Public Key Infrastructure

Public Key Infrastructure Technology

Certification Authorities and Digital Certificates

The effective operation of PKI very much depends on the support of a CA. The main role of a CA is to act as a trusted third party to verify the identity of digital certificate subscribers.

The subscriber can generate the public/private key pair using an application, for example, or a browser running on a workstation. The browser then automatically sends the public key, together with a certificate request, to the CA server. The CA server then creates and digitally signs the subscriber's certificate, subject to positive verification of the subscriber's identity; and sends one copy of the certificate to a Directory Server, while another copy goes to the subscriber. Upon receiving a copy of the certificate, the subscriber can export it together with generated keys to a token, such as floppy diskette or a smart card, for portability among PKI-enabled applications on various platforms.

The Hongkong Post is the first publically recognised CA under the Electronic Transactions Ordinance ("ETO") (Cap. 553). Any organisation and member of the public can buy digital certificates in Hong Kong from Hongkong Post, and they issue different types of digital certificate such as e-Certs, Bank-Certs and Mobile e-Certs. There are also a number of other recognised CAs under the Electronic Transactions Ordinance.