@eLaw.com.hk 葉謝鄧律師行

Hongkong Post's new root certificate ("Hongkong Post Root CA 1") was admitted to the Microsoft Root Certificate Program

Starting from April 2004, Hongkong Post's new root certificate ("Hongkong Post Root CA 1") was admitted to the Microsoft Root Certificate Program, in addition to the old root certificate ("Hongkong Post Root CA") which had already been admitted in July 2003. The program aims at protecting Microsoft customers from security issues related to the use of public key infrastructure (PKI) certificates. This means that Internet Explorer and Outlook Express users of Windows XP and Windows 2003 will now trust certificates issued by Hongkong Post under the two root certificates.

Users on platforms before Windows XP can also pick up and install the two Hongkong Post root certificates to their operating systems when they perform the Windows Update at URL, http://windowsupdate.microsoft.com. Please note that Root Certificate Update is not a critical update and users need to explicitly click-open the optional Windows 98/ME/NT/2000 Update list to include the Root Certificate Update.

The admission of Hongkong Post to the Microsoft Root Certificate Program is a solid proof of the trustworthiness of the Hongkong Post CA System and e-Cert.

In accordance with section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (the Ordinance), the Director of Information Technology Services must maintain for each recognized certification authority (CA) an on-line and publicly accessible record.

As at today, the following disclosure recrords are found on the following links:

1. Disclosure Record for Digi-Sign Certification Services Limited

2. Disclosure Record for HiTRUST.COM (HK) Incorporated Limited

3. Disclosure Record for the Postmaster General

Disclosure Record for Other Recognized CA

Currently, there is no other CA who is recognized under the Ordinance. Therefore, the above 3 CAs are the only recognised CA as at 23rd June 2004.

Archive of Disclosure Record for CA Whose Recognition Has Been Revoked

1. Disclosure Record for Joint Electronic Teller Services Limited

HiTRUST.COM (HK)

HiTRUST was incorporated in Hong Kong in August 2000. It is a joint venture of HiTRUST Incorporated and the New World Group.

Being a Recognized Certificate Authority certified by Hong Kong government as well as a VeriSign International Affiliate, HiTRUST.COM (HK) is specialized in the provision of managed digital certificate services to help enterprises sharpen its competence in the trust e-commerce world.

HiTRUST Incorporated

Founded in March 1998, HiTRUST's core business is the provision of solutions for secure eCommerce. In April 2000, HiTRUST.COM Incorporated was officially established with capital of about US$100 million. The major shareholders include Acer Group, HSBC, New World Group, AIG and VeriSign. The continuous growth of HiTRUST has been achieved through an unrivalled commitment to, and focus on, commercially successful, secure eCommerce.

Targeting the Greater China region, HiTRUST has been successfully providing leading-edge, trusted total solutions and customized, high added-value services including Commerce Content, eBusiness Operation, ePayment & eBilling, Financial Services Software, Application Server and eCommerce Security to the region's corporations, telecommunication companies, financial institutions and service providers.

HiTRUST's success depends on its product offerings and reputation for value and trust in the secure eCommerce industry. Early on, HiTRUST identified the opportunities developing in the region and has expanded its business operation into Taiwan, Hong Kong, Shanghai and Beijing, by opening its branch offices and strategic investment in eCommerce related businesses. In the future, HiTRUST will continuously offer industry-leading technologies and services to customers in the Greater China region and its brand will remain at the head of the region's secure eCommerce industry.

The conditions on using a digital certificate will deal with the liability of the certificate owner and the CA. The following is taken from the Certificate Practice Statement (CPS) of CA of the University of Science and Technology and are quoted here as an example:

Liability of Certificate Owner

Without limiting other certificate owner obligations stated in the CPS, certificate owners are liable for any mis-representation they make in certificates to third parties that, reasonably rely on the representations contained therein.

