Date: 22 Jul 2015
Transition Plan for Issuance of e-Cert (Server) Supporting Online Certificate Status Protocol
Online Certificate Status Protocol ("OCSP") is one of the two mechanisms for obtaining the revocation status of a digital certificate. The existing mechanism is the Certificate Revocation List ("CRL"), which Hongkong Post Certification Authority ("HKPCA") has been publishing for years. Since OCSP has become a Baseline Requirement published by the CA/Browser Forum (#1) for the issuance of SSL certificates, major CAs have already started to issue SSL certificates supporting OCSP. To be in line with industry practice, HKPCA will issue e-Cert (Server) supporting OCSP in phases according to the following transition plan:
Date | Event |
With immediate effect | Trial e-Cert (Server) supporting OCSP is available for testing upon request |
From 1 September 2015 to 31 August 2016 | e-Cert (Server) supporting OCSP will be issued by default. Existing e-Cert (Server) not supporting OCSP with 1-year validity period will only be issued upon written request. |
Starting from 1 September 2016 | Only e-Cert (Server) supporting OCSP will be issued. All e-Cert (Server) not supporting OCSP will CEASE to be issued. |
As only e-Cert (Server) supporting OCSP will be issued starting from 1 September 2016, e-Cert (Server) subscribers should prepare for the use of e-Cert (Server) supporting OCSP and evaluate the implications, if any, for their servers and related client applications. To request trial certificates for testing, please call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk.
#1 The CA/Browser Forum is an international organization of Certification Authorities and suppliers of Internet browser software and other relying-party software applications.
Support Arrangement on the Replacement Service for Existing e-Cert (Server) Certificates not supporting OCSP
Hongkong Post Certification Authority (HKPCA) will offer a replacement service for e-Cert (Server) supporting OCSP to existing e-Cert (Server) subscribers.
The support arrangement on the replacement service is summarized as follows:
Period | 1 September 2015 until 31 December 2017 |
Customers | Existing subscribers who have any e-Cert (Server) not supporting OCSP. |
Support Arrangement | Provision of a replacement e-Cert (Server) supporting OCSP, with the subscription fee waived within the validity period of the original e-Cert (see Notes). |
How-to Apply | Call our hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk to check eligibility for the offer and arrange replacement. |
Notes:
1: The subscription fee of the replacement e-Cert (Server) supporting OCSP during the validity period will be charged on a pro-rata monthly basis for the period beyond the expiry date of the original e-Cert (Server) not supporting OCSP. An invoice will be sent to the subscriber directly for each successful application. If no payment is received, we reserve the right to suspend the replacement e-Cert (Server) supporting OCSP after the expiry date of the original e-Cert (Server) not supporting OCSP.
2: The type of the replacement e-Cert (Server) supporting OCSP will be consistent with the original e-Cert (Server) not supporting OCSP.
3: The validity period of the replacement e-Cert (Server) supporting OCSP must not be shorter than the remaining validity period of the original e-Cert (Server) not supporting OCSP.
Example:
Assuming the current e-Cert (Server) not supporting OCSP (without "Wildcard" feature and "Multi-domain" feature) is valid until 30 June 2016 and the replacement 2-year e-Cert (Server) supporting OCSP (without "Wildcard" feature and "Multi-domain" feature) has a validity period from 1 January 2016 to 31 December 2017, the number of remaining months of validity of the replacement e-Cert (Server) would be 18 months (i.e. July 2016 to December 2017). The subscriber will be charged on a pro-rata monthly basis, currently at the discounted price of HK$187.5 per remaining month, for a total of HK$3,375.
For enquiries, please call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk.
Frequently Asked Questions
1. Why is it necessary to use e-Cert (Server) supporting OCSP?
The Online Certificate Status Protocol (OCSP) is an alternative to the Certificate Revocation List (CRL); both are used for getting the e-Cert's revocation status. An OCSP response contains less information than a typical CRL, so it puts less burden on network and client resources. The e-Cert (Server) supporting OCSP is considered to be more robust than the existing e-Cert (Server) not supporting OCSP.
2. What will be the implications to the existing subscribers of e-Cert (Server) and relying parties?
Hongkong Post e-Cert (Server) supporting OCSP is similar to the original e-Cert (Server), except that the OCSP function is enabled. Relying application owners, however, are recommended to verify whether code changes are required. Starting from 1 September 2015, HKPCA will issue e-Cert (Server) supporting OCSP by default. HKPCA will issue e-Cert (Server) not supporting OCSP with 1-year validity period until 31 August 2016 upon written request only. Server administrators and relying parties should assess their systems and software and make them ready for e-Cert (Server) supporting OCSP.
3. Will there be any change in e-Cert (Server) subscription and revocation procedures?
The existing e-Cert (Server) subscription and revocation procedures will remain unchanged. During the period from 1 September 2015 to 31 August 2016, e-Cert (Server) supporting OCSP will be issued by default. Old e-Cert (Server) not supporting OCSP with 1-year validity period will only be issued upon written request. Starting from 1 September 2016, only e-Cert (Server) supporting OCSP will be issued for new or renewal applications.
4. We are using an e-Cert (Server) not supporting OCSP that has not expired yet. Do we need to pay more for the new e-Cert (Server) supporting OCSP?
A support arrangement on the replacement service for existing e-Cert (Server) not supporting OCSP is available to subscribers. The subscription fee of the replacement e-Cert (Server) supporting OCSP during the validity period will be charged on a pro-rata monthly basis for the period beyond the expiry date of the original e-Cert (Server) not supporting OCSP. An invoice will be sent to the subscriber directly for each successful application. If no payment is received, we reserve the right to suspend the replacement e-Cert (Server) supporting OCSP after the expiry date of the original e-Cert (Server) certificate.
5. We want to apply for the support arrangement for replacement of existing e-Cert (Server) not supporting OCSP. What is the application procedure?
Existing subscribers who have e-Cert (Server) not supporting OCSP can call our hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk to apply.
6. Our servers are using e-Cert (Server) not supporting OCSP. May we request trial certificates to perform testing on our servers?
Trial e-Cert (Server) supporting OCSP is available for testing upon request. To request trial certificates for testing, please call the Hongkong Post Certification Authority hotline on 2921 6633 or email enquiry@hongkongpost.gov.hk.