


Hongkong Post's new root certificate admitted to Microsoft Root Certificate Program

Hongkong Post's new root certificate ("Hongkong Post Root CA 1") was admitted to the Microsoft Root Certificate Program

Starting from April 2004, Hongkong Post's new root certificate ("Hongkong Post Root CA 1") was admitted to the Microsoft Root Certificate Program, in addition to the old root certificate ("Hongkong Post Root CA") which had already been admitted in July 2003. The program aims at protecting Microsoft customers from security issues related to the use of public key infrastructure (PKI) certificates. This means that Internet Explorer and Outlook Express users of Windows XP and Windows 2003 will now trust certificates issued by Hongkong Post under the two root certificates.

Users on platforms earlier than Windows XP can also obtain and install the two Hongkong Post root certificates on their operating systems when they run Windows Update at http://windowsupdate.microsoft.com. Please note that the Root Certificate Update is not a critical update, so users need to explicitly open the optional Windows 98/ME/NT/2000 update list and include the Root Certificate Update.

The admission of Hongkong Post to the Microsoft Root Certificate Program is a solid proof of the trustworthiness of the Hongkong Post CA System and e-Cert.

Disclosure Records of Recognized Certification Authorities

In accordance with section 31(1) of the Electronic Transactions Ordinance (Cap. 553) (the Ordinance), the Director of Information Technology Services must maintain for each recognized certification authority (CA) an on-line and publicly accessible record.

As at today, the disclosure records are found at the following links:

1. Disclosure Record for Digi-Sign Certification Services Limited

2. Disclosure Record for HiTRUST.COM (HK) Incorporated Limited

3. Disclosure Record for the Postmaster General

Disclosure Record for Other Recognized CA

Currently, no other CA is recognized under the Ordinance. Therefore, the above 3 CAs are the only recognised CAs as at 23rd June 2004.

Archive of Disclosure Record for CA Whose Recognition Has Been Revoked

1. Disclosure Record for Joint Electronic Teller Services Limited

HiTRUST.COM (HK) Incorporated Limited

HiTRUST.COM (HK)

HiTRUST was incorporated in Hong Kong in August 2000. It is a joint venture of HiTRUST Incorporated and the New World Group.

Being a Recognized Certificate Authority certified by the Hong Kong government as well as a VeriSign International Affiliate, HiTRUST.COM (HK) specializes in the provision of managed digital certificate services to help enterprises sharpen their competence in the trust e-commerce world.

HiTRUST Incorporated

Founded in March 1998, HiTRUST's core business is the provision of solutions for secure eCommerce. In April 2000, HiTRUST.COM Incorporated was officially established with capital of about US$100 million. The major shareholders include Acer Group, HSBC, New World Group, AIG and VeriSign. The continuous growth of HiTRUST has been achieved through an unrivalled commitment to, and focus on, commercially successful, secure eCommerce.

Targeting the Greater China region, HiTRUST has been successfully providing leading-edge, trusted total solutions and customized, high added-value services including Commerce Content, eBusiness Operation, ePayment & eBilling, Financial Services Software, Application Server and eCommerce Security to the region's corporations, telecommunication companies, financial institutions and service providers.

HiTRUST's success depends on its product offerings and reputation for value and trust in the secure eCommerce industry. Early on, HiTRUST identified the opportunities developing in the region and has expanded its business operation into Taiwan, Hong Kong, Shanghai and Beijing, by opening its branch offices and strategic investment in eCommerce related businesses. In the future, HiTRUST will continuously offer industry-leading technologies and services to customers in the Greater China region and its brand will remain at the head of the region's secure eCommerce industry.

Liability

The conditions on using a digital certificate deal with the liability of the certificate owner and of the CA. The following is taken from the Certificate Practice Statement (CPS) of the CA of the University of Science and Technology and is quoted here as an example:

Liability of Certificate Owner

Without limiting other certificate owner obligations stated in the CPS, certificate owners are liable for any misrepresentation they make in certificates to third parties that reasonably rely on the representations contained therein.

Liability of HKUST CA

HKUST CA:

· Does not warrant the accuracy, authenticity, completeness or fitness of any unverified information contained in certificates or otherwise compiled, published, or disseminated by or on behalf of HKUST CA.

· Shall not incur liability for representations of information contained in a certificate, provided the certificate content substantially complies with the CPS.

· Does not warrant "non-repudiation" of any certificate or message (because non-repudiation is determined exclusively by law and the applicable dispute resolution mechanism).

Certificate Repository

Certificate Internal Database is a database that keeps track of pending certificate requests, issued or revoked certificates, the private Certificate Revocation List (CRL), etc. Only the RA and CA have the right to update this database. A web user interface will be provided for users to query the status of their certificate requests and any issued or revoked certificate. Various fields in the certificate, such as serial number, expiry date, subject name, etc., will be indexed. This will allow faster queries based on these standard attributes.

A high-performance directory server, based on the IETF LDAP standard, is used as a public repository for the Certificate Revocation List (CRL) and for user and CA certificates. Its design is based on the RFC 2587 schema. A standard LDAP interface will be provided to native clients for retrieving certificates for applications such as S/MIME or SSL client authentication.
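The internal database described in this section can be modelled as below. This is an added example, not code from the page or from any CA it describes: it uses SQLite, lets only the RA and CA roles change a record, keeps the status query read-only, and indexes subject name and expiry date. Table, column and role names and the sample rows are constructed for illustration, and listing only unexpired revoked certificates in the CRL is an assumption.

```python
import sqlite3

SCHEMA = """
CREATE TABLE certificate (              -- constructed schema for illustration
    serial_no    INTEGER PRIMARY KEY,   -- primary key, so indexed implicitly
    subject_name TEXT NOT NULL,
    status       TEXT NOT NULL CHECK (status IN ('pending', 'issued', 'revoked')),
    expiry_date  TEXT,                  -- ISO date, NULL while pending
    revoked_on   TEXT                   -- ISO date, NULL unless revoked
);
CREATE INDEX idx_subject ON certificate (subject_name);
CREATE INDEX idx_expiry  ON certificate (expiry_date);
"""
WRITER_ROLES = {"RA", "CA"}  # assumed role labels; only these may update

class CertificateDB:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def _write(self, role, sql, params):
        """Run one state-changing statement on behalf of `role`."""
        if role not in WRITER_ROLES:
            raise PermissionError(f"role {role!r} may not update the database")
        with self.db:  # commit on success, roll back on error
            changed = self.db.execute(sql, params).rowcount
        if changed != 1:
            raise ValueError("no certificate in the required state")

    def request(self, role, serial_no, subject_name):
        self._write(role, "INSERT INTO certificate (serial_no, subject_name, status)"
                    " VALUES (?, ?, 'pending')", (serial_no, subject_name))

    def issue(self, role, serial_no, expiry_date):
        # Only a pending request can become an issued certificate.
        self._write(role, "UPDATE certificate SET status = 'issued', expiry_date = ?"
                    " WHERE serial_no = ? AND status = 'pending'",
                    (expiry_date, serial_no))

    def revoke(self, role, serial_no, revoked_on):
        # Only an issued certificate can be revoked.
        self._write(role, "UPDATE certificate SET status = 'revoked', revoked_on = ?"
                    " WHERE serial_no = ? AND status = 'issued'",
                    (revoked_on, serial_no))

    def status(self, serial_no):
        """Read-only lookup, as the web query interface would perform."""
        row = self.db.execute("SELECT status FROM certificate WHERE serial_no = ?",
                              (serial_no,)).fetchone()
        return row[0] if row else None

    def crl_entries(self, today):
        """(serial, revocation date) for revoked certificates not yet expired."""
        return self.db.execute(
            "SELECT serial_no, revoked_on FROM certificate"
            " WHERE status = 'revoked' AND expiry_date >= ? ORDER BY serial_no",
            (today,)).fetchall()

    def query_plan(self, sql, params=()):
        """SQLite's plan text, to confirm a lookup is served by an index."""
        rows = self.db.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
        return " ".join(row[-1] for row in rows)

def build_sample():
    """Constructed sample data: one issued, one revoked, one pending request."""
    repo = CertificateDB()
    for serial, subject in [(1001, "CN=Alice Example"), (1002, "CN=Bob Example"),
                            (1003, "CN=Carol Example")]:
        repo.request("RA", serial, subject)
    repo.issue("CA", 1001, "2026-01-01")
    repo.issue("CA", 1002, "2026-06-30")
    repo.revoke("CA", 1002, "2025-03-01")
    return repo

if __name__ == "__main__":
    print(build_sample().crl_entries("2025-06-01"))
```
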

HKU Certification Authority (HKUCA)

HKU Certification Authority (HKUCA), run by the HKU Computer Centre, set up public key infrastructure (PKI) to issue HKU digital certificates (HKU-Cert) from 22nd September 2000 to current HKU staff and students (HKU members).

Personal: the HKU-Cert of a HKU member serves as his digital identity for him to authenticate himself and sign electronically in using HKU Electronic Services Delivery (HKUESD) of digital signature applications.

Server: from 1st February 2002, HKUCA also issues HKU-Cert (Server) to administrators of computer servers approved by HKUCA. The server named in a HKU-Cert (Server) can use the certificate in applications employing Secure Socket Layer (SSL) encryption.

According to the University, HKUCA is not seeking Recognized CA status, as defined in the Electronic Transactions Ordinance, from the Director of Information Technology Services Department of the HK SAR Government. Therefore, HKUCA is not subject to the governing rules and regulations set out in the Electronic Transactions Ordinance.

New Offences under ETO

To safeguard the integrity and trustworthiness of the CA system, three new offences were created by the Electronic Transactions Ordinance, each of which can result in a fine or imprisonment if committed.

obligation of secrecy under s.46

A person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Ordinance shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person.

false information under s.47

A person who knowingly or recklessly makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Ordinance which is untrue, inaccurate or misleading commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.

false claim as recognised CA under s.48

A person who makes a false claim that a person is a recognized certification authority commits an offence and is liable in the case of an individual to a fine at level 6 and to imprisonment for 6 months and in any other case, to a fine at level 6.

Digi-Sign Certification Services Limited (Digi-Sign)

Digi-Sign is the first private CA recognised pursuant to the Electronic Transactions Ordinance. Its recognition status was granted by the Director of Information Technology Services in July 2001 on application by Digi-Sign.

Digi-Sign was only set up in October 2000. Before its recognition, its services as a certification authority were operated by Tradelink (full name being Tradelink Electronic Commerce Limited). Digi-Sign is therefore a spin-off and wholly-owned subsidiary of Tradelink. At the time of the recognition, Digi-Sign issued two classes of recognised digital certificate. The two classes of recognised certificates are called ID-Cert. They are issued by Digi-Sign under the Certification Practice Statement (CPS) issued by Digi-Sign.

  • Personal ID-Cert Class 1 and
  • Organizational ID-Cert Class 2
  • Reference: see 'Recognition Status' page at Digi-Sign's web-site.

    Like any other certification authorities, Digi-Sign publishes a CPS. It sets out the practices to register subscribers, verify the subscriber applications, manage and control the processing of digital certificate issuance, acceptance of the certificates by the subscribers, suspension and revocation of the certificate.

    To download the CPS, please visit the relevant page and link at the web-site of Digi-Sign.

    Recognition authority and Certificates

    Director of Information Technology Services (DITS) is the authority to grant Government recognition

    The Director may recognise certificates issued by a recognised authority as recognised certificates

    Number of CAs and Recognition

    Under the HKSAR Government's policy, there is no exclusivity in CA services; the number of CAs is to be determined by the market. Presently, the Postmaster General is a recognised certification authority by virtue of the Electronic Transactions Ordinance. Digi-Sign is an example of a private recognised CA.

    Recognised CA's Code of Practice

    In accordance with section 33 of the Electronic Transactions Ordinance, the Director of Information Technology Services (the Director) may issue a code of practice specifying standards and procedures for carrying out the functions of recognized certification authorities.

    The Code of Practice for Recognized Certification Authorities was published in January 2000.

    Supplementary Note to the Code of Practice for Recognized Certification Authorities on 28 March 2001.

    Period of recognition of CA

    The validity period for recognition of a CA will normally be two years. The recognized CA may apply to the Director for renewal of the recognition. In accordance with section 27(2) of the Ordinance, an application for renewal must be made at least 30 days before but not earlier than 60 days before the expiry of the period of validity of the recognition.

    Assessment Report on CA

    S.20(3)(b) states that a CA applying for recognition must furnish to the Director a report containing an assessment as to whether the CA is capable of complying with provisions of the Ordinance applicable to a recognized CA and the Code of Practice.

    The report shall be prepared by a person acceptable to the Director as being qualified to give such a report. Qualifications of the person are set out in section 12 of the Code of Practice.

    Basis of CA's Recognition

    Recognition shall only be granted to those CAs that have achieved a standard acceptable to the Government. Section 21(4) of the Ordinance states that in determining whether the applicant is suitable for recognition, the Director shall, in addition to any other matter the Director considers relevant, take into account the following :

    1. whether the applicant has the appropriate financial status for operating as a recognized CA in accordance with the Ordinance and the Code of Practice;

    2. the arrangements put in place or proposed to be put in place by the applicant to cover any liability that may arise from its activities relevant for the purposes of the Ordinance;

    3. the system, procedure, security arrangements and standards used or proposed to be used by the applicant to issue certificates to subscribers;

    4. the report, referred to in section 20(3)(b) of the Ordinance, which contains an assessment as to whether the applicant is capable of complying with provisions of the Ordinance applicable to a recognized CA and the Code of Practice;

    5. whether the applicant and its responsible officers are fit and proper persons; and

    6. the reliance limits set or proposed to be set by the applicant for its certificates.

    The CA Recognition Scheme

    Under s.20(1) of the Ordinance, certification authorities (CAs) may seek recognition from the Director of Information Technology Services (the Director). On application by a CA, the Director may grant recognition under the Ordinance to the CA and/or to all certificates, or a particular type, class or description of certificates or a particular certificate issued or to be issued by the CA.

    Recognition Scheme for Certification Authorities (CAs)

    The recognition scheme for Certification Authorities (CAs) is entirely voluntary. A CA can carry on business as a CA without obtaining recognition status. For instance, Tradelink has been practising as a CA since 1997. In some countries, like Malaysia, a CA must be licensed by the Government, and carrying on CA business without a licence is an offence in law.

    The benefit of recognition status is that a recognised CA enjoys the protections given by the Ordinance regarding its liabilities. Besides, a recognised digital signature generated by a recognised CA can have the legal status of a manual signature. Government services obtained under the ESD Scheme require the use of a digital signature given by a recognised CA for the purpose of authenticating the individual's or organisation's identity and binding their legal commitment.

    The recognition scheme is monitored and serviced by the Director of Information Technology Services (DITS) through the Recognition Office of the department.

    Digi-Sign and Guangdong Electronic Certification Authority cooperate on "Unified-Cert" Service

    Digi-Sign Certification Services Limited (Digi-Sign) announced today the cooperation with Guangdong Electronic Certification Authority (GDCA) on the "Unified-Cert" service, which makes it possible for residents based in Mainland China to procure both the Digi-Sign ID-Cert and the digital certificate of GDCA in one single application. The new service is expected to bring the level of online transactions between the two places to a new height.

    Digi-Sign Certification Services Limited is a wholly-owned subsidiary of Tradelink. It is the first private Certification Authority recognized by the Hong Kong SAR Government under the Electronic Transactions Ordinance. Branded ID-Cert, the digital certificates issued by Digi-Sign can be used to authenticate a wide range of trade transactions online including government transactions, internet banking, legal document service, online stock trading, online betting service, etc. So far, over 170,000 ID-Certs have been issued.

    Guangdong CA, established in 2000, is the certification authority approved by the Guangdong provincial government. The Guangdong CA digital certificate, of which about 180,000 have been issued so far, has been widely adopted as a trusted and secure solution for online applications such as tax submission, trade declarations, electronic tendering and purchasing as well as several major e-government development projects.

    Justin Yue, Chairman of Digi-Sign, said, "The cooperation between GDCA and Digi-Sign has expanded the scope of the use of digital certificates. Customers in Hong Kong and Guangdong can now benefit from a trusted and secure solution to conduct online transactions. At the same time, it also promotes further the facilitation of trade and the development of e-commerce between the two places."

    Mr. Yin Guan Xin, director of GDCA, said, "Both Hong Kong and Guangdong have established their respective Electronic Transaction Ordinance (ETO), which provides a legal framework enabling electronic records and digital signatures to enjoy legal recognition similar to their paper-based counterparts. This legal framework will also act as a common platform for further cooperation between GDCA and Digi-Sign. The joint "Unified-Cert" service, which brings to customers a convenient and reliable authentication service, will certainly lead to an increase of online activities between Hong Kong and Guangdong."

    Customers who are Mainland residents in possession of valid travel documents to Hong Kong or Hong Kong Identity Card holders are eligible to apply for the "Unified-Cert" with a validity of 2 years. For details, please visit the websites of Digi-Sign (www.dg-sign.com) or GDCA (www.cnca.net).


    Two more private companies become recognized CA: HiTRUST and JETCO

    The Director of Information Technology Services (the Director), Mr Alan Wong Chi-kong, today (April 29) granted recognition to HiTRUST.COM (HK) Incorporated Limited (HiTRUST) and Joint Electronic Teller Services Limited (JETCO) as recognized certification authorities under the Electronic Transactions Ordinance (Cap. 553).

    To foster the development of electronic commerce in Hong Kong, the Government has taken the initiative under the "Digital 21" Information Technology Strategy to provide a secure environment for the conduct of electronic transactions by members of the public.

    As part of this initiative, the Government has established the voluntary recognition scheme for certification authorities under the Electronic Transactions Ordinance.

    A certification authority issues digital certificates to subscribers, allowing them to conduct electronic transactions with other parties in a secure manner.

    "The Government encourages the private sector to provide services as certification authorities. To keep regulatory control to the minimum, there is no mandatory licensing requirement for certification authorities to operate in Hong Kong. Instead, certification authorities may apply to the Director for recognition under the voluntary recognition scheme," said a spokesman for the Information Technology Services Department (ITSD).

    Being a recognized certification authority will enhance public confidence in using the service of the certification authority, because the Director will only grant recognition to a certification authority which has reached a trustworthy standard acceptable to the Government.

    With recognition granted by the Director to HiTRUST and JETCO, there are now four recognized certification authorities operating in Hong Kong.

    The other two recognized certification authorities are Digi-Sign Certification Services Limited that was granted recognition by the Director in July 2001, and the Postmaster General who is a recognized certification authority as provided under the Electronic Transactions Ordinance. The Postmaster General started operation of the Hongkong Post Certification Authority in January 2000.

    "It is encouraging to see that there are now multiple recognized certification authorities operating in Hong Kong, providing the public with more choices. It demonstrates business interests and opportunities in the local market in respect of the provision of certification authority services that will facilitate and drive the public to conduct more electronic transactions in a secure manner," the spokesman added.

    Under the voluntary recognition scheme, the Director may also grant recognition on application to digital certificates issued by a recognized certification authority. The Director has granted recognition to two types of digital certificate that HiTRUST will issue to individuals and organisations, and to one type of digital certificate that JETCO will issue to individuals.

    More details of the voluntary recognition scheme are available on the web site of ITSD (http://www.itsd.gov.hk/itsd/caro/ecaro.htm).

    Under the Electronic Transactions Ordinance, the Director needs to maintain a disclosure record for each recognized certification authority. The disclosure records for HiTRUST and JETCO are also available on the ITSD web site.

    End/Monday, April 29, 2002

    HiTRUST.COM (HK) AWARDED Recognized Certification Authority by HKSAR government

    The Hong Kong Information Technology Services Department ('ITSD') has granted recognition to HiTRUST.COM (HK) Incorporated Limited ('HiTRUST') as a Recognized Certification Authority ('RCA') under the Electronic Transactions Ordinance (Cap. 553) ('ETO').

    Various types of digital certificate services are currently being offered by HiTRUST, ranging from server certificate for SSL secure web site, individual certificates for secure messaging, to device certificate deploying on mobile phone or cable modem.

    According to the regulation set in the ETO, only the digital signatures generated by using RCA's digital certificate are regarded as statutory signatures and subsequently under the protection of the ETO.

    Being a RCA, according to the voluntary recognition scheme for certification authorities under the ETO, it is regarded to be qualified in protecting consumers' interests and in general enhance public confidence in electronic transactions.

    Aspects concerned are Certificate Practice Statement, certificate generation and issuance procedures, liability and insurance coverage, disaster restoring plan, information security, facilities security, personnel security and corporate financial viability, etc.

    Under the ETO, ITSD needs to maintain a disclosure record for each recognized certification authority. The disclosure records for HiTRUST can be found on the ITSD web site at https://secure1.info.gov.hk/itsd/english/caro/esub43.htm.

    Hongkong Post and Guangdong Electronic Certification Authority cooperate on Cross Certification Arrangement

    Hongkong Post today (March 20) announced an arrangement to step up the cooperation between Hongkong Post Certification Authority and Guangdong Electronic Certification Authority in the area of cross certification.

    Mr Luk Ping-chuen, the Postmaster General, signed a "Cross Certification Cooperation Arrangement" with Mr Sun Xiaohe, Vice President of the Guangdong Electronic Certification Authority Ltd today in Guangzhou. The two parties will explore the establishment of a reliable and seamless cross-certification system between the two Certification Authorities in Hong Kong and Guangdong. In addition, they will explore joint procurement and development of open PKI based applications to facilitate secure transactions over the Internet. This collaboration signifies Hongkong Post's initiative in promoting closer ties with the certification authorities in the Mainland and in fostering e-commerce activities between Hong Kong and Guangdong.

    Mr Luk said, "We are delighted to be able to establish closer cooperation relationship with Guangdong Electronic Certification Authority. Such cooperation will enhance both parties' positioning as major leading Internet hub in South China and help promote e-commerce in the region."

    Mr Luk added, "Hongkong Post will continue to explore opportunities to enlist more partners to promote cross-certification co-operation in order to promote the use of digital certificate around the world."

    The ceremony was witnessed by Ms Adeline Wong, Principal Assistant Secretary, Information Technology and Broadcasting Bureau of the Hong Kong Special Administrative Region Government and Mr Xu Zhibiao, Director of Guangdong Information Industry Department.

    Hongkong Post is the first public certification authority in Hong Kong recognised under the Electronic Transactions Ordinance enacted in January 2000. The digital certificates issued by Hongkong Post, officially known as the e-Cert, allow people to authenticate the identity of digital certificate holders on the Internet. Hongkong Post e-Certs play an integral part in the new Smart ID Card replacement exercise scheduled to commence in mid-2003. Under this Scheme, each of the 6.8 million smart ID cardholders will be offered an option to embed a Hongkong Post e-Cert on their Smart ID Cards. With all these efforts, the Hongkong Post Certification Authority services will continue to provide a solid infrastructure and foster a secure and trusted e-commerce environment in the region.
