3 min read
Cryptomathic’s Signer Builds on the Only QSCD Certified under SOG-IS
Dawn M. Turner (guest) : 16. November 2020
Under eIDAS, a qualified electronic signature creation device (QSCD) must be certified and approved to be used for generating qualified electronic signatures (QES). Cryptomathic’s Signer is the only QSCD that is certified under the SOG-IS agreement using the Common Criteria Recognition Arrangement (CCRA).
Its security target is written in strict conformance with EN 419 241-2: Trustworthy Systems Supporting Server Signing Part 2, Protection Profile for QSCD for Server Signing, CEN April 2019.
The process for becoming SOG-IS certified is quite intense.
- Perform a stricter interpretation of Common Criteria specifications and prevent the environment from enforcing SFRs
- Have standardized additional requirements for specific technical domains, including those for smartcards and hardware devices, such as HSMs
- Have extensive experience with the composite evaluation approach that was created originally for the technical domain of smartcards
- Understand the consequences of not addressing the integration between software and the underlying platform when considering possible vulnerabilities
Understanding the Importance of SOG-IS
To participate with SOG-IS, Participants must commit themselves to recognize applicable certificates that have been authorized by any Participant who authorizes certificates. These authorizations verify that the evaluation and certification processes have been done in accordance with the following standards:
- Accepted IT security evaluation criteria
- Accepted IT security evaluation methods
- An Evaluation and Certification Scheme that is managed by a compliant Certification Board in authorizing Participant’s country
In addition, the objectives of SOG-IS are satisfied with the issuance of authorized conformant certificates. Certificates that meet all these conditions are named conformant certificates for the purposes of the SOG-IS agreement.
SOG-IS uses the IT security evaluation criteria that are specified in the Common Criteria for Information Technology Security Evaluation (CC) and the Information Technology Security Evaluation Criteria (ITSEC). The versions endorsed by the Management Committee and evaluation methods are specified in the Common Evaluation Methodology for Information Technology Security Evaluation (CEM), the Information Technology Security Evaluation Manual (ITSEM), and supporting documents from JIWG.
At a minimum, for an evaluation and certification like that of Cryptomathic Signer to be considered as being carried out in a duly professional manner, the Evaluation Facility must either be:
- Accredited by a recognized Accreditation Body in its respective country in accordance with ISO 17025, or through an interpretation approved by all Participants and approved and licensed under SOG-IS’s Annex B.3; or
- Established under the laws or other official administrative procedures that are valid in the concerned country and meet the specified requirements under Annex B.3.
Additionally, the Certification Body must be accepted as compliant and also:
Either be accredited in its respective country by a recognized Accreditation Body in accordance with EN 45011 or with a national interpretation of EN 45011 that, at a minimum, satisfies requirements under SOG-IS’s Annex C; or
Be well-established through laws or other valid administrative procedures in the concerned country and meet the requirements of EN 45011 or satisfy the requirements of EN 45011 under SOG-IS’s Annex C.
Benefits Achieved Through SOG-IS Compliance
To maintain the goal of the consistent, credible, and competent application of SOG-IS criteria and methods, Certification Bodies must accept the responsibility for monitoring all active evaluations at an appropriate level. They must also carry out other steps to ensure that all their IT Security Evaluation Facilities:
- Perform impartial evaluations
- Correctly and consistently apply the criteria and methods
- Possess and maintain the technical competencies required by SOG-IS
- Can protect the confidentiality of protected information
References
- Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more
- Mutual Recognition Agreement of Information Technology Security Evaluation Certificates, VERSION 3.0 (Jan, 2010), SOG-IS
- Trustworthy Systems Supporting Server Signing Part 2: Protection
Profile for QSCD for Server Signing (2019) by CEN/TC 224 - About The Common Criteria (retrieved October 2020), by Common Criteria
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma
- Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
- REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission