@eLaw.com.hk 葉謝鄧律師行

In accordance with section 33 of the Electronic Transactions Ordinance, the Director of Information Technology Services (the Director) may issue a code of practice specifying standards and procedures for carrying out the functions of recognized certification authorities.

The Code of Practice for Recognized Certification Authorities published in January 2000.

Supplementary Note to the Code of Practice for Recognized Certification Authorities on 28 March 2001.

The validity period for recognition of a CA will normally be two years. The recognized CA may apply to the Director for renewal of the recognition. In accordance with section 27(2) of the Ordinance, an application for renewal must be made at least 30 days before but not earlier than 60 days before the expiry of the period of validity of the recognition.

S.20(3)(b) states that a CA applying for recognition must furnish to the Director a report containing an assessment as to whether the CA is capable of complying with provisions of the Ordinance applicable to a recognized CA and the Code of Practice.

The report shall be prepared by a person acceptable to the Director as being qualified to give such a report. Qualifications of the person are set out in section 12 of the Code of Practice.

Recognition shall only be granted to those CAs that have achieved a standard acceptable to the Government. Section 21(4) of the Ordinance states that in determining whether the applicant is suitable for recognition, the Director shall, in addition to any other matter the Director considers relevant, take into account the following :

1. whether the applicant has the appropriate financial status for operating as a recognized CA in accordance with the Ordinance and the Code of Practice;

2. the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of the Ordinance;

3. the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers;

4. the report, referred to in section 20(3)(b) of the Ordinance, which contains an assessment as to whether the applicant is capable of complying with provisions of the Ordinance applicable to a recognized CA and the Code of Practice;

5. whether the applicant and its responsible officers are fit and proper persons; and the reliance limits set or proposed to be set by the applicant for its certificates.

s.20 (1) of the Ordinance, certification authorities (CAs) may seek recognition from the Director of Information Technology Services (the Director). On application by a CA, the Director may grant recognition under the Ordinance to the CA and/or to all certificates, or a particular type, class or description of certificates or a particular certificate issued or to be issued by the CA.

The recognition scheme for Certification Authorities (CA) is entirely voluntary to CA. A CA can carry on the business as a CA without getting a recognition status. For instance, Tradelink has been practising as a CA since 1997. In some countries like Malaysia, CA must be licensed by the Government and persons carrying on CA business without a licence is an offence in law.

The benefit of having a recognition status is a recognised CA can have the benefits of the protections given by the Ordinance regarding its liabilities. Besides, a recognised digital signature generated by a recognised CA can have the legal status of a manual signature. Government services obtained under the ESD Scheme requires the use of digital signature given by a recognised CA for the purpose of authenticating the individual's or organisation's identity and to bind their legal commitment.

The recognition scheme is monitored and serviced by the Director of Information Technology Service (DITS) through the Recognition Office of its department.

Digi-Sign Certification Services Limited(Digi-Sign) announced today the cooperation with Guangdong Electronic Certification Authority (GDCA) on the "Unified-Cert" service, which makes it possible for residents based in Mainland China to procure both the Digi-Sign ID-Cert and the digital certificate of GDCA in one single application. The new service is expected to bring the level of online transactions between the two places to a new height.

Digi-Sign Certification Services Limited is a wholly-owned subsidiary of Tradelink. It is the first private Certification Authority recognized by the Hong Kong SAR Government under the Electronic Transactions Ordinance. Branded ID-Cert, the digital certificates issued by Digi-Sign can be used to authenticate a wide range of trade transactions online including government transactions, internet banking, legal document service, online stock trading, online betting service, etc. So far, over 170,000 ID-Certs have been issued.

Guangdong CA, established in 2000, is the certification authority approved by the Guangdong provincial government. The Guangdong CA digital certificate, about 180,000 have been issued so far, has been widely adopted as a trusted and secure solution for online applications such as tax submission, trade declarations, electronic tendering and purchasing as well as several major e-government development projects.

Justin Yue, Chairman of Digi-Sign, said, "The cooperation between GDCA and Digi-Sign has expanded the scope of the use of digital certificates. Customers in Hong Kong and Guangdong can now benefit from a trusted and secure solution to conduct online transactions. At the same time, it also promotes further the facilitation of trade and the development of e-commerce between the two places."

Mr. Yin Guan Xin, director of GDCA, said, "Both Hong Kong and Guangdong have established their respective Electronic Transaction Ordinance (ETO), which provides a legal framework enabling electronic records and digital signatures to enjoy legal recognitions similar to their paper-based counterparts. This legal framework will also act as a common platform for further cooperation between GDCA and Digi-Sign. The joint "Unified-Cert" service, which brings to customers a convenient and reliable authentication service, will certainly leads to an increase of online activities between Hong Kong and Guangdong."

Customers who are Mainland residents in possession of valid travel documents to Hong Kong or Hong Kong Identity Card holders are eligible to apply the "Unified-Cert" with a validity of 2 years. For details, please visit the websites of Digi-Sign (www.dg-sign.com) or GDCA (www.cnca.net).

The Director of Information Technology Services (the Director), Mr Alan Wong Chi-kong, today (April 29) granted recognition to HiTRUST.COM (HK) Incorporated Limited (HiTRUST) and Joint Electronic Teller Services Limited (JETCO) as recognized certification authorities under the Electronic Transactions Ordinance (Cap. 553).

To foster the development of electronic commerce in Hong Kong, the Government has taken the initiative under the "Digital 21" Information Technology Strategy to provide a secure environment for the conduct of electronic transactions by members of the public.

As part of this initiative, the Government has established the voluntary recognition scheme for certification authorities under the Electronic Transactions Ordinance.

A certification authority issues digital certificates to subscribers, allowing them to conduct electronic transactions with other parties in a secure manner.

"The Government encourages the private sector to provide services as certification authorities. To keep regulatory control to the minimum, there is no mandatory licensing requirement for certification authorities to operate in Hong Kong. Instead, certification authorities may apply to the Director for recognition under the voluntary recognition scheme," said a spokesman for the Information Technology Services Department (ITSD).

Being a recognized certification authority will enhance public confidence in using the service of the certification authority, because the Director will only grant recognition to a certification authority which has reached a trustworthy standard acceptable to the Government.

With recognition granted by the Director to HiTRUST and JETCO, there are now four recognized certification authorities operating in Hong Kong.

The other two recognized certification authorities are Digi-Sign Certification Services Limited that was granted recognition by the Director in July 2001, and the Postmaster General who is a recognized certification authority as provided under the Electronic Transactions Ordinance. The Postmaster General started operation of the Hongkong Post Certification Authority in January 2000.

"It is encouraging to see that there are now multiple recognized certification authorities operating in Hong Kong, providing the public with more choices. It demonstrates business interests and opportunities in the local market in respect of the provision of certification authority services that will facilitate and drive the public to conduct more electronic transactions in a secure manner," the spokesman added.

Under the voluntary recognition scheme, the Director may also grant recognition on application to digital certificates issued by a recognized certification authority. The Director has granted recognition to two types of digital certificate that HiTRUST will issue to individuals and organisations, and to one type of digital certificate that JETCO will issue to individuals.

More details of the voluntary recognition scheme are available on the web site of ITSD (http://www.itsd.gov.hk/itsd/caro/ecaro.htm).

Under the Electronic Transactions Ordinance, the Director needs to maintain a disclosure record for each recognized certification authority. The disclosure records for HiTRUST and JETCO are also available on the ITSD web site.

End/Monday, April 29, 2002

The Hong Kong Information Technology Services Department ('ITSD') has granted recognition to HiTRUST.COM (HK) Incorporated Limited ('HiTRUST') as a Recognized Certification Authority ('RCA') under the Electronic Transactions Ordinance (Cap. 553) ('ETO').

Various types of digital certificate services are currently being offered by HiTRUST, ranging from server certificate for SSL secure web site, individual certificates for secure messaging, to device certificate deploying on mobile phone or cable modem.

According to the regulation set in the ETO, only the digital signatures generated by using RCA's digital certificate are regarded as statutory signatures and subsequently under the protection of the ETO.

Being a RCA, according to the voluntary recognition scheme for certification authorities under the ETO, it is regarded to be qualified in protecting consumers' interests and in general enhance public confidence in electronic transactions.

Aspects concerned are Certificate Practice Statement, certificate generation and issuance procedures, liability and insurance coverage, disaster restoring plan, information security, facilities security, personnel security and corporate financial viability, etc.

Under the ETO, ITSD needs to maintain a disclosure record for each recognized certification authority. The disclosure records for HiTRUST can be found on the ITSD web site at https://secure1.info.gov.hk/itsd/english/caro/esub43.htm.

Hongkong Post today (March 20) announced an arrangement to step up the cooperation between Hongkong Post Certification Authority and Guangdong Electronic Certification Authority in the area of cross certification.

Mr Luk Ping-chuen, the Postmaster General, signed a "Cross Certification Cooperation Arrangement" with Mr Sun Xiaohe, Vice President of the Guangdong Electronic Certification Authority Ltd today in Guangzhou. The two parties will explore the establishment of a reliable and seamless cross-certification system between the two Certification Authorities in Hong Kong and Guangdong. In addition, they will explore joint procurement and development of open PKI based applications to facilitate secure transactions over the Internet. This collaboration signifies Hongkong Post's initiative in promoting closer ties with the certification authorities in the Mainland and in fostering e-commerce activities between Hong Kong and Guangdong.

Mr Luk said, "We are delighted to be able to establish closer cooperation relationship with Guangdong Electronic Certification Authority. Such cooperation will enhance both parties' positioning as major leading Internet hub in South China and help promote e-commerce in the region."

Mr Luk added, "Hongkong Post will continue to explore opportunities to enlist more partners to promote cross-certification co-operation in order to promote the use of digital certificate around the world."

The ceremony was witnessed by Ms Adeline Wong, Principal Assistant Secretary, Information Technology and Broadcasting Bureau of the Hong Kong Special Administrative Region Government and Mr Xu Zhibiao, Director of Guangdong Information Industry Department.

Hongkong Post is the first public certification authority in Hong Kong recognised under the Electronic Transactions Ordinance enacted in January 2000. The digital certificates issued by Hongkong Post, officially known as the e-Cert, allows people to authenticate the identity of digital certificate holders on the Internet. Hongkong Post e-Certs play an integral part of the new Smart ID Card replacement exercise scheduled to commence in mid-2003. Under this Scheme, each of the 6.8 million smart ID cardholders will be offered an option to embed a Hongkong Post e-Cert on their Smart ID Cards. With all these efforts, the Hongkong Post Certification Authority services will continue to provide a solid infrastructure and foster a secure and trusted e-commerce environment in the region.