
Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 31 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer (“GCIO”) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (“ETO”).)

Assessment Report and Statutory Declaration in respect of the enhancement of Hongkong Post e-Cert (Organisational Role)

Postmaster General (hereinafter referred to as Hongkong Post CA (“HKPCA”)) planned to enhance the certificate processing model of e-Cert (Organisational Role) (“e-Cert (OR)”). The enhancement will, among others, involve the following major changes:

  1. a new system interface between HKPCA and Hospital Authority (“HA”) to process electronic submission of certificate requests and related certification services;
  2. changes in network system and corresponding updates to the network system of the disaster recovery environment of HKPCA’s system;
  3. new procedures to handle generation and management of subscriber key pairs, and electronic submission of certificate signing requests and transfer of e-Cert (OR) certificates;
  4. changes in the sub-contracting agreement to cover new roles, responsibilities and obligations under the enhanced certificate processing model; and
  5. new procedure to integrate with the enhanced certificate processing workflow.

The GCIO considered that the changes involved in the enhancement of e-Cert (OR) are major changes. In this light, the GCIO had, by notice given to the HKPCA, required the HKPCA to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO. In this connection, the HKPCA arranged for an assessment report to be prepared by an independent assessor and furnished a statutory declaration made by a responsible officer of the HKPCA in relation to the enhancement of e-Cert (OR).

In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for the HKPCA as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the HKPCA. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

A. Date of the Report

  • The date of the report is 29 November 2019.

B. Material Information

  1. In the assessor's opinion, in all material respects:
    1. the management assertions, in respect of HKPCA’s capability to comply with the relevant sections of the COP (see Note 1) set out in Part 3A of Appendix 3 to PN-870 (see Note 2) as a result of the major changes for the enhancement of the Certificate Processing Model of e-Cert (OR) (see Note 3) as of the report issuance date, are reasonable. In particular, HKPCA is capable of:
      1. disclosing its business practices in its CPS (see Note 4) in accordance with international standards / industry practices with reference to the WebTrust standard and the applicable ETO and COP provisions and providing its services in accordance with its disclosed business practices; and
      2. reasonably complying with the relevant requirements in respect of the use of a trustworthy system and repositories implemented through such trustworthy system, where they are affected by the major changes for the enhancement of the Certificate Processing Model of e-Cert (OR).
    2. no information came to the assessor’s attention during the course of the assessment that would indicate that the management assertions, in respect of HKPCA’s capability to comply with the relevant sections of the COP set out in Part 3B of Appendix 3 to PN-870 as a result of the major changes for the enhancement of the Certificate Processing Model of e-Cert (OR), as of the report issuance date, are not reasonable;
    3. HKPCA has reasonably complied with international standards / industry practices with reference to the WebTrust standard and the applicable ETO and COP provisions for the major changes for the enhancement of the Certificate Processing Model of e-Cert (OR);
    4. The enhancement of the Certificate Processing Model of e-Cert (OR) is largely based on the existing technology and resources of HKPCA with Certizen as its Agent. It is considered that there are no material changes in the financial status of the RCA (see Note 5) for operating as such in accordance with the ETO and COP; and
    5. HKPCA with Certizen as its Agent has taken steps to put in place insurance arrangement to ensure that it is capable of covering the potential liabilities arising from or related to issuance and use of HKPCA’s certificates due to the major changes for the enhancement of the Certificate Processing Model of e-Cert (OR).


Statutory Declaration

A. Date of the Declaration

  • The date of the declaration is 4 December 2019.

B. Material Information

  • Having regard to enhancing the Certificate Processing Model of e-Cert (OR), a responsible officer of Hongkong Post CA declares that Hongkong Post CA as an RCA is capable of complying with the provisions of the ETO and the provisions of the COP which have been set out under paragraph 2 of Appendix of Annex I of the memorandum from GCIO dated 13 February 2019 (see Note 6).


Notes

  1. Code of Practice for Recognized Certification Authorities (“COP”) issued by the GCIO under section 33 of the ETO.
  2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.
  3. Paragraph 1 of Appendix of Annex I of the notice is reproduced below for reference:
    1. For the purpose of section 43A(1)(c)(i) of the ETO
    1.1 The following provisions of the ETO shall come within the scope of the assessment.
      1. Part X - General Provisions as to Recognized CAs:
        Sections 36, 37, 39, 40, 44 and 45(1).
      2. Part XI - Provisions as to Secrecy, Disclosure and Offences:
        Sections 46, 47 and 48.
    1.2 The following provisions of the COP shall come within the scope of the assessment.
      1. General Responsibilities of a Recognized CA:
        Paragraphs 3.1 to 3.6 inclusive and 3.8.
      2. Certification Practice Statement:
        Paragraphs 4.1 to 4.13 inclusive.
      3. Trustworthy System:
        Paragraphs 5.1 to 5.3 inclusive, 5.6 to 5.17 inclusive and 5.19 to 5.21 inclusive.
      4. Certificates and Recognized Certificates:
        Paragraphs 6.1 to 6.23 inclusive.
      5. Verification of subscriber’s identity:
        Paragraphs 7.1 to 7.2 inclusive.
      6. Reliance Limit and Liability Cover:
        Paragraphs 8.1 to 8.4 inclusive.
      7. Repositories:
        Paragraphs 9.1 to 9.5 inclusive.
      8. Disclosure of Information:
        Paragraphs 10.1 to 10.6 inclusive.
      9. Inter-operability:
        Paragraphs 15.1 and 15.2.
      10. All paragraphs in Appendix 1 of the Code of Practice.
  4. Certification Practice Statement (CPS).
  5. Recognized Certification Authority (RCA).
  6. Paragraph 2 of Appendix of Annex I of the notice is reproduced below for reference:
    2. For the purpose of section 43A(1)(d)(i) of the ETO
    2.1 A responsible officer of PMG shall make a statutory declaration which states that, having regard to PMG’s plan to enhance the certificate processing model of e-Cert (OR), PMG is capable of complying with the following provisions of the COP.
      1. General Responsibilities of a Recognized CA:
        Paragraphs 3.7 and 3.9.
      2. Trustworthy System:
        Paragraph 5.18.
      3. Disclosure of Information:
        Paragraphs 10.7 to 10.9 inclusive.
      4. Consumer Protection:
        Paragraph 16.1.