Search Menu
Language Menu
Mobile Menu
Search
OGCIO
Home
Our Work
Strategies & Government IT InitiativesLegal Framework & Domain Name AdministrationCommunity Initiatives & IT ServicesBusiness & Industry DevelopmentIT Infrastructure & StandardsInformation & Cyber Security
Legal Framework & Domain Name Administration
Electronic Transactions Ordinance (Chapter 553)Domain Name Administration
Electronic Transactions Ordinance (Chapter 553)
Electronic Transactions Ordinance (Chapter 553)The OrdinanceVoluntary Certification Authority Recognition SchemeDigital Certificates for Electronic TransactionsLegislative Council PapersFrequently Asked QuestionsGlossaryUseful LinksContacts
Voluntary Certification Authority Recognition Scheme
IntroductionDisclosure Records of Recognized Certification AuthoritiesRecognition of Certification Authorities & CertificatesApplication for RecognitionApplication for Participation in Mutual Recognition of Electronic Signature CertificatesCode of Practice for Recognized Certification AuthoritiesList of recognized certificates available for subscriptions
Recognition of Certification Authorities & Certificates
< Back

Recognition of Certification Authorities and Certificates

Under the Electronic Transactions Ordinance ("ETO"), the Government Chief Information Officer ("GCIO") is the authority for granting recognition to certification authorities ("CAs") and to the certificates that recognized CAs issue. Recognition will only be granted to those CAs and digital certificates that meet the trustworthiness standard and other requirements of the Government. Recognition of CAs and certificates is governed under relevant provisions of the ETO.

Recognition as a Recognized CA

  1. Section 21(4) of the ETO states that in determining whether the applicant is suitable for recognition, the GCIO shall, in addition to any other matter the GCIO considers relevant, take into account the following -

    • whether the applicant has the appropriate financial status for operating as a recognized CA in accordance with the ETO and the Code of Practice for Recognized Certification Authorities ("Code of Practice");
    • the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of the ETO;
    • the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers;
    • the report, referred to in section 20(3)(b) of the ETO, which contains an assessment as to whether the applicant is capable of complying with the provisions of the ETO and of the Code of Practice as are specified in the Code of Practice (such provisions are specified under paragraph 1 of Appendix 2 of the Code of Practice); or
      the statutory declaration, referred to in section 20(3)(c) of the ETO, which states whether the applicant is capable of complying with the provisions of the ETO and of the Code of Practice as are specified in the Code of Practice (such provisions are specified under paragraph 2 of Appendix 2 of the Code of Practice);
    • whether the applicant and its responsible officers are fit and proper persons; and
    • the reliance limits set or proposed to be set by the applicant for its certificates.
  2. Regarding the report as referred in section 20(3)(b) of the ETO, a CA applying for recognition must furnish to the GCIO a report containing an assessment as to whether the CA is capable of complying with the provisions of the ETO and of the Code of Practice as are specified in the Code of Practice (such provisions are specified under paragraph 1 of Appendix 2 of the Code of Practice). The report shall be prepared by a person approved by the GCIO as being qualified to make such a report. Qualifications of the person are set out in section 12 of the Code of Practice. A CA shall apply to the GCIO for approval that the person whom the CA intends to engage for the preparation of an assessment report is a qualified person under the ETO, and furnish the GCIO with the PDF file format required documents and information in respect of the application.
  3. The validity period for recognition of a CA will normally be three years. The recognized CA may apply to the GCIO for renewal of the recognition.

Recognition of Certificate

  1. A recognized CA may apply to the GCIO for recognition of some or all of its certificates. If the CA is not yet a recognized CA, the CA shall submit an application for recognition for itself as well as for its certificates. The recognition of the certificates will only be considered after the GCIO has granted recognition to the CA concerned.
  2. In general, as long as a recognized CA maintains its recognition status, the recognition status of a recognized certificate issued by the recognized CA will not change provided that the relevant certification practice statement ("CPS"), including the relevant certificate policy that governs the recognized certificate, has not materially changed.
  3. Section 22(5) of the ETO states that for the recognition of a particular certificate or a type, class or description of certificates, the GCIO shall, in addition to any other matter the GCIO considers relevant, take into account the following -

    • whether the certificate(s) are issued in accordance with the recognized CA's CPS;
    • whether the certificate(s) are issued in accordance with the Code of Practice;
    • the reliance limit set or proposed to be set for that particular certificate, or that type, class or description of certificates, as the case may require; and
    • the arrangements put in place or proposed to be put in place by the recognized CA to cover any liability that may arise from the issue of that particular certificate, or that type, class or description of certificates, as the case may be.

Application for Recognition

Regarding application for recognition/renewal of recognition as a recognized CA and/or recognition of certificates, please refer to Application for Recognition.

Note:
The information in this web page is not intended to affect your rights and obligations. It is not intended to be relied upon as a statement of the legal position and you should consult your legal adviser before acting upon the information.

 

Related LinksDomain Name Administration
The Best is Yet to Come - Innovation and Technology
The 2024-25 Budget
The Chief Executive’s 2023 Policy Address
Facilitating of the Cross-boundary Data Flow within the Greater Bay Area
Exhibition of the 3rd Anniversary of Hong Kong National Security Law
You can stop corruption. Report Now!
ICT Outreach Programme for the Elderly
MSW Charging
Let Social Enterprises Bloom!
Legislative Control of Cannabidiol (CBD)
National Security Education Day
“Maker in China” SME Innovation and Entrepreneurship Global Contest - Hong Kong Chapter)
Electronic Health Record Sharing System (eHealth)
Improve Electoral System Ensure Patriots Administering Hong Kong
Support Clean Elections
iAM Smart Safe and Swift
CSDI website
Safeguarding National Security
Multi-functional Smart Lampposts
Fact Sheet : Office of the Government Chief Information Officer
ICT Event Calendar
Smart Government Innovation Lab
talent.gov.hk
New Patent System
Prohibition on Face Covering Regulation
Elderly IT Learning Portal
Hong Kong Legal Hub
Guangdong-Hong Kong-Macao Greater Bay Area
Cybersec Infohub
Corruption Prevention Advisory Service
Approved Fund-raising Activities
Cyber Security Information Portal
Hong Kong's Legal Services
IT Career Role Models Platform
Hong Kong Smart City Blueprint Portal
Web Accessibility Campaign - Making Web Content Available for All
Mutual Recognition of Electronic Signature Certificates issued by Hong Kong and Guangdong
The InfoCloud portal
Marketing Consultancy Office (Rehabilitation)
Developing Datacentre in Hong Kong
Wi-Fi․HK
GovHK Website
Government Computer Emergency Response Team Hong Kong (GovCERT․HK)
DATA․GOV․HK
CCLI Webste
CEPA
Hong Kong/Guangdong Expert Group on Co-operation in Informatisation
Hong Kong ICT Awards
INFO SEC
Student IT Corner
PreviousNext