OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 13 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer ("GCIO") under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance").)

Assessment Report and Statutory Declaration (1 January 2008 - 31 December 2008)

In accordance with section 43(3) of the Ordinance, the GCIO must publish in the disclosure record for the Postmaster General as a recognized certification authority the dates of and the material information in the assessment report and statutory declaration on the certification authority ("CA") services of the Postmaster General. Only those parts of the report and statutory declaration containing material information are herewith published.

The Postmaster General is hereinafter referred to as the "Hongkong Post CA".

Assessment Report

A. Date of the Report

  • The date of the report is 19 January 2009.

B. Material Information

  1. The assessment report was prepared by the assessor for the period between 1 January 2008 and 31 December 2008.

Recognized CA Practices

  2. Except for the item highlighted in paragraph 10 below, in the assessor's opinion, in all material respects:
    (a) the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice (Note 1) set out in Part 3A of Appendix 3 to Practice Note 870 (Note 2) for the period from 1 January 2008 to 31 December 2008 are reasonable. In particular, Hongkong Post CA has:
      1. disclosed its business practices in its CPSs (Note 3) in accordance with the Ordinance applicable to a RCA (Note 4) and the Code of Practice and provided its services in accordance with its disclosed business practices;
      2. reasonably complied with the requirements in respect of the use of a trustworthy system to support its operations in accordance with section 37 of the Ordinance and the Code of Practice; and
      3. reasonably complied with the requirements in respect of recognition of its certificates in accordance with the provisions of the Ordinance applicable to a RCA and the Code of Practice;
    (b) no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Hongkong Post CA's compliance with the sections of the Code of Practice set out in Part 3B of Appendix 3 to Practice Note 870 for the period from 1 January 2008 to 31 December 2008 are not reasonable; and
    (c) based on the conclusions drawn in paragraphs (a) and (b) above in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1 January 2008 to 31 December 2008, the management assertions in respect of Hongkong Post CA's compliance with the provisions of the Ordinance applicable to a RCA for the period from 1 January 2008 to 31 December 2008 are reasonable.

Financial projections

  3. In the assessor's opinion, in all material respects, the accounting policies upon which Hongkong Post CA's cashflow projections for the two 6-month period intervals from 1 November 2008 to 30 April 2009 and from 1 May 2009 to 31 October 2009, financial position forecasts as at 30 April 2009 and as at 31 October 2009, and projection of operating costs for the period from 1 November 2008 to 31 January 2009, in respect of the RCA's operations relevant under the Ordinance are based, are consistent with those normally adopted by Hongkong Post CA and conform with generally accepted accounting principles adopted in Hong Kong, and the financial projections have been properly compiled on the basis of the assumptions made by the management of Hongkong Post CA.
  4. It has been ascertained from Hongkong Post CA that the amount of net current assets (i.e. current assets less current liabilities) as shown in the unaudited management accounts of Hongkong Post CA for the 7 months period ended 31 October 2008 was nil.
  5. It has been ascertained from Hongkong Post CA that the 90-day projection of operating costs from 1 November 2008 to 31 January 2009 was nil.
  6. A comparison of the figures in the above paragraphs reveals that both net current assets and the projected 90-day operating costs were nil.
  7. The assessor has not carried out any verification work on the unaudited management accounts of Hongkong Post CA for the period ended 31 October 2008.

Potential liabilities

  8. Due to the nature of the industry in which Hongkong Post CA operates, there is uncertainty in determining Hongkong Post CA's potential liabilities given the limited history of past claims (both in Hong Kong and other parts of the world for risks of this nature).
  9. In the assessor's opinion, in all material respects, the management assertions that Hongkong Post CA has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issuance of certificates are reasonable.

