PKI in Hong Kong: E-services reality

As part of an IT initiative, the Electronic Transactions Ordinance (ETO) was enacted in January 2000, giving electronic records and digital signatures the same legal status as that of paper documents.

The Hong Kong Special Administrative Region Government (HKSARG) in 1998 formulated "Digital 21 IT Strategy", an IT initiative involving the collaboration among the Government, businesses and academia to turn Hong Kong into a leading digital and e-commerce hub in Asia Pacific

As part of the initiative, the Electronic Transactions Ordinance (ETO) was enacted in January 2000, giving electronic records and digital signatures the same legal status as that of paper documents.

The Government has started to acknowledge electronic submissions from the public. Some 200 common forms are being converted to electronic forms to encourage the public to use digital signatures and attach supporting documents electronically.

The HKSAR also plans to set up a PKI framework fully supported by certification authorities (CAs). The Hongkong Post is the first recognized CA in Hong Kong, and has been providing electronic authentication services to businesses and individuals since 31 January 2000.

The private sector is also encouraged to set up CAs. CAs can apply for recognition from the Government. The Director of Information Technology Services is the authority for granting recognition to CAs and to the certificates that CAs issue.

Hongkong Post offers four types of recognized certificates - e-Cert (Personal) which is issued to individuals, e-Cert (Organisational) which is issued to employee of a company, e-Cert (Encipherment) which is issued to a company and e-Cert (Server) which is issued to a domain name. These certificates allow businesses and individuals to enjoy online commercial and entertainment services securely by providing electronic authentication and verification of identity.

A regional Validation Authority (VA) service providing online certificate status checking as well as credential, authorization level checking for commercial users is also being planned.

Hongkong Post is a member of the Advanced Electronic Services User Group (AESUG). This Group seeks to establish a universal PKI framework, which it calls the Global Postal Trust Service (GPTS), to ensure cross-border compatibility of certification and secure services. It will encompass a set of standard technical interfaces required for postal systems to interoperate, a common global architecture and a common global policy for the provision of a digital identification mechanism utilising PKI and CAs.

Hongkong Post has also signed MOUs for cross certification with overseas CAs such as ID.Safe of Singapore, DIGICERT of Malaysia, Korea Information Certificate Authority of Korea as well as ViaCode of the United Kingdom.

Local PKI Applications
One of the PKI-based applications is the Government's Electronic Tendering System (ETS), which was launched in April last year. The certificate used for ETS allows approved suppliers to submit tenders to the Government Supplies Department electronically.

The Electronic Service Delivery (ESD) scheme, launched in January this year, is another e-government initiative that allows public services to be delivered to the community via electronic means. E-services such as payment of government bills and voter registration are available, some of which require the use of an e-Cert for authentication.

The Hong Kong Exchanges and Clearing Limited's Automatic Matching System/3 uses e-Cert to authenticate investors' identities, allowing for the electronic routing of orders to designated brokers for approval and submission to the market for trade execution.

Hongkong Post is also working with local mobile phone operator New World Mobility and overseas wireless PKI solution providers Entrust and Baltimore to develop secure mobile commerce solutions.

Hewlett Packard is a major supplier of IT systems and hardware to many arms of the Hong Kong Government and the Hong Kong Post PKI project is one which HP is the prime contractor.

In addition, Hongkong Post is developing banking certificates with local banks. With the customised banking certificate, customers can safely execute normal e-Cert functions as well as Internet banking transactions. Hongkong Post launched the customised banking certificate (namely "Hongkong Post Bank-Cert") with Dah Sing Bank in February 2001 and with Hongkong Chinese Bank in March 2001.

Last year, Hongkong Post and Utimaco Safeware provided public key infrastructure (PKI) technical training to companies that uses digital certificates from CAs and other registration authorities to verify and authenticate their transactions.

Among the PKI vendors who came into the Hong Kong scene last year, Taiwan-based KeyTrend Technology opened its regional headquarters and stated its aggresive aim of grabbing as much as a fifth of the region's market for PKI technology. They also funded a research facility at City University of Hong Kong.

Another e-Cert-enabled application is Internet betting. The Hong Kong Jockey Club has been accepting e-Cert certificates for its Internet betting services since October 2000.

Speaking at the 2nd Certification Authority (CA) forum held earlier this year, Hongkong Post Electronic Services division senior manager Michael Chung said that cross-border co-operation to develop a widely recognised PKI system will enhance Asia's position as a leading Internet hub and help promote e-commerce in the region.

"It helps customers to expand their scope of business as they can conduct their business safely, conveniently and effectively using a world recognised electronic certificate, anywhere in the region".

Read more about PKI in Asia.