Cryptomathic’s Signer Builds on the Only QSCD Certified under SOG-IS

Under eIDAS, a qualified electronic signature creation device (QSCD) must be certified and approved to be used for generating qualified electronic signatures (QES). Cryptomathic’s Signer is the only QSCD that is certified under the SOG-IS agreement using the Common Criteria Recognition Arrangement (CCRA).

Its security target is written in strict conformance with EN 419 241-2: Trustworthy Systems Supporting Server Signing Part 2, Protection Profile for QSCD for Server Signing, CEN April 2019.

The process for becoming SOG-IS certified is quite intense.

Participants must:

Perform a stricter interpretation of Common Criteria specifications and prevent the environment from enforcing SFRs
Have standardized additional requirements for specific technical domains, including those for smartcards and hardware devices, such as HSMs
Have extensive experience with the composite evaluation approach that was created originally for the technical domain of smartcards
Understand the consequences of not addressing the integration between software and the underlying platform when considering possible vulnerabilities

Understanding the Importance of SOG-IS

To participate with SOG-IS, Participants must commit themselves to recognize applicable certificates that have been authorized by any Participant who authorizes certificates. These authorizations verify that the evaluation and certification processes have been done in accordance with the following standards:

Accepted IT security evaluation criteria
Accepted IT security evaluation methods
An Evaluation and Certification Scheme that is managed by a compliant Certification Board in authorizing Participant’s country

In addition, the objectives of SOG-IS are satisfied with the issuance of authorized conformant certificates. Certificates that meet all these conditions are named conformant certificates for the purposes of the SOG-IS agreement.

SOG-IS uses the IT security evaluation criteria that are specified in the Common Criteria for Information Technology Security Evaluation (CC) and the Information Technology Security Evaluation Criteria (ITSEC). The versions endorsed by the Management Committee and evaluation methods are specified in the Common Evaluation Methodology for Information Technology Security Evaluation (CEM), the Information Technology Security Evaluation Manual (ITSEM), and supporting documents from JIWG.

At a minimum, for an evaluation and certification like that of Cryptomathic Signer to be considered as being carried out in a duly professional manner, the Evaluation Facility must either be:

Accredited by a recognized Accreditation Body in its respective country in accordance with ISO 17025, or through an interpretation approved by all Participants and approved and licensed under SOG-IS’s Annex B.3; or
Established under the laws or other official administrative procedures that are valid in the concerned country and meet the specified requirements under Annex B.3.

Additionally, the Certification Body must be accepted as compliant and also:

Either be accredited in its respective country by a recognized Accreditation Body in accordance with EN 45011 or with a national interpretation of EN 45011 that, at a minimum, satisfies requirements under SOG-IS’s Annex C; or

Be well-established through laws or other valid administrative procedures in the concerned country and meet the requirements of EN 45011 or satisfy the requirements of EN 45011 under SOG-IS’s Annex C.

Benefits Achieved Through SOG-IS Compliance

To maintain the goal of the consistent, credible, and competent application of SOG-IS criteria and methods, Certification Bodies must accept the responsibility for monitoring all active evaluations at an appropriate level. They must also carry out other steps to ensure that all their IT Security Evaluation Facilities:

Perform impartial evaluations
Correctly and consistently apply the criteria and methods
Possess and maintain the technical competencies required by SOG-IS
Can protect the confidentiality of protected information

References

Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more
Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, VERSION 3.0 (Jan, 2010), SOG-IS
Trustworthy Systems Supporting Server Signing Part 2: Protection
Profile for QSCD for Server Signing (2019) by CEN/TC 224
About The Common Criteria (retrieved October 2020), by Common Criteria

Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma

Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma

Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council

Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more