- Powered by Yip Tse & Tang, Solicitors & Notaries 葉謝鄧律師行

Hongkong Post's new root certificateadmitted to Microsoft Root Certificate Program

Hongkong Post's new root certificate ("Hongkong Post Root CA 1") was admitted to the Microsoft Root Certificate Program

Starting from April 2004, Hongkong Post's new root certificate ("Hongkong Post Root CA 1") was admitted to the Microsoft Root Certificate Program, in addition to the old root certificate ("Hongkong Post Root CA") which had already been admitted in July 2003. The program aims at protecting Microsoft customers from security issues related to the use of public key infrastructure (PKI) certificates. This means that Internet Explorer and Outlook Express users of Windows XP and Windows 2003 will now trust certificates issued by Hongkong Post under the two root certificates.

Users on platforms before Windows XP can also pick up and install the two Hongkong Post root certificates to their operating systems when they perform the Windows Update at URL, Please note that Root Certificate Update is not a critical update and users need to explicitly click-open the optional Windows 98/ME/NT/2000 Update list to include the Root Certificate Update.

The admission of Hongkong Post to the Microsoft Root Certificate Program is a solid proof of the trustworthiness of the Hongkong Post CA System and e-Cert.

Concept of Public Key Infrastructure (PKI)

PKI covers the use of public key cryptography for authentication and access control of a user, guaranteeing the integrity and non-repudiation of documents signed by the user, and confidentiality of data.
PKI employs a pair of keys for each user: a private key which is known only to the user himself, and a public key which is published by some authority, in the form of a digital certificate (certificate for short).

In signing a document or an e-mail, a user signs using his own private key so that others can use the signer's public key to verify the authenticity and non-repudiation of documents or e-mail. Since only the user has his own private key to sign, non-repudiation is established.

Before sending an encrypted e-mail to a receiver, the sender installs the receiver's certificate in the sender's e-mail program which supports the use of PKI technologies. The program can, on the sender's instruction, encrypt an e-mail using the receiver's public key. The receiver, on receiving the encrypted mail, can use his private key to decrypt the mail. Since only the receiver has his own private key, the encrypted mail will only be readable by him. Others, even if they can get hold of a copy of the encrypted mail over the network, would not be able to read the encrypted mail as they do not have the receiver's private key to decrypt the mail. The use of PKI saves the trouble of maintaining and distributing the same encryption/decryption key between the sender and the receiver.

The e-mail program Netscape Messenger v4.7x supports the signing and encryption of e-mail using 1024-bit RSA keys and certificates.

By using strong public key cryptographic algorithms, such as 1024-bit RSA keys which the HKU CA and Hongkong Post are employing, it is practically impossible for anyone to crack the private key from the public key within the life-time of a private key.

HKU Certification Authority (HKUCA)

HKU Certification Authority (HKUCA), run by the HKU Computer Centre, set up public key infrastructure (PKI) to issue HKU digital certificates (HKU-Cert) from 22nd September 2000 to current HKU staff and students (HKU members).

Personal: the HKU-Cert of a HKU member serves as his digital identity for him to authenticate himself and sign electronically in using HKU Electronic Services Delivery (HKUESD) of digital signature applications.

Server: from 1st February 2002, HKUCA also issues HKU-Cert (Server) to administrators of computer servers approved by HKUCA. The server named in a HKU-Cert (Server) can use the certificate in applications employing Secure Socket Layer (SSL) encryption.

According to the University, HKUCA is not seeking Recognized CA status, as defined in the Electronic Transactions Ordinance, from the Director of Information Technology Services Department of the HK SAR Government. Therefore, HKUCA is not subject to the governing rules and regulations set out in the Electronic Transactions Ordinance.

Legal Framework under Electronic Transactions Ordinance (Cap.553)

The Electronic Transactions Ordinance was passed into laws on 7th January 2000 as part of the major works of the HKSAR Government to promote the cause of electronic commerce, including the delivery of public services through the electronic channel.

  • provides legal status to electronic records and digital signatures in the conduct of electronic transactions as that of their paper-based counterparts; and

  • The development of secure e-business framework is one of the main tasks of the Digital 21 IT Strategy of the Hong Kong Government. The Government has adopted the use of the Public Key Infrastructure (PKI) as being the technological framework for the furtherance of secured trading on the electronic framework.
  • The passage of the Electronic Transactions Ordinance (ETO) has made this become possible as legal recognition is given to the status of the PKI as a certification technology. The ETO is basically modelled upon the United Nations Commission on International Trade Law Model Law on E-commerce (UNCITRAL MODEL LAW ON E-COMMERCE). The ETO provides that digital signatures (as defined by the ETO) and electronic records have the same legal status as that of their paper-based counterparts.

