OGCIO

Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 23 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer (GCIO) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (ETO). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration in respect of the issuance of e-Cert (Personal) with Mutual Recognition Status and e-Cert (Organisational) with Mutual Recognition Status

Postmaster General (hereinafter referred to as Hongkong Post CA) planned to enhance two types of existing recognized certificates, namely e-Cert (Personal) certificate and e-Cert (Organisational) certificate for participation in the mutual recognition scheme under the "Arrangement for Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong".

The GCIO considered the changes involved in the above initiative to be major changes. In this light, the GCIO had, by notice given to the Hongkong Post CA, required the Hongkong Post CA to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO. In this connection, the Hongkong Post CA arranged the preparation of an assessment report by an independent assessor and furnished a statutory declaration made by a responsible officer of the Hongkong Post CA in respect of the enhancement of the aforesaid certificate types.

In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for the Hongkong Post CA as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the Hongkong Post CA. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

A. Date of the Report

  • The date of the report is 27 November 2014.

B. Material Information

  1. In the assessor's opinion, in all material respects,
    1. the management assertions in respect of the capability of HKPCA, with Certizen as its agent, in connection to the major changes, to comply with the relevant provisions of the ETO applicable to a RCA (see Note 1) and the Code of Practice (see Note 2) that are set out in paragraph 1 of Appendix I of the Notice (see Note 3) and the MRCP (see Note 4) are reasonable (see Note 5) as of the date of this report. In particular, HKPCA with Certizen as its agent:
      1. is capable of disclosing its business practices associated with the major changes in its e-Cert CPS (see Note 6) in accordance with the provisions of the ETO applicable to a RCA, the COP and the MRCP and providing its services in accordance with its disclosed business practices;
      2. has reasonably complied with the requirements in respect of the use of a trustworthy system to support its operations in relation to the major changes in accordance with section 37 of the ETO, the COP and the MRCP; and
      3. has reasonably complied with the requirements in respect of the recognition of its certificates in relation to the major changes in accordance with the provisions of the ETO applicable to a RCA, the COP and the MRCP.
    2. the management assertions in respect of the capability of HKPCA, with Certizen as its agent, in connection to the major changes, to comply with the MRCP are reasonable as of the date of this report, specifically,
      1. compliance between its e-Cert CPS and the provisions in the MRCP is reasonable; and
      2. its capability to comply with the provisions of its e-Cert CPS and the MRCP is reasonable.

Statutory Declaration

A. Date of the Statutory Declaration

  • The date of the declaration is 31 December 2014.

B. Material Information

  • Having regard to the issuance of e-Cert (Personal) and e-Cert (Organisational) certificates for participation in the Mutual Recognition Scheme for Certificates, a responsible officer of Hongkong Post CA declares that Hongkong Post CA as a RCA is capable of complying with the provisions of the ETO and the provisions of the Code of Practice and the MRCP which have been set out under paragraph 2 of Appendix 1 of the notice from GCIO dated 30 September 2014 (Note 7).

Notes

  1. Recognized certification authority.
  2. Code of Practice for Recognized Certification Authorities issued under section 33 of the ETO.
  3. Paragraph 1 of Appendix I of the notice is reproduced below for reference:

    For the purpose of section 43A(1)(c)(i) of the ETO 

    1.1 The following provisions of the ETO shall come within the scope of the assessment.

    1. Part X – General Provisions as to Recognized CAs:
      Sections 36, 37, 39, 40, 44 and 45(1).
    2. Part XI – Provisions as to Secrecy, Disclosure and Offences:
      Sections 46, 47 and 48.

    1.2 The following provisions of the Code of Practice shall come within the scope of the assessment.

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.1 to 3.6 inclusive and 3.8.
    2. Certification Practice Statement:
      Paragraphs 4.1 to 4.13 inclusive.
    3. Trustworthy System:
      Paragraphs 5.1 to 5.3 inclusive, 5.6 to 5.17 inclusive and 5.19 to 5.21 inclusive.
    4. Certificates and Recognized Certificates:
      Paragraphs 6.1 to 6.23 inclusive.
    5. Verification of subscriber’s identity:
      Paragraphs 7.1 to 7.2 inclusive.
    6. Reliance Limit and Liability Cover:
      Paragraphs 8.1 to 8.4 inclusive.
    7. Repositories:
      Paragraphs 9.1 to 9.5 inclusive.
    8. Disclosure of Information:
      Paragraph 10.1.
    9. Inter-operability:
      Paragraphs 15.1 and 15.2.
    10. All relevant paragraphs in Appendix 1 of the Code of Practice, which are applicable to the requirements stipulated in the MRCP.
  4. The Certificate Policy for Mutual Recognition of Electronic Signature Certificates.
  5. With reference to the "Arrangement for Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong" (in Chinese《粵港兩地電子簽名證書互認辦法》), please check the latest mutual recognition status of relevant digital certificates in the following trust list:  

    Traditional Chinese:

    https://www.ogcio.gov.hk/tc/our_work/business/mainland/cepa/mr_ecert/trust_list/index.html

    Simplified Chinese:

    https://www.ogcio.gov.hk/sc/our_work/business/mainland/cepa/mr_ecert/trust_list/index.html

    English:

    https://www.ogcio.gov.hk/en/our_work/business/mainland/cepa/mr_ecert/trust_list/index.html

  6. Certification Practice Statement (CPS).
  7. Paragraph 2 of Appendix I of the notice is reproduced below for reference:

    For the purpose of section 43A(1)(d)(i) of the ETO

    2.1 A responsible officer of PMG shall make a statutory declaration which states that, having regard to PMG’s planned issuance of e-Cert (Personal) and e-Cert (Organisational) certificates, PMG is capable of complying with the following provisions of the Code of Practice:

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.7 and 3.9.
    2. Trustworthy System:
      Paragraph 5.18.
    3. Disclosure of Information:
      Paragraphs 10.7 to 10.9 inclusive.
    4. Consumer Protection:
      Paragraph 16.1.

    2.2 A responsible officer of PMG shall make a statutory declaration which states that, having regard to PMG’s planned issuance of e-Cert (Personal) and e-Cert (Organisational) certificates, PMG is capable of complying with the MRCP.

  8. The notes in the above paragraphs are disclosed in accordance with section 31(2) of the ETO.