Liability of HKUST CA

HKUST CA :

· Does not warrant the accuracy, authenticity, completeness or fitness of any unverified information contained in certificates or otherwise compiled, published, or disseminated by or on behalf of HKUST CA.

· Shall not incur liability for representations of information contained in a certificate, provided the certificate content substantially complies with the CPS.

· Does not warrant "non-repudiation" of any certificate or message (because non-repudiation is determined exclusively by law and the applicable dispute resolution mechanism).

Certificate Internal Database is a database to keep track of the pending certificate request, issued or revoked certificate, private Certificate Revocation List (CRL), etc. Only RA and CA have the rights to update this database. A web user interface will be provided for users to query the status of their certificate requests and any issued or revoked certificate. Various fields in certificate, such as serial no, expiry date, subject name, etc will be indexed. This will allow faster queries based on these standard attributes.

A high performance directory server, based on the IETF LDAP standard, is used as a public repository of Certificate Revocation List (CRL), user and CA certificates. Its design is based on the RFC 2587 schema. A standard LDAP interface will be provided to native client for retrieving certificate for applications like S/MIME or SSL client authentication.

HKU Certification Authority (HKUCA), run by the HKU Computer Centre, set up public key infrastructure (PKI) to issue HKU digital certificates (HKU-Cert) from 22nd September 2000 to current HKU staff and students (HKU members).

Personal: the HKU-Cert of a HKU member serves as his digital identity for him to authenticate himself and sign electronically in using HKU Electronic Services Delivery (HKUESD) of digital signature applications.

Server: from 1st February 2002, HKUCA also issues HKU-Cert (Server) to administrators of computer servers approved by HKUCA. The server named in a HKU-Cert (Server) can use the certificate in applications employing Secure Socket Layer (SSL) encryption.

According to the University, HKUCA is not seeking Recognized CA status, as defined in the Electronic Transactions Ordinance, from the Director of Information Technology Services Department of the HK SAR Government. Therefore, HKUCA is not subject to the governing rules and regulations set out in the Electronic Transactions Ordinance.

To safeguard the integrity and trustworthiness of the CA system, three new offences were created by the Electronic Transactions Ordinance, even of which can result in fine or imprisonment if offended.

obligation of secrecy under s.46

a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Ordinance shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person.

false information under s.47

A person who knowingly or recklessly makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Ordinance which is untrue, inaccurate or misleading commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.

false claim as recognised CA under s.48

A person who makes a false claim that a person is a recognized certification authority commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.

Digi-Sign is the first private CA recognised pursuant to the Electronic Transactions Ordinance. Its recognition status was granted by the Director of Information Technology Services in July 2001 on application by Digi-Sign.

Digi-Sign was only set up in October 2000. Its services as a certification authority was prior to its recognition operated by Tradelink (full name being Tradlink Electronic Commerce Limited). Digi-Sign is therefore a spin-off and wholly-owned subsidiary of Tradelink. At the time of the recognition, Digi-Sign issues two classes of recognised digital certificate.The two classes of recognised certificates are called ID-Cert. They are issued by Digi-Sign under the Certification Practice Statement (CPS) issued by Digi-Sign.

Reference : see 'Recognition Status' page at Digi-Sign's web-site.

Like any other certification authorities, Digi-Sign publishes a CPS. It sets out the practices to register subscribers, verify the subscriber applications, manage and control the processing of digital certificate issuance, acceptance of the certificates by the subscribers, suspension and revocation of the certificate.

To download the CPS, please visit the relevant page and link at the web-site of Digi-Sign.

Director of Information Technology Services (DITS) is the authority to grant Government recognition

The Director may recognise certificates issued by a recognised authority as recognised certificates

By the HKSAR Government's policy, there is no exclusivity in CA services Number of CAs to be determined by the market. Presently, the Postmaster General is a CA statutorily recognized by the Ordinance. The Postmaster General is a recognised certification authority by virtue of the Electronic Transactions Ordinance. Digi-Sign is an example of a private recognised CA.