
Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 25 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer (GCIO) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (ETO). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration in respect of the Issuance of Bank-Cert (Personal), Bank-Cert (Corporate) and Bank-Cert (Bank)

Postmaster General (hereinafter referred to as Hongkong Post CA (HKPCA)) planned to issue recognized digital certificates, namely Bank-Cert (Personal), Bank-Cert (Corporate) and Bank-Cert (Bank), for the e-Cheque initiative.  The issuance of the recognized digital certificates will, among others, involve the following major changes:

  1. there will be a new root CA and a new sub CA to issue the proposed types of certificates;
  2. system changes to the systems, software and procedures will be introduced;
  3. a subcontract will be made between the operator of HKPCA and the bank as a Registration Bank;
  4. the bank's Know-Your-Customer process will be relied on for identity verification of the subscribers; and
  5. the Front Office of the Registration Bank will handle the generation and management of subscriber's key pairs on behalf of the subscriber.

The GCIO considered that the changes involved in the issuance of recognized digital certificates are major changes.  In this light, the GCIO had, by notice given to the HKPCA, required the HKPCA to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO.  In this connection, the HKPCA arranged the preparation of an assessment report produced by an independent assessor as well as furnished a statutory declaration made by a responsible officer of the HKPCA in relation to the issuance of recognized digital certificates for the e-Cheque initiative.

In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for the HKPCA as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the HKPCA.  Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

A. Date of the Report

  • The date of the report is 28 October 2015.

B. Material Information

  1. in the assessor's opinion, in all material respects,
    1. The management assertions in respect of the capability of HKPCA, with Certizen as its agent, in connection to the major changes, to comply with the relevant provisions of the ETO applicable to a RCA (see Note 1) and the COP (see Note 2) that are set out in paragraph 1 of Appendix I of the Notice (see Note 3) are reasonable as of the date of this report.  In particular, HKPCA with Certizen as its agent:
      1. is capable of disclosing its business practices associated with the major changes in its Bank-Cert CPS (see Note 4) in accordance with the provisions of the ETO applicable to a RCA and the COP and providing its services in accordance with its disclosed business practices;
      2. has reasonably complied with the requirements in respect of the use of a trustworthy system to support its operations in relation to the major changes in accordance with section 37 of the ETO and the COP; and
      3. has reasonably complied with the requirements in respect of the recognition of its certificates in relation to the major changes in accordance with the provisions of the ETO applicable to a RCA and the COP.
    2. the management assertions in respect of the capability of HKPCA, with Certizen as its agent, in connection to the major changes, to comply with the issuance of Bank-Cert for e-Cheque initiative are reasonable as of the date of this report, specifically,
      1. compliance between its Bank-Cert CPS and the provisions in the issuance of Bank-Cert CPS for e-Cheque initiative are reasonable; and
      2. its capability to comply with the provisions of its Bank-Cert CPS and the issuance of Bank-Cert CPS for e-Cheque initiative are reasonable.

    More specifically, HKPCA with Certizen as its agent:

    1. has established the relevant business processes to provide certification services and related infrastructure regarding the major changes in accordance with the provisions of the Bank-Cert CPS.

Statutory Declaration

A. Date of the Statutory Declaration

  • The date of the declaration is 13 November 2015.

B. Material Information

  • Having regard to HKPCA's revamping the existing recognized digital certificates, Bank-Cert (Personal)/(Corporate), and issuing a new type of recognized digital certificate, namely Bank-Cert (Bank), a responsible officer of HKPCA declares that HKPCA as an RCA is capable of complying with the provisions of the ETO and the provisions of the Code of Practice which have been set out under paragraph 2 of Appendix I of the Notice from the GCIO dated 26 August 2015 (see Note 5).

Notes

  1. Recognized Certification Authority (RCA).
  2. Code of Practice for Recognized Certification Authorities (COP) issued under section 33 of the ETO.
  3. Paragraph 1 of Appendix I of the Notice is reproduced below for reference:

    1.   For the purpose of section 43A(1)(c)(i) of the Electronic Transactions Ordinance (Cap. 553) (ETO)

    1.1 The following provisions of the ETO shall come within the scope of the assessment.

    1. Part X – General Provisions as to Recognized CAs:
      Sections 36, 37, 39, 40, 44 and 45(1).
    2. Part XI – Provisions as to Secrecy, Disclosure and Offences:
      Sections 46, 47 and 48.

    1.2 The following provisions of the COP shall come within the scope of the assessment.

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.1 to 3.6 inclusive and 3.8.
    2. Certification Practice Statement:
      Paragraphs 4.1 to 4.13 inclusive.
    3. Trustworthy System:
      Paragraphs 5.1 to 5.3 inclusive, 5.6 to 5.17 inclusive and 5.19 to 5.21 inclusive.
    4. Certificates and Recognized Certificates:
      Paragraphs 6.1 to 6.23 inclusive.
    5. Verification of subscriber’s identity:
      Paragraphs 7.1 to 7.2 inclusive.
    6. Reliance Limit and Liability Cover:
      Paragraphs 8.1 to 8.4 inclusive.
    7. Repositories:
      Paragraphs 9.1 to 9.5 inclusive.
    8. Disclosure of Information:
      Paragraph 10.1.
    9. Inter-operability:
      Paragraphs 15.1 and 15.2.
    10. All paragraphs in Appendix 1 of the Code of Practice.
  4. Certification Practice Statement (CPS).
  5. Paragraph 2 of Appendix I of the Notice is reproduced below for reference:

    2.   For the purpose of section 43A(1)(d)(i) of the ETO

    2.1 A responsible officer of Postmaster General (PMG) shall make a statutory declaration which states that, having regard to PMG’s plan to revamp the existing recognized digital certificates, Bank-Cert (Personal)/(Corporate), and issue a new type of recognized digital certificate, namely Bank-Cert (Bank), PMG is capable of complying with the following provisions of the COP:

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.7 and 3.9.
    2. Trustworthy System:
      Paragraph 5.18.
    3. Disclosure of Information:
      Paragraphs 10.7 to 10.9 inclusive.
    4. Consumer Protection:
      Paragraph 16.1.