First published: 09th February 2010
At about 11am on 9th February, Hongkong Post e-Cert sent email Suspension Notices to all holders of expired e-Certs, including those who also held currently-valid e-Certs, causing confusion and flooding its hotline with calls.
Hongkong Post is a recognised Certification Authority under Hong Kong's Electronic Transactions Ordinance, which gives a digital signature supported by an e-Cert the same legal status as a handwritten signature. As a public CA, Hongkong Post CA issues recognised digital certificates to individuals and corporations. Each certificate has a validity period of one or more years, during which it can be used for signing. Naturally, Hongkong Post retains records of expired certificates: signatures created during the validity period of a certificate remain valid, even though the certificate can no longer be used to create new signatures.
Normally, Hongkong Post sends email reminders to certificate holders shortly before their certificate is due to expire. For reasons as yet unexplained, Hongkong Post sent reminders for all expired certificates. The messages did clearly indicate the Subscriber Reference Number and Certificate Serial Number, so it was possible for subscribers to identify that the message referred to an old certificate, not the current certificate they were using.
We are awaiting further information on this incident from Hongkong Post.
Updated: 24th February 2010
Emily Wong of E-Mice Solutions (HK) Limited, the operator of HKPost e-Cert services, has responded in two emails. Ms. Wong confirmed that a computer-generated "Suspension Notice" was scheduled and released on 8 - 9 February 2010 and therefore the call volume of the e-Cert service hotline was, "a bit higher than normal days as we expected", without specifying the normal call volume, or the size of the spike in demand.
Ms. Wong also explained that this was not an incident: in the case of Mr. Dyer's certificate, they had, in accordance with their operation procedures, sent a "Subscription Expiry Notice" on 22/04/2008, one month before the expiry date. The "Suspension Notice" sent on 9th February 2010 was a reminder of the suspension, and an explanation of how to reactivate the suspended e-Cert for use until its final expiry on 22/05/2010.
Ms. Wong emphasised that security was not compromised, "HKPost CA always uses a trustworthy system for the issuance, revocation or suspension, and publication in a publicly available repository of accepted recognized certificates. Further details are disclosed in the e-Cert Certificate Practice Statement ("CPS")".
Our Chief Consultant, Allan Dyer, commented, "This still leaves questions unanswered, why was a Suspension Notice sent 628 days after the suspension, and only 102 days before the certificate expired? I did find it difficult to contact a hotline operator on 9th February, and the impression I received when talking to the operator was that the lines were flooded, so what were the figures, and, if this was an expected increase, why weren't more resources allocated for the period?" Reviewing the surrounding circumstances, Dyer made some recommendations:
- Avoid confusing and inconsistent terminology in notices. The "Subscription Expiry Notice" says, "the first-year subscription period of your e-Cert is about to expire", but later says, "your e-Cert will be suspended and published on the Certification Revocation List to indicate that your e-Cert has ceased to be valid". Valid, invalid, expired and suspended have closely-related meanings in English, but a suspension is usually temporary, whereas expiry is normally permanent. The confusion is not helped by the varying terminology used in browsers: Internet Explorer reports that certificates are "Valid from" and "Valid to", while Firefox specifies their "Validity" as "Issued On" and "Expires On". Sending out an expiry notice when a certificate is about to be suspended might lead a user to apply for a new certificate when their current certificate could still be renewed.
- Simplify notices by omitting irrelevant material. The Expiry notice also says, "If you are a subscriber of e-Cert (Personal / Minor), you have to apply for e-Cert (Personal) and stop using e-Cert (Personal / Minor) when you aged 18", but this is only needed in notices sent to people about to turn 18. Filling the notice with irrelevances increases the chance that users will miss important details.
- Keep your customers. The information for people turning 18 continues, "The residual subscription period of the e-Cert (Personal / Minor) will become invalid", why not allow a free upgrade for the remainder of the certificate period?
- Review the timing of notices, especially the Suspension Notice. Is there any point in sending the Suspension Notice 628 days after the date the certificate was suspended, inviting the user to renew the certificate for the remaining 102 days until the certificate expires, at a cost of $100, when the user can apply for a new certificate, valid for a full year, for just $50?
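The life-cycle distinctions that run through this story (expired versus suspended versus revoked, and "the certificate can no longer create new signatures, but signatures made while it was valid stay valid") can be made precise with a small status model. The following is an added worked example, not code from the original article or from Hongkong Post's systems. It uses the CRL reason codes defined in RFC 5280 (certificateHold is the only one that can later be lifted, by removeFromCRL), and a constructed timeline built from the dates the page gives: suspension on 22/05/2008 and final expiry on 22/05/2010. The 2007 issue date, the serial numbers and the 2010-02-15 reactivation date are assumptions for illustration only.

```python
"""Certificate life-cycle states: valid, suspended, revoked, expired.

Added example (not part of the original article). Pure standard library.
"""
from dataclasses import dataclass
from datetime import date

# CRLReason codes from RFC 5280, section 5.3.1
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6   # suspension: the only reason that can later be lifted
REMOVE_FROM_CRL = 8    # lifts a certificateHold (used in delta CRLs)


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: date   # "Valid from" in Internet Explorer, "Issued On" in Firefox
    not_after: date    # "Valid to" in Internet Explorer, "Expires On" in Firefox


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: date
    reason: int


def status_at(cert, crl, when):
    """Life-cycle state of `cert` on date `when`, given the CRL history `crl`.

    The validity window decides 'not-yet-valid' and 'expired'. Inside the
    window, CRL entries for this serial are replayed in date order: a hold
    makes the certificate 'suspended', removeFromCRL lifts the hold, and any
    other reason is a permanent 'revoked' that later entries cannot undo.
    """
    if when < cert.not_before:
        return "not-yet-valid"
    if when > cert.not_after:
        return "expired"
    history = sorted(
        (e for e in crl if e.serial == cert.serial and e.revocation_date <= when),
        key=lambda e: e.revocation_date,
    )
    state = "valid"
    for entry in history:
        if state == "revoked":
            break                      # permanent: nothing lifts a revocation
        if entry.reason == CERTIFICATE_HOLD:
            state = "suspended"
        elif entry.reason == REMOVE_FROM_CRL:
            state = "valid"            # only meaningful after a hold
        else:
            state = "revoked"
    return state


def signature_acceptable(cert, crl, signing_time):
    """A relying party accepts a signature if the certificate was 'valid'
    when the signature was made. The certificate's status today (expired,
    suspended) is irrelevant to signatures made earlier.

    Caveat: `signing_time` must come from a trusted source such as an
    RFC 3161 timestamp; a holder of an expired or suspended key could
    otherwise back-date new signatures into the valid window.
    """
    return status_at(cert, crl, signing_time) == "valid"


# Constructed timeline for the e-Cert discussed above. The 2008 suspension
# and 2010 expiry dates come from the page; the issue date is an assumption.
ECERT = Certificate(serial=1001,
                    not_before=date(2007, 5, 22),
                    not_after=date(2010, 5, 22))
SUSPENDED_ON = date(2008, 5, 22)
NOTICE_SENT = date(2010, 2, 9)
ECERT_CRL = [CrlEntry(1001, SUSPENDED_ON, CERTIFICATE_HOLD)]


def notice_timing_days():
    """Days from suspension to the Suspension Notice, and from the notice to
    final expiry: reproduces the 628 and 102 quoted in the article."""
    return ((NOTICE_SENT - SUSPENDED_ON).days,
            (ECERT.not_after - NOTICE_SENT).days)


if __name__ == "__main__":
    print("suspension->notice, notice->expiry:", notice_timing_days())
    for day in (date(2008, 1, 15), NOTICE_SENT, date(2010, 6, 1)):
        print(day, status_at(ECERT, ECERT_CRL, day),
              "signature from that day acceptable:",
              signature_acceptable(ECERT, ECERT_CRL, day))
```

Running the block shows the three states the notices blur together: on 15 January 2008 the certificate is valid and a signature made that day stays acceptable for good; on 9 February 2010 it is suspended, so it cannot sign but a removeFromCRL entry would restore it; after 22 May 2010 it is expired, and no CRL entry can bring it back. A suspension notice that talks about the certificate having "ceased to be valid" is describing the middle state in the language of the last one.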