Disclosure Records of Recognized Certification Authorities

Disclosure Record for the Postmaster General

(This is page 33 of the disclosure record for the Postmaster General maintained by the Government Chief Information Officer (“GCIO”) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (“ETO”). Click this link to go back to page 1 of the disclosure record.)

Assessment Report and Statutory Declaration in respect of the issuance of Hongkong Post iAM Smart-Cert

Postmaster General (hereinafter referred to as Hongkong Post CA (“HKPCA”)) planned to issue new recognized certificate, iAM Smart-Cert, in support of iAM Smart of the Office of the Government Chief Information Officer (“OGCIO”).  The issuance of the recognized certificate will, among others, involve the following major changes:

1. changes in HKPCA infrastructure arising from the issuance of iAM Smart-Cert;
2. a new system interface between HKPCA and iAM Smart System of OGCIO to process electronic submission of applications for iAM Smart-Cert;
3. changes in the generation and management of iAM Smart-Cert;
4. new procedure to handle the application for iAM Smart-Cert;
5. new identity verification process for verifying the identity of the applicants and subscribers; and
6. new arrangement, and roles and responsibilities in supporting the operation of iAM Smart-Cert.

The GCIO considered that the changes involved in the issuance of iAM Smart-Cert are major changes. In this light, the GCIO had, by notice given to the HKPCA, required the HKPCA to furnish to the GCIO an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO. In this connection, the HKPCA arranged the preparation of an assessment report produced by an independent assessor as well as furnished a statutory declaration made by a responsible officer of the HKPCA in relation to the issuance of iAM Smart-Cert.

In accordance with section 43A(3) of the ETO, the GCIO must publish in the disclosure record for the HKPCA as a recognized CA the dates of and the material information in the assessment report and statutory declaration on the CA services of the HKPCA. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

A. Date of the Report

• The date of the report is 15 July 2020.

B. Material Information

1. In the assessor's opinion, in all material respects:
   1. the management assertions, in respect of HKPCA’s capability to comply with the relevant sections of the COP (see Note 1) set out in Part 3A of Appendix 3 to PN-870 (see Note 2) as a result of the major changes for the issuance of the iAM Smart-Cert (see Note 3) as of the report issuance date, are reasonable. In particular, HKPCA is capable of:
      
      1. disclosing its business practices in the iAM Smart-Cert Certification Practice Statement in accordance with international standards / industry practices with reference to the WebTrust standard and the applicable ETO and COP provisions and providing its services in accordance with its disclosed business practices; and
      2. reasonably complying with the relevant requirements in respect of the use of a trustworthy system and repositories implemented through such trustworthy system, where they are affected by the major changes for the issuance of the new recognized certificate iAM Smart-Cert.
   2. no information came to the assessor’s attention during the course of the assessment that would indicate that the management assertions, in respect of HKPCA’s capability to comply with the relevant sections of the COP set out in Part 3B of Appendix 3 to PN-870 as a result of the major changes for the issuance of the new recognized certificate iAM Smart-Cert, as of the report issuance date, are not reasonable;
   3. HKPCA has reasonably complied with international standards / industry practices with reference to the WebTrust standard and the applicable ETO and COP provisions for the major changes for the issuance of the new recognized certificate iAM Smart-Cert.
   4. The issuance of the new recognized certificate iAM Smart-Cert is largely based on its existing technology and resources of HKPCA infrastructure. It is considered that there are no material changes in the financial status of the RCA (see Note 4) for operating as such in accordance with the ETO and COP; and
   5. The requirement on insurance arrangement to cover the issuance of iAM Smart-Cert has been communicated to the agent’s designated insurer and it has already covered the issuance of iAM Smart-Cert. HKPCA with Certizen as its Agent has taken steps to put in place insurance arrangement to ensure that it is capable of covering the potential liabilities arising from or related to issuance and use of HKPCA’s certificates due to the major changes for the issuance of the new recognized certificate iAM Smart-Cert.

Statutory Declaration

A. Date of the Declaration

• The date of the declaration is 20 July 2020.

B. Material Information

• Having regard to issuing new recognized certificate iAM Smart-Cert, a responsible officer of Hongkong Post CA declares that Hongkong Post CA as an RCA is capable of complying with the provisions of the ETO and the provisions of the COP which have been set out under paragraph 2 of Appendix of Annex I of the memorandum from GCIO dated 16 April 2020 (see Note 5).

Notes

1. Code of Practice for Recognized Certification Authorities (“COP”) issued by the GCIO under section 33 of the ETO.

2. Practice Note 870 "The Assessment of Certification Authorities under the Electronic Transactions Ordinance" issued by the Hong Kong Institute of Certified Public Accountants.

3. Paragraph 1 of Appendix of Annex I of the notice is reproduced below for reference:

1 For the purpose of section 43A(1)(c)(i) of the ETO

1.1 The following provisions of the ETO shall come within the scope of the assessment.

1. 1. 1. Part X - General Provisions as to Recognized CAs:
         Sections 36, 37, 39, 40, 44 and 45(1).
      2. Part XI - Provisions as to Secrecy, Disclosure and Offences:
         Sections 46, 47 and 48.

1.2 The following provisions of the COP shall come within the scope of the assessment.

1. 1. 1. General Responsibilities of a Recognized CA:
         Paragraphs 3.1 to 3.6 inclusive and 3.8.
      2. Certification Practice Statement:
         Paragraphs 4.1 to 4.13 inclusive.
      3. Trustworthy System:
         Paragraphs 5.1 to 5.3 inclusive, 5.6 to 5.17 inclusive and 5.19 to 5.21 inclusive.
      4. Certificates and Recognized Certificates:
         Paragraphs 6.1 to 6.23 inclusive.
      5. Verification of subscriber’s identity:
         Paragraphs 7.1 to 7.2 inclusive.
      6. Reliance Limit and Liability Cover
         Paragraphs 8.1 to 8.4 inclusive.
      7. Repositories:
         Paragraphs 9.1 to 9.5 inclusive.
      8. Disclosure of Information:
         Paragraphs 10.1 to 10.6 inclusive.
      9. Inter-operability:
         Paragraphs 15.1 and 15.2.
      10. All paragraphs in Appendix 1 of the Code of Practice.

4. Recognized Certification Authority (RCA)

5. Paragraph 2 of Appendix of Annex I of the notice is reproduced below for reference:

2. For the purpose of section 43A(1)(d)(i) of the ETO

2.1 A responsible officer of PMG shall make a statutory declaration which states that, having regard to PMG’s plan to issue iAM Smart-Cert, PMG is capable of complying with the following provisions of the COP.

1. 1. 1. General Responsibilities of a Recognized CA:
         Paragraphs 3.7 and 3.9.
      2. Trustworthy System:
         Paragraph 5.18.
      3. Disclosure of Information:
         Paragraphs 10.7 to 10.9 inclusive.
      4. Consumer Protection:
         Paragraph 16.1.