OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 11 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance").)

Assessment Report and Statutory Declaration in respect of the Launch of e-Cert File Card

The Postmaster General planned to launch the e-Cert File Card as an alternative storage medium, in addition to the floppy diskette, for the storage of e-Cert upon issuance. It is noted that the launch of the e-Cert File Card would involve development of new issuance software and procedures which provide the major certification authority ("CA") function to embed e-Cert onto the e-Cert File Card in a secure manner. It is considered that the e-Cert File Card would cause changes to the systems, procedures and security arrangements of the Postmaster General's CA operation.

The GCIO considered the changes set out in the preceding paragraph to be major changes. In this light, the GCIO had, by notice given to the Postmaster General, required the Postmaster General to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the Ordinance. In this connection, the Postmaster General arranged the preparation of an assessment report produced by an independent assessor and furnished a statutory declaration made by a responsible officer of the Postmaster General in respect of the launch of the e-Cert File Card.

In accordance with section 43A(3) of the Ordinance, the GCIO must publish in the disclosure record for the Postmaster General as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the Postmaster General. Only those parts of the report and statutory declaration containing material information are herewith published.

The Postmaster General is hereinafter referred to as the "Hongkong Post CA".

Assessment Report

A. Date of the Report

  • The date of the report is 9 July 2007.

B. Material Information

  1. Apart from the matters noted in paragraph 2 below, in the assessor's opinion, in all material respects:
    (a) the management assertions, in respect of Hongkong Post CA's capability to comply with the relevant sections of the Code of Practice (Note 1) set out in Part 3A of Appendix 3 to PN-870 (Note 2) as a result of the significant change (Note 3) as of the date of assessment 9 July 2007, are reasonable. In particular, Hongkong Post CA is capable of:
      1. disclosing its business practices associated with the e-Cert File Cards in its CPSs (Note 4) in accordance with the provisions of the Ordinance applicable to a RCA (Note 5) and the Code of Practice and providing its services in accordance with its disclosed business practices;
      2. reasonably complying with the requirements in respect of the use of a trustworthy system, where it is affected by components related to the issuance of the e-Cert File Cards, to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      3. reasonably complying with the requirements in respect of recognition of its certificates that are affected by the e-Cert File Cards in accordance with the provisions of the Ordinance applicable to a RCA and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions, in respect of Hongkong Post CA's capability to comply with the relevant sections of the Code of Practice set out in Part 3B of Appendix 3 to PN-870 as a result of the significant change as of the date of assessment 9 July 2007, are not reasonable; and
    (c) based on the conclusions drawn in paragraphs (a) and (b) above in respect of Hongkong Post CA's capability to comply with the relevant provisions of the Ordinance applicable to a RCA in connection with the significant change as of the date of assessment 9 July 2007, the management assertions, in respect of Hongkong Post CA's capability to comply with the relevant provisions of the Ordinance applicable to a RCA in connection with the significant change, are reasonable.

    Matters Arising (Note 6)

  2. Matters arising and the response of Hongkong Post CA:
    i. Matter arising: Given that most of the procedures and controls designed to ensure compliance with the Ordinance and the Code of Practice would be implemented between 9 July 2007 (i.e., the completion date of the assessor's assessment work) and the tentative scheduled launch date of 27 July 2007 for the significant change, the assessor was unable to ascertain whether such procedures and controls would be effectively implemented on or before the tentative scheduled launch date. Despite the above, the assessor noted that E-Mice (Note 7) had put in place an implementation plan for these procedures and controls which the assessor understood will be implemented.

       Response of Hongkong Post CA: The procedures and controls include deployment of CA system changes and application forms, training to related parties and marketing and promotional arrangement. E-Mice, as an outsourcing contractor of the Hongkong Post CA's operation, has taken actions to ensure E-Mice's capability to comply with the relevant requirements of the Ordinance and the Code of Practice applicable to a RCA in connection with the introduction of the e-Cert File Card.

Statutory Declaration

A. Date of the Declaration

  • The date of the declaration is 11 July 2007.

B. Material Information

  • Having regard to the launch of the e-Cert File Card scheduled for July 2007 as a new storage medium for e-Cert as part of the Postmaster General's RCA operation, a responsible officer of Hongkong Post CA declares that the Postmaster General as a RCA is capable of complying with the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.

Notes

  1. Code of Practice for Recognized Certification Authorities issued by the GCIO under section 33 of the Ordinance.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.
  3. Major changes in connection with the issuance of the e-Cert File Cards.
  4. Certification practice statements.
  5. Recognized certification authority.
  6. Matters disclosed from the assessment.
  7. E-Mice Solution (HK) Limited is the outsourcing contractor of the Postmaster General in operating the Postmaster General's CA operation.
  8. The responses to the matters arising as reported by Hongkong Post CA and the notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.