Types of Digital Certificates
There are various types of digital certificates in use in Hong Kong. According to the Electronic Transactions Ordinance (Cap. 553) (ETO), recognized digital certificates can only be issued by recognized certification authorities (CAs) following the requirements as stipulated in its Certification Practice Statement which should be prepared in accordance with the requirements specified in the Code of Practice for Recognized Certification Authorities (Code of Practice).
Recognized digital certificates issued in Hong Kong are mainly classified into the following types presently. From time to time, recognized CAs may apply to Government Chief Information Officer for recognition of new type of digital certificates. Once recognized, they can be used to generate digital signatures that can fulfill the signature requirements under the law when transacting with Government.
| Types of Recognized Digital Certificates | Types of Users | Main Purposes of Use |
|---|---|---|
| Personal | Individuals | To conduct secure message transmissions as well as electronic transactions by means of encryption/decryption and digital signing to prove their identity to third parties |
| Organisational | Staff of Organisations (Note 1) | To conduct secure message transmissions as well as electronic transactions by means of encryption/decryption and digital signing for and on behalf of their organisations |
| Encipherment |
Units of the Organisation (Note 1) |
To conduct secure message transmissions by means of encryption/decryption |
| Server | Single or Multiple Servers / Web sites of Organisations (Note 1) | To verify the identity of web site(s) to the client browser and communicate in Secure Socket Layer (SSL) messages |
| Governmental | Staff of Government bureaux/departments (Note 2) | To conduct secure message transmissions as well as electronic transactions by means of encryption/decryption and digital signing for and on behalf of the bureaux/departments used for the purposes as designated by their bureaux/departments |
| Organisational Role | Staff of Organisations (Note 1 and 2) |
To conduct secure message transmissions as well as electronic transactions by means of encryption/decryption and digital signing for and on behalf of their role in the organisations used for the applications as designated by their organisations |
| Bank | Personal/Corporate/Bank |
To create digital signature on e-Cheque |
|
“iAM Smart” |
Hong Kong residents (Note 3) | To conduct digital signing via the "iAM Smart" system to handle statutory documents and procedures |
Currently, Hongkong Post Certification Authority issues recognized digital certificates under the brand name of "e-Cert", whereas the Digi-Sign Certification Services Limited issues digital certificates with the brand name of "ID-Cert".
More information on the "e-Cert" and "ID-Cert" issued by the two recognized CAs is as follows:
- "e-Cert" issued by Hongkong Post Certification Authority
- "ID-Cert" issued by Digi-Sign Certification Services Limited
Note 1: Organisations include Government bureaux/departments, non-Government organisations, universities/schools, private companies, etc.
Note 2: Offer of this type of recognized digital certificates requires prior arrangement between the recognized CA and the subscriber organisation.
Note 3: There are two versions of "iAM Smart", namely "iAM Smart" and "iAM Smart+". iAM Smart-Certs are designated for the subscribers who are holders of "iAM Smart+" account to conduct digital signing with legal backing under the Electronic Transactions Ordinance. Hong Kong residents should apply for "iAM Smart+" through designated self-registration kiosk, registration service counter or mobile registration team. For more information on "iAM Smart", please refer to the “iAM Smart” Thematic Portal.
Issuance of 2048-bit Digital Certificate
The industry has been enhancing IT products and services for supporting the use of 2048-bit cryptographic key length for asymmetric encryption by end 2013. Electronic services currently adopting 1024-bit key should be enhanced to support 2048-bit key so as to provide adequate security strength for encryption and digital signing. Both recognized certification authorities have promulgated their plans on the issuance of 2048-bit recognized digital certificates. The beneficial use of 2048-bit digital certificates will further strengthen security level to ensure the robustness of secure information exchange and electronic transactions. More information on their plans is as follows:
- Hongkong Post Certification Authority's Transition Plan for Issuance of only 2048-bit RSA Key Length e-Cert (Server)
- Hongkong Post Certification Authority's Transition Plan for Issuance of e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) with 2048-bit RSA Key Length
- Issuance of e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) with 2048-bit RSA Key Length only by Hongkong Post Certification Authority with effect from 1 January 2014
- Digi-Sign Certification Services Limited's Plan for the Issuance of 2048-bit ID-Cert
Issuance of Digital Certificate using SHA-256 Cryptographic Hash Algorithm
To follow the industry trend of adopting SHA-256 cryptographic hash algorithm in SSL certificates for higher level of security for electronic transactions, Hongkong Post Certification Authority (HKPCA) will issue e-Cert (Server) using SHA-256 cryptographic hash algorithm in phases. More information of its plan is as follows:
Issuance of Server Digital Certificate Supporting Online Certificate Status Protocol
The industry has already started to issue server digital certificates supporting Online Certificate Status Protocol (OCSP) in recent years. OCSP is an alternative to Certificate Revocation List (CRL) for obtaining the revocation status of digital certificates. To be in line with industry practice, Hongkong Post Certification Authority will issue e-Cert (Server) supporting OCSP in phases. More information of its plan is as follows:
