The launch of the Hong Kong Special Administrative Region's first communitywide public certification authority (CA), originally scheduled for December 28, has been postponed due to the Legislative Council's failure to pass the Electronic Transactions Bill.
According to an executive from Hongkong Post, which is establishing the CA, the certification authority will come into operation by the end of this month.
"It has taken more time than expected to process the Bill," said Michael Chung, senior manager of the Electronic Services Division of the postal service.
Chung took over the CA project when former division director Yuk Wai Fung returned to the government Efficiency Unit a month ago at the end of his temporary duty at Hongkong Post.
The Electronic Transactions Bill is crucial to the legality of the CA, because it will make digital signatures and electronic records equivalent in legal status to handwritten signatures and paper records. In addition, the bill will formally recognize the role of Hongkong Post as a CA in the SAR.
Driven by the government, the establishment of a public CA is intended to boost electronic commerce in the territory, as it addresses common concerns about e-commerce, including issues of authenticity, integrity, confidentiality, and non-repudiation of transactions. A public CA allows participants to prove the identities of their transaction partners with digital certificates issued by a trusted third party.
Sin Chung-kai, the IT functional constituency representative in Legco who chairs the bills committee that is responsible for scrutinizing and amending the Electronic Transactions Bill, maintained that the postponement of the CA's debut was not caused by Legco's "delay" in passing the subject bill.
"The schedule given to us was too tight. We need sufficient time to review the bill. It's better to spend more time up-front than to amend the bill later when things start to get going," Sin said.
According to Sin, the Electronic Transactions Bill has jumped the queue of other new bills, since Legco members and the government "acknowledged the importance of a fast passage of the bill" given the phenomenal growth of e-commerce. The bills committee met 10 times in six weeks from late October to the end of November last year.
"We've made efficient use of our time already. On average, it takes at least half a year to review a bill. For a more complex one, it can take as much as two years," Sin said.
Among other recommendations, the government has agreed with the suggestion proposed by the bills committee to set up an advisory committee for the Electronic Transactions Bill, which will primarily be responsible for overseeing the execution of the bill within 18 months of its passage.
Chung said that an independent consulting firm began a security assessment of the entire CA operation in November last year. The review of the security level of the systems will include ethical hacking to test their vulnerability.
Hongkong Post will continue the assessment until the official launch later this month.
Since August 1999, four application tests have been carried out on the CA's public key infrastructure. The Hong Kong Stock Exchange tested online stock trading; local systems integrator Computer and Technologies tested the government electronic tendering systems; Cable & Wireless HKT tested its secure mail services; and the Information Technology Services Department tested the government's internal certification services.
According to Chung, the four applications will not be ready when Hongkong Post's CA launches in January, but will be ready in "early 2000."
That, however, does not mean that the CA will be of no use to the public as soon as it launches.
"We can still use it for general authentication, like e-mails, digital signatures and electronic records in online communications and transactions," said Chung.
Apart from those four key test applications, Hongkong Post has also issued over 100 test certificates to organizations in the SAR for their own development and testing.
Chung revealed that the investment in the CA will total HK$50 million to $60 million (US$6.4 million to US$7.7 million) in the first two years since work on the project began early last year. He anticipates a return in five years that covers both the initial investment and recurrent expenses. Chung also expects to sell 500,000 digital certificates, called e-Certs, in the first year and even more thereafter when more applications are built on the CA infrastructure.
In a separate development, Hongkong Post will introduce an electronic courier service in February or March. The service verifies that an e-mail has not been viewed or changed by any unauthorized party. The digital postmark and time stamp embedded in the e-mail also provide valuable delivery information to both sender and recipient, Chung said.
Sidebar 1: Will you be getting your e-Cert?
Computerworld Hong Kong has learned that there will be three types of digital certificates, dubbed e-Certs, to be issued by Hongkong Post for personal, organizational and domain-name use.
For promotional purposes, e-Certs will be available this year for HK$50; after this year, the annual charge will be $150.
If required, an organization can obtain an unlimited number of e-Certs for use by its personnel. An individual e-Cert will carry the name of the person to whom it belongs.
For e-Certs used for organizations and domain names, Hongkong Post will charge an extra HK$150 administration fee for verification of their status with the Hong Kong government's Business Registration Office, InterNIC and Hong Kong Network Information Center (HKNIC), the organizations that are responsible for domain name registrations.
An e-Cert operates with a pair of encryption keys, one public and one private, each of which is 1,024 bits. The private key is kept secret, known only to the user; the other key is made public by placing it in a public directory. When a sender digitally signs a message with his or her private key, the recipient can validate the signature with the sender's public key.
-- Winnie Lai
Sidebar 2: Code of practice to guide CA activities
The Information Technology Services Department (ITSD) is establishing a framework for the operation of CAs. It is finalizing the "Code of Practice for Recognized Certification Authorities," which outlines "the general responsibilities of the CAs and the standards and procedures for their operation."
Although the government has stated that there will not be any compulsory licensing requirements for CAs operating in Hong Kong, a voluntary recognition scheme for CAs will be put in place to protect consumers' interests. The director of ITSD will be the authority for granting government recognition to CAs. Failure of recognized CAs to comply with the requirements of the Code of Practice may result in suspension or revocation of the recognition granted.
According to an ITSD spokesman, the contents of the Code of Practice will be confirmed early this month. More details can be found at www.info.gov.hk/itsd/paper.
-- Winnie Lai