Under eIDAS, a qualified electronic signature creation device (QSCD) must be certified and approved to be used for generating qualified electronic signatures (QES). Cryptomathic’s Signer is the only QSCD that is certified under the SOG-IS agreement using the Common Criteria Recognition Arrangement (CCRA).

Its security target is written in strict conformance with EN 419 241-2: Trustworthy Systems Supporting Server Signing Part 2, Protection Profile for QSCD for Server Signing, CEN April 2019.

The process for becoming SOG-IS certified is quite intense. 

Participants must:

• Perform a stricter interpretation of Common Criteria requirements and prevent the environment from enforcing SFRs
• Have harmonized additional requirements for specific technical domains, including those for smartcards and hardware devices, like HSMs
• Have extensive experience with the composite evaluation approach that was created originally for the technical domain of smartcards
• Understand the consequences of not addressing the integration between software and the underlying platform when considering possible vulnerabilities

Understanding the Importance of SOG-IS

To participate with SOG-IS, Participants must commit themselves to recognize applicable certificates that have been authorized by any Participant who authorizes certificates. These authorizations confirm that the processes for evaluation and certification have been conducted in a prescribed professional manner according to:

• Accepted IT security evaluation criteria
• Accepted IT security evaluation methods
• An Evaluation and Certification Scheme that is managed by a compliant Certification Board in authorizing Participant’s country

Additionally, the objectives of SOG-IS are satisfied with the issuance of authorized conformant certificates. Certificates that meet all these conditions are named as conformant certificates for the purposes of the SOG-IS agreement.

SOG-IS uses the IT security evaluation criteria that is specified in the Common Criteria for Information Technology Security Evaluation (CC) and the Information Technology Security Evaluation Criteria (ITSEC). The versions endorsed by the Management Committee and methods for evaluation are those that are specified in the Common Evaluation Methodology for Information Technology Security Evaluation (CEM), the Information Technology Security Evaluation Manual (ITSEM) and supporting documents from JIWG.

At a minimum, for an evaluation and certification like that of Cryptomathic Signer to be considered as being carried out in a duly professional manner, the Evaluation Facility must either be:

• Accredited by a recognized Accreditation Body in its respective country in accordance with ISO 17025, or through an interpretation approved by all Participants and approved and licensed under SOG-IS’s Annex B.3; or
• Established under the laws or other official administrative procedures that are valid in the concerned country and meets the specified requirements under Annex B.3.
  
  

Additionally, the Certification Body must be accepted as compliant and also:

Either be accredited in its respective country by a recognized Accreditation Body according to EN 45011 or with a national interpretation of EN 45011 that at a minimum satisfies requirements under SOG-IS’s Annex C; or

Been established through laws or other administrative procedures that are valid in the concerned country and meets the specifications of EN 45011 or satisfies the requirements of EN 45011 under SOG-IS’s Annex C.

Benefits Achieved Through SOG-IS Compliance

To maintain the goal of consistent, credible, and competent application of SOG-IS criteria and methods, Certification Bodies must accept the responsibility for monitoring all active evaluations at an appropriate level. They must also carry out other steps to ensure that all their IT Security Evaluation Facilities:

• Perform impartial evaluations
• Correctly and consistently apply the criteria and methods
• Possess and maintain the technical competencies required by SOG-IS
• Can protect the confidentiality of protected information

References

• Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more
• Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, VERSION 3.0 (Jan, 2010), SOG-IS
• Trustworthy Systems Supporting Server Signing Part 2: Protection
  Profile for QSCD for Server Signing (2019) by CEN/TC 224
• About The Common Criteria (retrieved October 2020), by Common Criteria

• Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma

• Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma

• Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
• REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council

• Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more

• The European Interoperability Framework - Implementation Strategy (2017), by the European Commission