First published: 31st May 2009
Allan Dyer
Hong Kong's Electronic Transaction Ordinance (ETO) was enacted on 5th January 2000. It mainly aims to promote and facilitate the development of e-business in Hong Kong by providing the same legal recognition for electronic records and digital signatures as their paper-based counterparts, and establishes a voluntary framework for recognition of certification authorities (CAs) operating in Hong Kong.
However, in the nine years since the ETO was passed, digital signatures, and, in particular, digital signatures backed by recognised CAs, have not become widely-used in Hong Kong. They are not even widely used among IT professionals. Why not?
There is no simple answer, but part of the problem is that information on how to use the services is too fragmented, and, in some cases, even support hotlines are giving incomplete or incorrect information. Recently, I renewed my Hongkong Post e-Cert and the information below was gathered through phone and email exchanges with E-Mice Solutions (HK) Limited (the Operator of Hongkong Post e-Cert services), and the two service providers for the Government import/export declaration system: Global e-Trading Services Limited (Ge-TS) and Tradelink Electronic Commerce Limited.
E-Mice Solutions wrote, "Currently, our practice is to issue e-Cert to the applicant in the storage medium of either floppy disc or File Card. Additionally, applicant may choose to have a copy of e-Cert loaded into his HKID card. We believe that this practice can provide the subscribers, who come from the general public, with the flexibility of deploying the e-Cert according to their own needs. This also allows subscribers restoring their e-Cert from floppy disc or File Card when needed, addressing the danger of losing the private key holding in a single media."
"If an applicant wishes to request for the e-Cert to be delivered on his HKID card alone, he may raise such request through a signed e-mail or a signed instruction on the paper application form."
Thus, there are three options for storing an e-Cert:
| HKID card | File Card | Floppy Disc | |
|---|---|---|---|
| Hardware Standard | ISO 7816 | ISO 7816 | FAT |
| Driver | PC/SC | PC/SC | floppy |
| Public-Key Cryptography Standard (PKCS) | PKCS#11 | PKCS#12 | PKCS#12 |
| Software | e-Cert Control Manager | e-Cert File Card Utility Program | No additional software required |
| PIN length | 8 numeric digits | 16 numeric digits | 16 numeric digits |
| PIN lockout | Permanent on more than 5 consecutive incorrect PIN tries | none | none |
| Private key can be exported? | No | Yes | Yes |
The same card reader can be used with the HKID card and the File Card, though different software is needed.
The different storage methods have their own advantages and disadvantages:
Two companies provide Import / Export Declaration services: Global e-Trading Services Limited and Tradelink Electronic Commerce Limited.
Although the e-Cert and the ID-Cert follow the same technical standards, and the organisation that is ultimately accepting the declarations (the Hong Kong Government) is the same, the two service providers have apparently decided not to accept each other's certificates. Although this makes competitive sense in the short term, it hampers the development and uptake of e-commerce applications in Hong Kong.
Ultimately, by reducing the costly handling of paper, e-business provides the biggest benefit for the government. In order to realise this benefit, the government needs to maximise the convenience of the users. Allowing users to access different applications with the same certificate and the same signing method would be convenient.
