
OGCIO

Types of Digital Certificates

There are various types of digital certificates in use in Hong Kong. According to the Electronic Transactions Ordinance (Cap. 553) (ETO), recognized digital certificates can only be issued by recognized certification authorities (CAs), following the requirements stipulated in their Certification Practice Statements, which should be prepared in accordance with the requirements specified in the Code of Practice for Recognized Certification Authorities (Code of Practice).

Recognized digital certificates issued in Hong Kong are at present mainly classified into the following types. From time to time, recognized CAs may apply to the Government Chief Information Officer for recognition of new types of digital certificates. Once recognized, they can be used to generate digital signatures that can fulfill the signature requirements under the law when transacting with Government.

| Types of Recognized Digital Certificates | Types of Users | Main Purposes of Use |
| --- | --- | --- |
| Personal | Individuals | For individuals to conduct secure message transmissions as well as electronic transactions by means of encryption/decryption and digital signing to prove their identity to third parties |
| Organisational | Staff of Organisations (Note 1) | For staff of organisations to conduct secure message transmissions as well as electronic transactions by means of encryption/decryption and digital signing for and on behalf of their organisations |
| Encipherment | Individuals or Staff of Organisations (Note 1) | For individuals or staff of organisations to conduct secure message transmissions by means of encryption/decryption |
| Server | Single or Multiple Servers / Web sites of Organisations (Note 1) | For single or multiple server(s) authentication, by using one Server certificate, to verify the identity of web site(s) to the client browser and communicate in Secure Socket Layer (SSL) messages |
| Governmental | Staff of Government bureaux/departments (Note 2) | For staff of Government bureaux/departments to conduct secure message transmissions as well as electronic transactions by means of encryption/decryption and digital signing for and on behalf of their bureaux/departments used for the purposes as designated by their bureaux/departments |
| Organisational Role | Staff of Organisations (Note 1 and 2) | For staff of organisations to conduct secure message transmissions as well as electronic transactions by means of encryption/decryption and digital signing for and on behalf of their role in the organisations used for the applications as designated by their organisations |

Currently, Hongkong Post Certification Authority issues recognized digital certificates under the brand name "e-Cert", whereas Digi-Sign Certification Services Limited issues digital certificates under the brand name "ID-Cert".

More information on the "e-Cert" and "ID-Cert" issued by the two recognized CAs is as follows:

Note 1: Organisations include Government bureaux/departments, non-Government organisations, universities/schools, private companies, etc.

Note 2: Offer of this type of recognized digital certificates requires prior arrangement between the recognized CA and the subscriber organisation.

Issuance of 2048-bit Digital Certificate

The industry has been enhancing IT products and services to support the use of 2048-bit cryptographic key length for asymmetric encryption by end 2013. Electronic services currently adopting 1024-bit keys should be enhanced to support 2048-bit keys so as to provide adequate security strength for encryption and digital signing. Both recognized certification authorities have promulgated their plans for the issuance of 2048-bit recognized digital certificates. The use of 2048-bit digital certificates will further strengthen the security level and ensure the robustness of secure information exchange and electronic transactions. More information on their plans is as follows:

Issuance of Digital Certificate using SHA-256 Cryptographic Hash Algorithm

To follow the industry trend of adopting the SHA-256 cryptographic hash algorithm in SSL certificates for a higher level of security for electronic transactions, Hongkong Post Certification Authority (HKPCA) will issue e-Cert (Server) using the SHA-256 cryptographic hash algorithm in phases. More information on its plan is as follows:

Issuance of Server Digital Certificate Supporting Online Certificate Status Protocol

The industry has already started to issue server digital certificates supporting Online Certificate Status Protocol (OCSP) in recent years. OCSP is an alternative to Certificate Revocation List (CRL) for obtaining the revocation status of digital certificates. To be in line with industry practice, Hongkong Post Certification Authority will issue e-Cert (Server) supporting OCSP in phases. More information on its plan is as follows: