Monday, September 26, 2011

Experience with Hongkong Post e-Cert

In short, frustrated.

(1) I waited 45 minutes at the designated post office. The staff members there were not so familiar with the system. Moreover, the system hung and needed a reboot. The reboot took 20 minutes. One of the staff members told me that the e-Cert system had not been updated for 10 years.
(2) They mailed the smartcard to me, but to the wrong postal address. This is not the first time I have applied for a Hongkong Post e-Cert. I had put my office address as the postal address this time. However, they actually mailed it to my home address.
(3) The smartcard I received is not Windows CSP compatible. When I put it into a PC/SC-compatible reader, Windows 7 prompted to install drivers. However, no driver was found for the card. The software that comes from Hongkong Post (downloadable online) actually extracts the p12 (PKCS#12) file from the card and saves it to the file system, without the need for a password/passphrase. This means the card is a memory card. If this is the case, there is no need to use a smartcard as a delivery medium. The principle of using a smartcard is to make sure the private key cannot be duplicated.
(4) The current CPS states that for an e-Cert for a person (personal/organizational/encipherment), users cannot generate their own key-pair. The key-pair is generated by Hongkong Post on behalf of the user. This poses a risk of key leakage: as mentioned in (3), anyone with the p12 file can brute force the password/passphrase. And Hongkong Post uses a 16-digit numeric-only passphrase. This makes getting the private key much easier.
All in all, the risks and concerns are quite high in the overall e-Cert provisioning process. I think this should be reported to OGCIO and the audit body of the Hongkong Post e-Cert CA.
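To put the 16-digit numeric passphrase from point (4) into numbers, the following added example (not part of the original post and not Hongkong Post's code) compares passphrase policies for a PKCS#12 file by work factor. The KDF iteration count and the offline hash rate are assumptions chosen for illustration; the post states neither.

```python
import math
import string

# Assumptions for illustration only; the post does not give these figures.
ASSUMED_KDF_ITERATIONS = 2048      # a common PKCS#12 default, not confirmed for e-Cert
ASSUMED_HASHES_PER_SECOND = 1e10   # hypothetical offline hash rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def passphrase_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)

def effective_bits(alphabet_size, length, kdf_iterations=ASSUMED_KDF_ITERATIONS):
    """Work in bits: each guess costs roughly kdf_iterations hash operations."""
    return passphrase_bits(alphabet_size, length) + math.log2(kdf_iterations)

def years_to_exhaust(bits, hashes_per_second=ASSUMED_HASHES_PER_SECOND):
    """Time to cover the whole space at the assumed rate."""
    return 2 ** bits / hashes_per_second / SECONDS_PER_YEAR

def min_length_for(target_bits, alphabet_size, kdf_iterations=ASSUMED_KDF_ITERATIONS):
    """Shortest random passphrase over the alphabet that reaches target_bits of work."""
    needed = target_bits - math.log2(kdf_iterations)
    return math.ceil(needed / math.log2(alphabet_size))

# Policies to compare: (alphabet size, length). Only the first is from the post.
POLICIES = {
    "16 digits (as issued)": (len(string.digits), 16),
    "16 alphanumeric": (len(string.ascii_letters + string.digits), 16),
    "16 printable ASCII": (len(string.ascii_letters + string.digits + string.punctuation), 16),
}

def report(target_bits=112):
    """Rows of (policy, entropy bits, effective bits, years, length needed for target)."""
    rows = []
    for name, (alphabet, length) in POLICIES.items():
        eff = effective_bits(alphabet, length)
        rows.append((name, round(passphrase_bits(alphabet, length), 2), round(eff, 2),
                     years_to_exhaust(eff), min_length_for(target_bits, alphabet)))
    return rows

if __name__ == "__main__":
    for name, raw, eff, years, need in report():
        print(f"{name:24} {raw:7.2f} bits  {eff:7.2f} with KDF  "
              f"{years:10.3g} years  needs {need} chars for 112 bits")
```

The 112-bit target is the commonly cited strength of an RSA-2048 key: a passphrase protecting the exported private key should not be weaker than the key itself.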