First published: 31st May 2009
Hong Kong's Electronic Transaction Ordinance (ETO) was enacted on 5th January 2000. It mainly aims to promote and facilitate the development of e-business in Hong Kong by providing the same legal recognition for electronic records and digital signatures as their paper-based counterparts, and establishes a voluntary framework for recognition of certification authorities (CAs) operating in Hong Kong.
However, in the nine years since the ETO was passed, digital signatures, and, in particular, digital signatures backed by recognised CAs, have not become widely-used in Hong Kong. They are not even widely used among IT professionals. Why not?
There is no simple answer, but part of the problem is that information on how to use the services is too fragmented, and, in some cases, even support hotlines are giving incomplete or incorrect information. Recently, I renewed my Hongkong Post e-Cert and the information below was gathered through phone and email exchanges with E-Mice Solutions (HK) Limited (the Operator of Hongkong Post e-Cert services), and the two service providers for the Government import/export declaration system: Global e-Trading Services Limited (Ge-TS) and Tradelink Electronic Commerce Limited.
e-Cert Storage Options
E-Mice Solutions wrote, "Currently, our practice is to issue e-Cert to the applicant in the storage medium of either floppy disc or File Card. Additionally, applicant may choose to have a copy of e-Cert loaded into his HKID card. We believe that this practice can provide the subscribers, who come from the general public, with the flexibility of deploying the e-Cert according to their own needs. This also allows subscribers restoring their e-Cert from floppy
disc or File Card when needed, addressing the danger of losing the private key holding in a single media."
"If an applicant wishes to request for the e-Cert to be delivered on his HKID card alone, he may raise such request through a signed e-mail or a signed instruction on the paper application form."
Thus, there are three options for storing an e-Cert:
| ||HKID card||File Card||Floppy Disc
|Hardware Standard||ISO 7816||ISO 7816||FAT|
|Public-Key Cryptography Standard (PKCS)||PKCS#11||PKCS#12||PKCS#12|
|Software||e-Cert Control Manager||e-Cert File Card Utility Program||No additional software required|
|PIN length||8 numeric digits||16 numeric digits||16 numeric digits|
|PIN lockout||Permanent on more than 5 consecutive incorrect PIN tries||none||none|
|Private key can be exported?||No||Yes||Yes|
The same card reader can be used with the HKID card and the File Card, though different software is needed.
The different storage methods have their own advantages and disadvantages:
- If you want the best confidentiality of your private key: Use your HKID card alone. The private key is stored only on the card, and cannot be exported. If your card is lost, an attacker has five chances to guess your eight-digit PIN before access to the e-Cert is blocked.
- If you are concerned that you may loose access to encrypted files: Use a file card or floppy. You can backup the PKCS#12 file in multiple locations to protect against loss.
- If you are not using Windows: Use a floppy, the e-Cert Control Manager and e-Cert File Card Utility programs are only available for Microsoft operating systems.
- If your PC has no floppy drive: Use a file card or your HKID card.
Import / Export Declarations
Two companies provide Import / Export Declaration services: Global e-Trading Services Limited and Tradelink Electronic Commerce Limited.
- Global e-Trading Services Limited is a service partner of Hongkong Post, and accepts the Hongkong Post e-Cert for signing declarations. However, their application does not support an e-Cert stored on a HKID card.
- Tradelink Electronic Commerce Limited accepts the ID-Cert issued by Digi-Sign Certification Services Limited and does not accept the Hongkong Post e-Cert for signing declarations. Digi-Sign is a wholly-owned subsidiary of Tradelink.
Although the e-Cert and the ID-Cert follow the same technical standards, and the organisation that is ultimately accepting the declarations (the Hong Kong Government) is the same, the two service providers have apparently decided not to accept each other's certificates. Although this makes competitive sense in the short term, it hampers the development and uptake of e-commerce applications in Hong Kong.
- CA's and Service Providers should make relevant technical information easy to find, and ensure their support hotlines provide accurate information and can answer technical questions. Leaving out the technical details does not make the information more friendly to the general public, it simply makes it useless to more experienced users.
- The Government should encourage more cooperation between the commercial companies involved, for example, by requiring all service providers for e-Government applications to accept certificates issued by all the Government-Recognised CAs.
- Service Providers should support signing by PKCS#11 and PKCS#12 certificates. Is there a valid technical reason why you can sign your tax return by e-Cert on HKID card or a floppy, but a trade declaration cannot be signed by HKID card?
Ultimately, by reducing the costly handling of paper, e-business provides the biggest benefit for the government. In order to realise this benefit, the government needs to maximise the convenience of the users. Allowing users to access different applications with the same certificate and the same signing method would be convenient.