inclusion or exclusion of these expenses and income has no implication for the viability of Hongkong Post CA from an accounting point of view, Hongkong Post CA will maintain the status quo.


Statutory Declaration

A. Date of the Declaration

  • The date of the declaration is 14 June 2005.

B. Material Information

  • A responsible officer of PMG declares that PMG has, from 1 January 2004 until 31 December 2004, complied with the provisions of the Ordinance and the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.

Note

  1. Versions 1.0, 2.0 and 2.1 of the Code of Practice for Recognized Certification Authorities issued under section 33 of the Ordinance.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.
  3. Certification practice statements.
  4. Recognized certification authority.
  5. The then Director of Information Technology Services.
  6. The responses to the exception and issues as reported by Hongkong Post CA and the notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.