    The ETO has at the same time given a legal framework for the establishment of recognised Certification Authority (RCA) to support the conduct of secure electronic transactions. By virtue of the ETO, the Postmaster General is an RCA of Hong Kong and has since its set up begun to accept applications for grant of digital certificates to citizens and organisations in Hong Kong. The certificate is generally known as 'e-Cert'.

    Reference Web-site:

    How the Security Issues in E-Commerce are tackled?

    The security issues in e-commerce are resolved by the setting up of the Public Key Infrastructure (PKI) supported by a legal framework through legislations on its effect and meaning.

    With regard to the so-called brick and mortal traditional commerce, transactions are paper-based. Papers such as quotation, purchase order, contracts, invoices, cheques and receipts are used. The papers serve evidential and communication purposes between the parties. As to security measures adopted in traditional commerce, it is done by use of signature and countersignature. The persons signing the documents are identified to be the parties involved in the transaction.

    However, electronic transactions are carried out differently. If you ordered a book online through a web-site, orders and receipts are made electronically and through electronic communication such as emails. To authenticate a person's identity, web-sites do so by supply of personal data, credit card data and registration. Registration will give you a user account and password enabling you to be identified by the web-site who you are. However, the authentication is not done by a means enjoying trust, it is not a reasonably reliable way to authenticate a person's identity. That is why digital signature and certification authority are promoted.

    E-Commerce Trend

    Many trades and industries have in the past benefited from the use of electronic transactions or trading without the Internet. This similarly happens in Hong Kong. The EDI (electronic data interchange which has been moderated and promoted by Tradelink in Hong Kong's situation), electronic banking through public telephone and private ATM network and credit card transactions are the most obvious and prominent examples. The associated networks are costly and by nature a private network and hence their communications protocols are proprietary.

    The welcoming trend of the use of the Internet as an alternative which carries little cost and wide openness has caused a lot of security concerns, name on authentication of the parties, on preserving message or data integrity made during communications. The most widely accepted technology presently is the Public Key Infrastructure (PKI) . The use of PKI as a security safeguard is at the same time reinforced by the availability of an trusted third party (TPP), namely certification authorities. Hong Kong has given effect to the Electronic Transactions Ordinance, which is expected to govern transactions adopting the electronic channels as a means of communications.

    Hongkong Post and Guangdong Electronic Certification Authority cooperate on Cross Certification Arrangement

    Hongkong Post today (March 20) announced an arrangement to step up the cooperation between Hongkong Post Certification Authority and Guangdong Electronic Certification Authority in the area of cross certification.

    Mr Luk Ping-chuen, the Postmaster General, signed a "Cross Certification Cooperation Arrangement" with Mr Sun Xiaohe, Vice President of the Guangdong Electronic Certification Authority Ltd today in Guangzhou. The two parties will explore the establishment of a reliable and seamless cross-certification system between the two Certification Authorities in Hong Kong and Guangdong. In addition, they will explore joint procurement and development of open PKI based applications to facilitate secure transactions over the Internet. This collaboration signifies Hongkong Post's initiative in promoting closer ties with the certification authorities in the Mainland and in fostering e-commerce activities between Hong Kong and Guangdong.

    Mr Luk said, "We are delighted to be able to establish closer cooperation relationship with Guangdong Electronic Certification Authority. Such cooperation will enhance both parties' positioning as major leading Internet hub in South China and help promote e-commerce in the region."

    Mr Luk added, "Hongkong Post will continue to explore opportunities to enlist more partners to promote cross-certification co-operation in order to promote the use of digital certificate around the world."

    The ceremony was witnessed by Ms Adeline Wong, Principal Assistant Secretary, Information Technology and Broadcasting Bureau of the Hong Kong Special Administrative Region Government and Mr Xu Zhibiao, Director of Guangdong Information Industry Department.

    Hongkong Post is the first public certification authority in Hong Kong recognised under the Electronic Transactions Ordinance enacted in January 2000. The digital certificates issued by Hongkong Post, officially known as the e-Cert, allows people to authenticate the identity of digital certificate holders on the Internet. Hongkong Post e-Certs play an integral part of the new Smart ID Card replacement exercise scheduled to commence in mid-2003. Under this Scheme, each of the 6.8 million smart ID cardholders will be offered an option to embed a Hongkong Post e-Cert on their Smart ID Cards. With all these efforts, the Hongkong Post Certification Authority services will continue to provide a solid infrastructure and foster a secure and trusted e-commerce environment in the region.