Date: 29 Nov 2013
Issuance of e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) with 2048-bit RSA Key Length only with effect from 1 January 2014
On 27 April 2012, Hongkong Post Certification Authority (HKPCA) announced the transition plan for issuance of e-Cert (Personal), e-Cert (Organisational) and e-Cert (Encipherment) with 2048-bit RSA key length.
This notice serves to remind applicants and subscribers that starting from 1 January 2014, e-Cert (Personal) (Note 1), e-Cert (Organisational) and e-Cert (Encipherment) will be issued only with 2048-bit RSA key length.
The transition plan is summarized as follows:
Date | Event |
Starting from 1 January 2014 | e-Cert (Personal) (Note 1) / e-Cert (Organisational) / e-Cert (Encipherment) will be issued only with 2048-bit RSA key length. |
Starting from 28 May 2014 | Embedment of e-Cert (Personal) in Smart ID Card will be issued only with 2048-bit RSA key length (Note 2). |
For details, please refer to the relevant announcement issued on 27 April 2012.
[Note 1: For applications requesting for embedding e-Cert (Personal) on Smart ID Card, applicants will be issued with e-Cert (Personal) with 1024-bit RSA key length until 27 May 2014.]
[Note 2: From 28 May 2014, requests for applying e-Cert (Personal) on Smart ID Card will be issued with 2048-bit RSA key length if the applicant is holding a Smart ID Card capable for embedment of e-Cert (Personal) with 2048-bit RSA key length (Please refer to "Tips on checking the version of Smart ID Card" for details.) Issuance of e-Cert (Personal) with 1024-bit RSA key length will be ceased.]
Transition Arrangement for Embedment of e-Cert (Personal) in Smart ID Card with 2048-bit RSA Key Length
The move to use 2048-bit RSA key for cryptographic protection is an industry trend towards the provision of higher level of security for electronic transactions. To be in line with the industry practice, HKPCA has started issuing e-Cert (Personal) with 2048-bit RSA key length on request since 28 June 2012. As the Smart ID card introduced in 2003 can only support e-Cert (Personal) with 1024-bit RSA key length (the de-facto standard for digital certificate RSA key length at that time is 1024-bit), subscribers are encouraged to apply for e-Cert (Personal) with 2048-bit RSA key length and to store their e-Cert (Personal) with 2048-bit RSA key length in other storage media such as e-Cert File Card or e-Cert File USB.
From 28 May 2014, e-Cert (Personal) on Smart ID Card will be issued only with 2048-bit RSA key length. For existing subscribers of e-Cert (Personal) with 2048-bit RSA key length, HKPCA is grateful to offer one new e-Cert (Personal) with 2048-bit RSA key length free of first year subscription fee for embedment in Smart ID Card to these subscribers who satisfy the following two conditions:
(i) Holding a e-Cert (Personal) with 2048-bit RSA key length issued between 28 June 2012 and 27 May 2014 which is still valid as of 28 May 2014; and
(ii) Holding a Smart ID Card that is capable for embedment of the e-Cert (Personal) with 2048-bit RSA key length (Note 3) within the Offer Period (Note 4).
For enquiry, please call Hongkong Post Certification Authority hotline on 2921 6633 or email to enquiry@hongkongpost.gov.hk.
[Note 3: Please refer to "Tips on checking the version of Smart ID Card" for details.]
[Note 4: The offer will be applicable during the validity period of the relevant e-Cert (Personal) plus three months grace period ("Offer Period"), i.e. at a maximum of 3 years and 3 months for the applicable e-Cert (Personal). Only ONE NEW e-Cert (Personal) with 2048-bit RSA key length for embedment in Smart ID Card is offered free of first year subscription fee even though the subscriber may have multiple eligible e-Cert (Personal) with 2048-bit RSA key length.]
Relevant Questions and Answers
1. Does Hong Kong Smart ID Card (HKIC) support e-Cert (Personal) with 2048-bit RSA key length, or e-Cert(P) in short?
The Smart HKICs issued since 2003 can only support e-Cert(P) with 1024-bit RSA key length (the de-facto standard for digital certificate RSA key length at that time is 1024-bit). Drawing reference to the recent technology advancements, industry and market trend, as well as government relevant policy and guidelines, Immigration Department has started since the later half of 2013 to issue HKICs that support e-Cert(P) with 2048-bit RSA key length.
2. How can HKIC holders know if their HKICs can support e-Cert(P) with 2048-bit RSA key length or not?
HKIC holders can check whether their HKICs support e-Cert(P) with 2048-bit RSA key length through the free e-Cert Control Manager, which can be downloaded from the HKPCA website. Subscribers can also find more details from the website and/or contact the e-Cert Customer Services Hotline at (852) 2921 6633 for further advice and assistance.
3. What can subscribers do if they have checked that their HKICs do not support e-Cert(P) with 2048-bit RSA key length?
Subscribers can choose to store their e-Cert(P) with 2048-bit RSA key length in other storage media such as e-Cert File Card (without additional cost), or e-Cert File USB (at extra unit cost of $40).