Disclosure Records of Recognized Certification Authorities

Disclosure Record for Digi-Sign Certification Services Limited

(This is page 3 of the disclosure record for Digi-Sign Certification Services Limited ("Digi-Sign") maintained by the Commissioner for Digital Policy under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) ("Ordinance").)

Assessment Report in relation to the Provision of Subscriber Key Generation

Digi-Sign intended to introduce a change to its operation to allow an ID-Cert subscriber to generate keys within the subscriber's own premises and using the subscriber's hardware-based key generation module under its own control. In accordance with section 5.6 of the Code of Practice for Recognized Certification Authorities ("Code of Practice"), a recognized certification authority shall perform structured assessments to ascertain the underlying risks of its operations. In this connection, Digi-Sign had arranged the preparation of an assessment report produced by an independent assessor in respect of its intended provision of subscriber key generation.

Extracts from the assessment report are herewith published pursuant to section 31(2) of the Ordinance.

A. Date of the Report

  • The date of the report is 26 June 2002.

B. Material Information

  1. The objective of the assessment was for the assessor to review the proposed procedures to be established by Digi-Sign in relation to allowing keys to be generated by subscribers, and to express a conclusion as to whether the procedures, when established, will enable Digi-Sign to continue to be capable of complying, in all material respects, with the requirements in the Ordinance and the Code of Practice, specifically in relation to the use of a trustworthy system for the subscriber key generation process, and at the point in time when the keys are generated.
  2. In the assessor's opinion, the procedures proposed to be established by Digi-Sign will enable Digi-Sign to continue to be capable of complying, in all material respects, with the requirements in the Ordinance and Code of Practice, specifically in relation to the use of a trustworthy system for the subscriber key generation process, and at the point in time when the keys are generated.