Date: 27 April 2012
Transition Plan for Issuance of e-Cert with 2048-bit RSA Key Length
This serves as a notice of the plan of Hongkong Post Certification Authority (HKPCA) for transitioning e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) from 1024-bit to 2048-bit RSA key length. The transition plan is set out as follows:
| Date | Event |
| --- | --- |
| Starting from 27 April 2012 | Trial e-Cert (Personal) / e-Cert (Organisational) / e-Cert (Encipherment) with 2048-bit RSA key length for testing is available to relying parties upon request. |
| From 28 June 2012 to 31 December 2013 | e-Cert (Personal) / e-Cert (Organisational) / e-Cert (Encipherment) will be issued with 1024-bit RSA key length by default. e-Cert (Personal) (Note 1) / e-Cert (Organisational) / e-Cert (Encipherment) with 2048-bit RSA key length will be issued on request. |
| Starting from 1 January 2014 | e-Cert (Personal) (Note 1) / e-Cert (Organisational) / e-Cert (Encipherment) will be issued with 2048-bit RSA key length only. |
Note 1: For applications requesting the embedding of e-Cert (Personal) on Smart ID Card, applicants will only be issued with e-Cert (Personal) with 1024-bit RSA key length. The arrangements for issuance of e-Cert (Personal) on Smart ID Card with 2048-bit RSA key length will be announced in due course.
The move to 2048-bit RSA keys for cryptographic protection follows an industry trend towards providing a higher level of security for electronic transactions. HKPCA already announced on 1 September 2011 the transition of e-Cert (Server) to 2048-bit RSA key length.
To be in line with the industry practice, relying parties should prepare to support the use of e-Cert with 2048-bit RSA key length in addition to 1024-bit RSA key length. Relying parties should evaluate the implications, if any, on their systems and software, and make them ready for e-Cert with both 1024-bit and 2048-bit RSA key lengths.
Applicants who wish to apply for e-Cert with 2048-bit RSA key length should assess or consult their respective service providers on whether the intended systems or software can support the use of e-Cert with 2048-bit RSA key length.
Starting from 1 January 2014, e-Cert (except for applications requesting the embedding of e-Cert (Personal) on Smart ID Card; see Note 1) will be issued with 2048-bit RSA key length only. e-Cert with 1024-bit RSA key length issued before 1 January 2014 can be used until expiry.
For enquiries, please call Hongkong Post Certification Authority hotline on 2921 6633 or email to enquiry@hongkongpost.gov.hk.
Relevant Questions and Answers
1. Why is it necessary to change the RSA key length of e-Cert to 2048-bit?
The change is in line with industry practice towards the use of 2048-bit RSA keys for cryptographic protection, to provide a higher level of security for electronic transactions.
2. What will be the implications on relying parties?
Relying parties should note that e-Cert with both 1024-bit and 2048-bit RSA key lengths will be available to e-Cert subscribers starting from 28 June 2012. Relying parties should assess their systems and software and make them ready for e-Cert with both key lengths.
3. What will be the implications on e-Cert applicants?
e-Cert applicants who wish to apply for e-Cert with 2048-bit RSA key length should assess or consult their respective service providers on whether the intended systems and software can support the use of e-Cert with 2048-bit RSA key length.
e-Cert applicants who wish to embed e-Cert (Personal) on Smart ID Card should take note of Point 4 below.
4. What will be the implications on subscribers of e-Cert (Personal) on Smart ID Card?
Subscribers of e-Cert (Personal) on Smart ID Card will continue to be issued with e-Cert (Personal) with 1024-bit RSA key length until further notice. The arrangements for issuance of e-Cert (Personal) with 2048-bit RSA key length on Smart ID Card will be announced in due course.
5. What will be the implications on e-Cert subscribers holding e-Cert with 1024-bit RSA key length starting from 1 January 2014?
e-Cert subscribers holding e-Cert with 1024-bit RSA key length can continue to use the e-Cert until expiry. Upon renewal on or after 1 January 2014, e-Cert with 2048-bit RSA key length will be issued. For implications on e-Cert (Personal) on Smart ID Card, please see Point 4 above.
6. Will there be any change in e-Cert application and renewal procedures?
The existing e-Cert application and renewal procedures will remain unchanged. During the period from 28 June 2012 to 31 December 2013, e-Cert applicants may apply for or renew e-Cert with 2048-bit RSA key length. If they do not indicate a choice of key length on their applications, the RSA key length will default to 1024-bit. Starting from 1 January 2014, e-Cert will only be issued with 2048-bit RSA key length for new or renewal applications.
Applicants who wish to apply for or renew e-Cert (Personal) on Smart ID Card should take note of Point 4 above.
7. Where to obtain trial certificates for testing on application systems?
To request trial certificates for testing, relying parties can call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk.