
Disclosure Records of Recognized Certification Authorities

Disclosure Record for Digi-Sign Certification Services Limited

(This is page 38 of the disclosure record for Digi-Sign Certification Services Limited (Digi-Sign) maintained by the Commissioner for Digital Policy (CDP) under section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (ETO).)

Assessment Report and Statutory Declaration in respect of the Issuance of Organizational (Remote) ID-Cert Class 15 Certificate

Digi-Sign planned to issue a new type of recognized certificate, namely Organizational (Remote) ID-Cert Class 15 certificate (ID-Cert Class 15). The issuance of this new type of recognized certificate will, among others, involve the following changes:

a) new certificate profile for ID-Cert Class 15;

b) new workflow and operational procedures for handling the application for ID-Cert Class 15 certificates submitted by direct applicants or via Remote Signing Service Providers (“RSSPs”); and

c) new application form for application of ID-Cert Class 15 certificates that appointed RSSPs as Authorized Representative and Authorized Custodian of the applicant organizations.

The CDP considered that the changes involved in the issuance of the new certificate are major changes. In this light, the CDP had, by notice given to Digi-Sign, required Digi-Sign to furnish to the CDP an assessment report and a statutory declaration pursuant to section 43A(1) of the ETO. In this connection, Digi-Sign arranged the preparation of an assessment report produced by an independent assessor as well as furnished a statutory declaration made by a responsible officer of Digi-Sign in respect of the issuance of ID-Cert Class 15 certificate.

In accordance with section 43A(3) of the ETO, the CDP must publish in the disclosure record for Digi-Sign as a recognized certification authority (CA) the dates of and the material information in the assessment report and statutory declaration. Only those parts of the report and statutory declaration containing material information are herewith published.

Assessment Report

(A) Date of the Report

  • The date of the report is 22 May 2024.

(B) Material Information

Recognized CA practices

  1. In the assessor's opinion, having regard to Digi-Sign's proposed issuance of Organizational (Remote) ID-Cert Class 15 certificate, in all material respects,
    a. the management assertions in respect of Digi-Sign's capability to comply with the sections of the ETO and the Code of Practice (COP) (see Note 1) set out in Appendix 3 (see Note 2) of the assessment report are reasonable. In particular, Digi-Sign is capable of:
      1. disclosing its business practices in its Certification Practice Statement(s) in accordance with the ETO and the COP and providing its services in accordance with its disclosed business practices;
      2. complying with the requirements in respect of the use of a trustworthy system to support its operations in accordance with sections 21(4)(b), (c) and (f) and 37 of the ETO and the COP; and
      3. complying with the requirements in respect of recognition of its certificates in accordance with sections 36, 37, 39, 40, 44 and 45(1) of the ETO and the COP.
    b. no information came to the attention of the assessor during the course of the assessment that would indicate that the management assertions in respect of Digi-Sign's capability to comply with the sections of the COP set out in Appendix 4 (see Note 3) of the assessment report are not reasonable;
    c. based on the conclusions drawn in paragraphs (a) and (b) above, the management assertions in respect of Digi-Sign's capability to comply with the provisions of the ETO applicable to a recognized CA and the COP are reasonable.
  2. The assessor has covered and examined the provisions of the ETO and of the COP as set out in Appendix 5 of the assessment report (see Note 4) and considers them to be explanatory material and statement of facts. The assessor confirms that these provisions would not cause any material impact to the conclusions of the assessment report.

Potential liabilities

  1. In the assessor’s opinion, in all material respects, the management assertions that Digi-Sign has implemented and maintained appropriate procedures to determine and manage its potential liabilities in relation to the issuance of certificates are reasonable.

Statutory Declaration

(A) Date of the Statutory Declaration

  • The date of the declaration is 27 May 2024.

