OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 8 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance").)

Assessment Report and Statutory Declaration (1 January 2005 - 31 December 2005)

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for the Postmaster General as a recognized certification authority the date of and the material information in the assessment report and statutory declaration on the certification authority ("CA") services of the Postmaster General. Only those parts of the report and statutory declaration containing material information are herewith published.

The Postmaster General is hereinafter referred to as the "Hongkong Post CA".

Assessment Report

A. Date of the Report

  • The date of the report is 20 January 2006.

B. Material Information

  1. The assessment report is prepared by the assessor for the period between 1 January 2005 and 31 December 2005.

Recognized CA Practices

  2. With the exception noted in paragraph 9 below, in the assessor's opinion, in all material respects:
    (a) the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice (Note 1) set out in Part 3A of Appendix 3 to Practice Note 870 (Note 2) for the period from 1 January 2005 to 31 December 2005 are reasonable. In particular, Hongkong Post CA has:
      (i) disclosed its business practices in its CPSs (Note 3) in accordance with the Ordinance applicable to a RCA (Note 4) and the Code of Practice and provided its services in accordance with its disclosed business practices;
      (ii) reasonably complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      (iii) reasonably complied with the requirements in respect of recognition of its certificates in accordance with the provisions of the Ordinance applicable to a RCA and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice set out in Part 3B of Appendix 3 to Practice Note 870 for the period from 1 January 2005 to 31 December 2005 are not reasonable; and
    (c) based on the conclusions drawn in paragraphs (a) and (b) above in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1 January 2005 to 31 December 2005, the management assertions in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1 January 2005 to 31 December 2005 are reasonable.

Financial projections

  3. In the assessor's opinion, in all material respects, the accounting policies upon which Hongkong Post CA's cashflow projections for the two 6-month period intervals from 1 November 2005 to 30 April 2006 and from 1 May 2006 to 31 October 2006, financial position forecasts as at 30 April 2006 and as at 31 October 2006, and projection of operating costs for the period from 1 November 2005 to 31 January 2006, in respect of the CA's operations relevant under the Ordinance are based, are consistent with those normally adopted by the Electronic Services Section of Hongkong Post and conform with generally accepted accounting principles adopted in Hong Kong, and the financial projections have been properly compiled on the basis of the assumptions made by the management of Hongkong Post CA.
  4. It has been ascertained from Hongkong Post CA that the amount of net current assets (i.e. current assets less current liabilities) as shown in the unaudited management accounts of Hongkong Post CA for the 7 months period ended 31 October 2005 was a negative number (i.e. a net current liability).
  5. Net current assets being negative cannot fund the projected operating costs. However, Hongkong Post has confirmed that it will provide continued financial support to enable Electronic Services Section of Hongkong Post to meet its liabilities as and when they fall due.
  6. The assessor has not carried out any verification work on the unaudited management accounts of Hongkong Post CA for the period ended 31 October 2005.

Potential liabilities

  7. Due to the nature of the industry in which Hongkong Post CA operates, there is uncertainty in determining Hongkong Post CA's potential liabilities given the limited history of past claims (both in Hong Kong and other parts of the world for risks of this nature).
  8. In the assessor's opinion, in all material respects, the management assertion that Hongkong Post CA has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issuance of certificates is reasonable.

Exception and issues

  9. As a result of its assessment, the assessor drew attention to the exception below which the assessor considered to be of particular significance.
    i. Exception: As part of Hongkong Post's CA system upgrade implementation project and in conjunction with the HKSAR Immigration Department ("ImmD") for the rollout of the Hong Kong smart ID card implementation project launched in mid 2003, Hong Kong residents (when replacing their existing Hong Kong ID cards) have the option to apply for an e-Cert to be embedded in their new smart ID card. During the assessor's annual assessment for the year ended 31 December 2005 focusing on the security environment over the ImmD's systems and processes for transmitting and embedding the e-Cert on-card application and Application Load Unit file onto the Smart ID cards, and the relevant ImmD business continuity and recovery plans and procedures that contribute to the trustworthiness of the Hongkong Post CA trust model (which are collectively referred to as the "concerned areas"), the assessor noted that there was not enough information to assess the impact on the Hongkong Post CA trust model. Nevertheless, for those areas under the control of Hongkong Post, the assessor noted that reasonable steps have been undertaken to mitigate the risks associated with the concerned areas.
       Response of Hongkong Post CA: The Hongkong Post CA is using a trustworthy system to perform its services and has taken practical measures to deal with the risk associated with the issue.

Statutory Declaration

A. Date of the Declaration

  • The date of the declaration is 13 January 2006.

B. Material Information

  • A responsible officer of PMG declares that PMG has, from 1 January 2005 until 31 December 2005, complied with the provisions of the Ordinance and the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.

Note

  1. Code of Practice for Recognized Certification Authorities issued by the GCIO under section 33 of the Ordinance.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.
  3. Certification practice statements.
  4. Recognized certification authority.
  5. The responses to the exception and issues as reported by Hongkong Post CA and the notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.