Disclosure Records of Recognized Certification Authorities
Disclosure Record for the Postmaster General
(This is page 19 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer (GCIO) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (ETO). Click this link to go back to page 1 of the disclosure record.)
Assessment Report and Statutory Declaration in respect of the Issuance of e-Cert (Organisational Role) Certificate
Postmaster General (hereinafter referred to as Hongkong Post CA) planned to issue a new type of recognized certificate, namely e-Cert (Organisational Role), for the Hospital Authority (HA). The issuance of this new type of recognized certificate would involve a) HA will be appointed as a registration authority to accept certificate application and perform identity authentication for the new type of certificate with 1 – 4 years of validity period; b) introduction of new certificate application procedures, which involves new systems maintained by HA, for submission of the application information to the Hongkong Post CA; c) new application will be developed in Hongkong Post CA’s system to process the application information submitted by HA via email; and d) relevant identity documents (e.g. HKID or passport) of the certificate applicants will be kept by HA, instead of Hongkong Post CA, as evidence for verification of their identity.
The GCIO considered that the changes as set out in the preceding paragraph as major changes. In this light, the GCIO had, by notice given to the Hongkong Post CA, required the Hongkong Post CA to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO. In this connection, the Hongkong Post CA arranged the preparation of an assessment report produced by an independent assessor as well as furnished a statutory declaration made by a responsible officer of the Hongkong Post CA in respect of the issuance of e-Cert (Organisational Role) certificate.
In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for the Hongkong Post CA as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the Hongkong Post CA. Only those parts of the report and statutory declaration containing material information are herewith published.
Assessment Report
A. Date of the Report
- The date of the report is 13 September 2012.
B. Material Information
- In the assessor's opinion, in all material respects, the management assertions in respect of the capability of HongKong Post CA, with Certizen as its agent and HA as the agent of Certizen, in connection to the major changes, to comply with the relevant sections of the ETO applicable to a RCA (see Note 1) and COP (see Note 2) that are set out in Annex II of the Notice (see Note 3), are reasonable as of the date of this report. In particular, HongKong Post CA, with Certizen as its agent and HA as agent of Certizen:
- is capable of disclosing its business practices associated with the e-Cert (Organisational Role) certificate in its CPSs (see Note 4) in accordance with the provisions of the ETO applicable to a RCA and the COP and providing its services in accordance with its disclosed business practices;
- has reasonably complied with the requirements in respect of the use of a trustworthy system to support HongKong Post CA’s operations in relation to the issuance of the e-Cert (Organisational Role) in accordance with section 37 of the ETO and the COP;
- has reasonably complied with the requirements in respect of the recognition of HongKong Post CA’s certificates in relation to the issuance of the e-Cert (Organisational Role) in accordance with the provisions of the ETO applicable to a RCA and the COP;
- has reasonably satisfied the relevant provision of ETO applicable to a RCA and COP that are set out in Annex II in the Notice from GCIO (see Note 2) regarding the issuance of e-Cert (Organisational Role) certificate; and
- has arrangement of appropriate insurance cover, also covering the liabilities of HA, in relation to the issuance of the e-Cert (Organisational Role).
Statutory Declaration
A. Date of the Statutory Declaration
- The date of the declaration is 10 October 2012
B. Material Information
- Having regard to the issuance of the e-Cert (Organisational Role), a responsible officer of Hongkong Post CA declares that HongKong Post CA as a RCA is capable of complying with the provisions of the Code of Practice (see Note 2) which have been set out under paragraph 2 of Appendix 2 of the Code of Practice.
Notes
- Recognized certification authority.
- Code of Practice for Recognized Certification Authorities (version 3.0) issued under section 33 of the ETO.
- Paragraph 1 of Annex II of the Notice from the GCIO is reproduced below for reference:
Relevant Provisions of the ETO
- Part X – General Provisions as to Recognized CAs:
Sections 36, 37, 39, 40, 44 and 45(1). - Part XI – Provisions as to Secrecy, Disclosure and Offences:
Section 46, 47 and 48.
- Part X – General Provisions as to Recognized CAs:
-
Relevant Provisions of the Code of Practice
- General Responsibilities of a Recognized CA:
Paragraphs 3.1 to 3.6 inclusive and 3.8. - Certification Practice Statement:
Paragraphs 4.1 to 4.13 inclusive. - Trustworthy System:
Paragraphs 5.1 to 5.3 inclusive, 5.6 to 5.17 inclusive and 5.19 to 5.21 inclusive. - Certificates and Recognized Certificates:
Paragraphs 6.1 to 6.23 inclusive. - Verification of Subscriber's Identity:
Paragraphs 7.1 to 7.2 inclusive. - Reliance Limit and Liability Cover:
Paragraphs 8.1 to 8.4 inclusive. - Repositories:
Paragraphs 9.1 to 9.5 inclusive. - Disclosure of Information:
Paragraph 10.1. - Inter-operability:
Paragraphs 15.1 and 15.2. - All paragraphs in Appendix 1 of the Code of Practice.
- General Responsibilities of a Recognized CA:
- Certification Practice Statement (CPS).
- The notes in the above paragraphs are disclosed in accordance with section 31(2) of the ETO.