Matter Arising

  10. Matter Arising (Note 5)
    i. The assessor understands that the HKSAR Government Logistics Department has been using i-Cert certificates for its Electronic Tendering System ("ETS") which are non-recognized certificates issued by Global e-Business Services Limited (which is a business alliance company of Hongkong Post CA) to companies or individuals outside of Hong Kong for use in the ETS. The assessor further understands that i-Cert certificates are issued under a sub-root certificate named "Global e-Business Services Limited" which, in turn, is issued by a non-recognized root certificate named "Hongkong Post Commercial 1" owned by Hongkong Post CA. Under section 3.8 of the Code of Practice, it states that if a RCA issues to the public both recognized certificates and certificates which are not recognized certificates, the RCA shall publicise in its CPS(s) and repository the fact that it issues these two categories of certificates. Users of i-Cert certificates, which are not recognized under the Ordinance, may have a perception that there is some form of association between the RCA service of Hongkong Post CA and i-Cert certificates. Therefore, the assessor recommends that Hongkong Post CA with E-Mice (Note 6) as its agent discloses this fact in its CPSs for public knowledge.

    Response of Hongkong Post CA
    • The non-recognized root certificate "Hongkong Post Commercial 1" and non-recognized sub-root certificate "Global e-Business Services Limited" were issued on 18 April 2004.
    • Hongkong Post CA stated that based on the assessments by independent assessors over the years and to the best of their knowledge and belief, Hongkong Post CA has been complying with the requirements of the Code of Practice in respect of the non-recognized root and sub-root certificates. The issuance of the non-recognized root and sub-root certificates does not affect the trustworthiness of the system of Hongkong Post CA for recognized CA services. In particular:

      • separate private keys (i.e. private key of "Hongkong Post Root CA 1" and private key of "Hongkong Post Commercial 1") are used to sign recognized certificates and non-recognized certificates respectively;
      • the repository for recognized certificates does not publish non-recognized certificates and any related information (e.g. CPS, subscriber agreement, suspension and revocation information, etc.); and
      • Hongkong Post CA had drawn the attention of Global e-Business Services Limited and other relevant external parties to the significance of using and relying upon the non-recognized root certificate and non-recognized sub-root certificate since the issuance of such certificates.
    • Hongkong Post CA with E-Mice as its agent has taken the assessor's recommendation and disclosed the fact for public knowledge.
  11. Regarding the matter arising identified by the assessor:
    (a) it is noted that Hongkong Post CA issues the non-recognized root certificate named "Hongkong Post Commercial 1" and the non-recognized sub-root certificate called "Global e-Business Services Limited". In this regard, Hongkong Post CA shall comply with the following requirements stipulated in paragraphs 3.8, 4.4, 6.1 and 6.5 of the Code of Practice which are related to the issuance of non-recognized certificates by a recognized CA:
      1. publicize in its CPS(s) and repository the fact that Hongkong Post CA issues both recognized and non-recognized certificates;
      2. draw the attention of its subscribers and persons who may rely upon those non-recognized certificates to the significance of using and relying upon those certificates;
      3. use separate private keys to sign recognized and non-recognized certificates respectively; and
      4. use separate repositories to publish recognized and non-recognized certificates.

      It is noted from the response of Hongkong Post CA that compliance measures for the requirements mentioned above have been taken;

    (b) the GCIO considered that the matter had no significant impact to the trustworthiness of the recognized CA operation of Hongkong Post CA based on past assessment results and the clarification provided by Hongkong Post CA that the keys and repository for its recognized CA service have not been used for the non-recognized certificates.

Statutory Declaration

A. Date of the Declaration

  • The date of the declaration is 19 January 2009.

B. Material Information

  • A responsible officer of Hongkong Post CA declares that Hongkong Post CA has, from 1 January 2008 until 31 December 2008, complied with the provisions of the Ordinance and the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.

Notes

  1. Code of Practice for Recognized Certification Authorities issued by the GCIO under section 33 of the Ordinance.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.
  3. Certification practice statements.
  4. Recognized certification authority.
  5. Matter disclosed from the assessment.
  6. E-Mice Solution (HK) Limited is the outsourcing contractor of Postmaster General in operating Postmaster General's CA operation.
  7. The response to the matter arising as reported by Hongkong Post CA and the notes in the above paragraphs are disclosed in accordance with section 31(2) of the Ordinance.