- Powered by Yip Tse & Tang, Solicitors & Notaries 葉謝鄧律師行

Hongkong Post's new root certificate admitted to Microsoft Root Certificate Program

Hongkong Post's new root certificate ("Hongkong Post Root CA 1") was admitted to the Microsoft Root Certificate Program

Starting from April 2004, Hongkong Post's new root certificate ("Hongkong Post Root CA 1") was admitted to the Microsoft Root Certificate Program, in addition to the old root certificate ("Hongkong Post Root CA") which had already been admitted in July 2003. The program aims at protecting Microsoft customers from security issues related to the use of public key infrastructure (PKI) certificates. This means that Internet Explorer and Outlook Express users of Windows XP and Windows 2003 will now trust certificates issued by Hongkong Post under the two root certificates.

Users on platforms before Windows XP can also pick up and install the two Hongkong Post root certificates on their operating systems when they run Windows Update at URL. Please note that the Root Certificate Update is not a critical update, so users need to explicitly click open the optional Windows 98/ME/NT/2000 Update list to include the Root Certificate Update.

The admission of Hongkong Post to the Microsoft Root Certificate Program is solid proof of the trustworthiness of the Hongkong Post CA System and e-Cert.

Disclosure Records of Recognized Certification Authorities

In accordance with section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (the Ordinance), the Director of Information Technology Services must maintain for each recognized certification authority (CA) an on-line and publicly accessible record.

As at today, the following disclosure records are found at the following links:

1. Disclosure Record for Digi-Sign Certification Services Limited

2. Disclosure Record for HiTRUST.COM (HK) Incorporated Limited

3. Disclosure Record for the Postmaster General

Disclosure Record for Other Recognized CA

Currently, no other CA is recognized under the Ordinance. Therefore, the above 3 CAs are the only recognised CAs as at 23rd June 2004.

Archive of Disclosure Record for CA Whose Recognition Has Been Revoked

1. Disclosure Record for Joint Electronic Teller Services Limited

HiTRUST.COM (HK) Incorporated Limited


HiTRUST was incorporated in Hong Kong in August 2000. It is a joint venture of HiTRUST Incorporated and the New World Group.

As a Recognized Certificate Authority certified by the Hong Kong government as well as a VeriSign International Affiliate, HiTRUST.COM (HK) specializes in the provision of managed digital certificate services to help enterprises sharpen their competence in the trusted e-commerce world.

HiTRUST Incorporated

Founded in March 1998, HiTRUST's core business is the provision of solutions for secure eCommerce. In April 2000, HiTRUST.COM Incorporated was officially established with capital of about US$100 million. The major shareholders include Acer Group, HSBC, New World Group, AIG and VeriSign. The continuous growth of HiTRUST has been achieved through an unrivalled commitment to, and focus on, commercially successful, secure eCommerce.

Targeting the Greater China region, HiTRUST has been successfully providing leading-edge, trusted total solutions and customized, high added-value services including Commerce Content, eBusiness Operation, ePayment & eBilling, Financial Services Software, Application Server and eCommerce Security to the region's corporations, telecommunication companies, financial institutions and service providers.

HiTRUST's success depends on its product offerings and reputation for value and trust in the secure eCommerce industry. Early on, HiTRUST identified the opportunities developing in the region and has expanded its business operation into Taiwan, Hong Kong, Shanghai and Beijing, by opening its branch offices and strategic investment in eCommerce related businesses. In the future, HiTRUST will continuously offer industry-leading technologies and services to customers in the Greater China region and its brand will remain at the head of the region's secure eCommerce industry.


The conditions on using a digital certificate deal with the liability of the certificate owner and the CA. The following is taken from the Certificate Practice Statement (CPS) of the CA of the University of Science and Technology and is quoted here as an example:

Liability of Certificate Owner

Without limiting other certificate owner obligations stated in the CPS, certificate owners are liable for any misrepresentation they make in certificates to third parties that reasonably rely on the representations contained therein.

Liability of HKUST CA


· Does not warrant the accuracy, authenticity, completeness or fitness of any unverified information contained in certificates or otherwise compiled, published, or disseminated by or on behalf of HKUST CA.

· Shall not incur liability for representations of information contained in a certificate, provided the certificate content substantially complies with the CPS.

· Does not warrant "non-repudiation" of any certificate or message (because non-repudiation is determined exclusively by law and the applicable dispute resolution mechanism).

Certificate Repository

The Certificate Internal Database is a database that keeps track of pending certificate requests, issued or revoked certificates, the private Certificate Revocation List (CRL), etc. Only the RA and CA have the right to update this database. A web user interface will be provided for users to query the status of their certificate requests and any issued or revoked certificate. Various certificate fields, such as serial no., expiry date, subject name, etc., will be indexed. This will allow faster queries based on these standard attributes.

A high-performance directory server, based on the IETF LDAP standard, is used as a public repository of the Certificate Revocation List (CRL), user certificates and CA certificates. Its design is based on the RFC 2587 schema. A standard LDAP interface will be provided to native clients for retrieving certificates for applications like S/MIME or SSL client authentication.
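The internal database described above can be modelled in a few lines. This is an added example, not HKUST CA's code: the SQLite schema, the table, column and role names, and the sample records are assumptions made for illustration.

```python
import sqlite3

# Constructed schema: table, column and role names are assumptions for illustration.
SCHEMA = """
CREATE TABLE certs (
    serial_no   TEXT PRIMARY KEY,
    subject     TEXT NOT NULL,
    expiry_date TEXT NOT NULL,
    status      TEXT NOT NULL CHECK (status IN ('pending', 'issued', 'revoked'))
);
CREATE INDEX idx_certs_subject ON certs(subject);
CREATE INDEX idx_certs_expiry  ON certs(expiry_date);
"""
WRITERS = {"RA", "CA"}  # only these roles may update the database

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def set_status(db, role, serial_no, subject, expiry_date, status):
    """Create or update a record; any role other than RA or CA is refused."""
    if role not in WRITERS:
        raise PermissionError(f"role {role!r} may not update the certificate database")
    db.execute(
        "INSERT INTO certs VALUES (?, ?, ?, ?) "
        "ON CONFLICT(serial_no) DO UPDATE SET status = excluded.status",
        (serial_no, subject, expiry_date, status),
    )
    db.commit()

def query_status(db, subject):
    """Read-only lookup of the kind a web front end would expose to users."""
    return db.execute(
        "SELECT serial_no, status, expiry_date FROM certs "
        "WHERE subject = ? ORDER BY serial_no", (subject,)).fetchall()

def private_crl(db):
    """Serial numbers of revoked certificates, the input to CRL generation."""
    return [row[0] for row in db.execute(
        "SELECT serial_no FROM certs WHERE status = 'revoked' ORDER BY serial_no")]

def subject_lookup_uses_index(db):
    """True when SQLite's planner answers the subject lookup from an index."""
    plan = db.execute(
        "EXPLAIN QUERY PLAN SELECT serial_no FROM certs WHERE subject = ?", ("x",))
    return any("INDEX" in row[3] for row in plan)
```

The role check here is an application-level model; in a deployed system the write restriction would also be enforced by database accounts and network access controls.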

HKU Certification Authority (HKUCA)

HKU Certification Authority (HKUCA), run by the HKU Computer Centre, set up public key infrastructure (PKI) to issue HKU digital certificates (HKU-Cert) from 22nd September 2000 to current HKU staff and students (HKU members).

Personal: the HKU-Cert of a HKU member serves as his digital identity for him to authenticate himself and sign electronically in using HKU Electronic Services Delivery (HKUESD) of digital signature applications.

Server: from 1st February 2002, HKUCA also issues HKU-Cert (Server) to administrators of computer servers approved by HKUCA. The server named in a HKU-Cert (Server) can use the certificate in applications employing Secure Socket Layer (SSL) encryption.

According to the University, HKUCA is not seeking Recognized CA status, as defined in the Electronic Transactions Ordinance, from the Director of Information Technology Services Department of the HK SAR Government. Therefore, HKUCA is not subject to the governing rules and regulations set out in the Electronic Transactions Ordinance.

New Offences under ETO

To safeguard the integrity and trustworthiness of the CA system, three new offences were created by the Electronic Transactions Ordinance, each of which can result in a fine or imprisonment if committed.

obligation of secrecy under s.46

A person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Ordinance shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person.

false information under s.47

A person who knowingly or recklessly makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Ordinance which is untrue, inaccurate or misleading commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.

false claim as recognised CA under s.48

A person who makes a false claim that a person is a recognized certification authority commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.

Digi-Sign Certification Services Limited (Digi-Sign)

Digi-Sign is the first private CA recognised pursuant to the Electronic Transactions Ordinance. Its recognition status was granted by the Director of Information Technology Services in July 2001 on application by Digi-Sign.

Digi-Sign was only set up in October 2000. Before its recognition, its services as a certification authority were operated by Tradelink (full name being Tradelink Electronic Commerce Limited). Digi-Sign is therefore a spin-off and wholly-owned subsidiary of Tradelink. At the time of the recognition, Digi-Sign issued two classes of recognised digital certificate. The two classes of recognised certificates are called ID-Cert. They are issued by Digi-Sign under the Certification Practice Statement (CPS) issued by Digi-Sign.

  • Personal ID-Cert Class 1 and
  • Organizational ID-Cert Class 2
  • Reference : see 'Recognition Status' page at Digi-Sign's web-site.

    Like any other certification authorities, Digi-Sign publishes a CPS. It sets out the practices to register subscribers, verify the subscriber applications, manage and control the processing of digital certificate issuance, acceptance of the certificates by the subscribers, suspension and revocation of the certificate.

    To download the CPS, please visit the relevant page and link at the web-site of Digi-Sign.

    Number of CAs and Recognition

    By the HKSAR Government's policy, there is no exclusivity in CA services; the number of CAs is to be determined by the market. Presently, the Postmaster General is a recognised certification authority by virtue of the Electronic Transactions Ordinance. Digi-Sign is an example of a private recognised CA.

    Recognised CA's Code of Practice

    In accordance with section 33 of the Electronic Transactions Ordinance, the Director of Information Technology Services (the Director) may issue a code of practice specifying standards and procedures for carrying out the functions of recognized certification authorities.

    The Code of Practice for Recognized Certification Authorities published in January 2000.

    Supplementary Note to the Code of Practice for Recognized Certification Authorities on 28 March 2001.

    Period of recognition of CA

    The validity period for recognition of a CA will normally be two years. The recognized CA may apply to the Director for renewal of the recognition. In accordance with section 27(2) of the Ordinance, an application for renewal must be made at least 30 days before but not earlier than 60 days before the expiry of the period of validity of the recognition.

    Assessment Report on CA

    S.20(3)(b) states that a CA applying for recognition must furnish to the Director a report containing an assessment as to whether the CA is capable of complying with provisions of the Ordinance applicable to a recognized CA and the Code of Practice.

    The report shall be prepared by a person acceptable to the Director as being qualified to give such a report. Qualifications of the person are set out in section 12 of the Code of Practice.

    Basis of CA's Recognition

    Recognition shall only be granted to those CAs that have achieved a standard acceptable to the Government. Section 21(4) of the Ordinance states that in determining whether the applicant is suitable for recognition, the Director shall, in addition to any other matter the Director considers relevant, take into account the following :

    1. whether the applicant has the appropriate financial status for operating as a recognized CA in accordance with the Ordinance and the Code of Practice;

    2. the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of the Ordinance;

    3. the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers;

    4. the report, referred to in section 20(3)(b) of the Ordinance, which contains an assessment as to whether the applicant is capable of complying with provisions of the Ordinance applicable to a recognized CA and the Code of Practice;

    5. whether the applicant and its responsible officers are fit and proper persons; and

    6. the reliance limits set or proposed to be set by the applicant for its certificates.

    The CA Recognition Scheme

    Under s.20(1) of the Ordinance, certification authorities (CAs) may seek recognition from the Director of Information Technology Services (the Director). On application by a CA, the Director may grant recognition under the Ordinance to the CA and/or to all certificates, or a particular type, class or description of certificates or a particular certificate issued or to be issued by the CA.