(B) Material Information

  • Having regard to Digi-Sign's planned issuance of ID-Cert Class 15 certificate, a responsible officer of Digi-Sign declared that Digi-Sign was capable of complying with the provisions of the ETO and the COP as specified in paragraph 2 of Appendix of Annex I of the notice from the CDP dated 26 February 2024 (see Note 5).

Notes

  1. Code of Practice for Recognized Certification Authorities (version 3.1) issued under section 33 of the ETO.
  2. The Appendix 3 of the assessment report is extracted as follows:

Relevant Provisions of the ETO

  1. Part VII - Recognition of CAs and certificates by CDP
    Sections 21(4)(b), (c) and (f)
  2. Part X - General Provisions as to Recognized CAs:
    Sections 36, 37, 39, 40, 44 and 45(1)

Relevant Provisions of the Code of Practice

  1. General Responsibilities of a Recognized CA
    Paragraphs 3.1 to 3.2 inclusive, 3.4 to 3.6 inclusive and 3.8
  2. Certification Practice Statement
    Paragraphs 4.1 to 4.10 inclusive and 4.12 to 4.13 inclusive
  3. Trustworthy System
    Paragraphs 5.1, 5.6 to 5.7 inclusive, 5.9 to 5.15 inclusive and 5.19 to 5.21 inclusive
  4. Certificates and Recognized Certificates:
    Paragraphs 6.1 to 6.8 inclusive and 6.10 to 6.23 inclusive.
  5. Verification of Subscriber's Identity:
    Paragraphs 7.1 to 7.2 inclusive
  6. Reliance Limit and Liability Cover:
    Paragraphs 8.1 to 8.4 inclusive.
  7. Repositories:
    Paragraphs 9.1, 9.3 and 9.5.
  8. Disclosure of Information:
    Paragraphs 10.1 to 10.3 inclusive
  9. Inter-operability:
    Paragraph 15.2.
  10. All paragraphs in Appendix 1 of the COP
  3. The Appendix 4 of the assessment report is extracted as follows:

Relevant Provisions of the Code of Practice

  1. General Responsibilities of a Recognized CA
    Paragraph 3.3
  2. Trustworthy System
    Paragraphs 5.16 to 5.17 inclusive.
  3. Repositories:
    Paragraphs 9.2 and 9.4.
  4. Disclosure of Information:
    Paragraphs 10.4 to 10.6 inclusive.
  5. Inter-operability
    Paragraph 15.1
  4. The Appendix 5 of the assessment report is extracted as follows:

Relevant Provisions of the ETO

  1. Part XI - Provisions as to secrecy, disclosure and offences:
    Sections 46, 47 and 48.

Relevant Provisions of the Code of Practice

  1. Certification Practice Statement:
    Paragraph 4.11
  2. Trustworthy System
    Paragraphs 5.2 to 5.3 inclusive and 5.8
  3. Certificates and recognized certificates:
    Paragraph 6.9.
  5. Paragraph 2 of Appendix of Annex I of the notice is reproduced below for reference:

2. For the purpose of section 43A(1)(d)(i) of the ETO

2.1 A responsible officer of Digi-Sign shall make a statutory declaration which states that, having regard to Digi-Sign’s plan to issue ID-Cert Class 15 certificate, Digi-Sign is capable of complying with the following provision of the ETO.

    1. Part VII – Recognition of CAs and Certificates by the CDP:
      Section 21(4)(e).

2.2 A responsible officer of Digi-Sign shall make a statutory declaration which states that, having regard to Digi-Sign’s plan to issue ID-Cert Class 15 certificate, Digi-Sign is capable of complying with the following provisions of the COP.

    1. General Responsibilities of a Recognized CA:
      Paragraphs 3.7 and 3.9.
    2. Trustworthy System:
      Paragraph 5.18.
    3. Disclosure of Information:
      Paragraphs 10.7 to 10.9 inclusive.
    4. Consumer Protection:
      Paragraph 16.1.
  6. The information of this disclosure record is disclosed in accordance with section 31(2) of the ETO.