3 min read

Cryptomathic’s Signer Builds on the Only QSCD Certified under SOG-IS

Cryptomathic’s Signer Builds on the Only QSCD Certified under SOG-IS

Under eIDAS, a qualified electronic signature creation device (QSCD) must be certified and approved to be used for generating qualified electronic signatures (QES). Cryptomathic’s Signer is the only QSCD that is certified under the SOG-IS agreement using the Common Criteria Recognition Arrangement (CCRA).

Its security target is written in strict conformance with EN 419 241-2: Trustworthy Systems Supporting Server Signing Part 2, Protection Profile for QSCD for Server Signing, CEN April 2019.

The process for becoming SOG-IS certified is quite intense. 

New call-to-actionParticipants must:

  • Perform a stricter interpretation of Common Criteria specifications and prevent the environment from enforcing SFRs
  • Have standardized additional requirements for specific technical domains, including those for smartcards and hardware devices, such as HSMs
  • Have extensive experience with the composite evaluation approach that was created originally for the technical domain of smartcards
  • Understand the consequences of not addressing the integration between software and the underlying platform when considering possible vulnerabilities

Understanding the Importance of SOG-IS

To participate with SOG-IS, Participants must commit themselves to recognize applicable certificates that have been authorized by any Participant who authorizes certificates. These authorizations verify that the evaluation and certification processes have been done in accordance with the following standards:

  • Accepted IT security evaluation criteria
  • Accepted IT security evaluation methods
  • An Evaluation and Certification Scheme that is managed by a compliant Certification Board in authorizing Participant’s country

In addition, the objectives of SOG-IS are satisfied with the issuance of authorized conformant certificates. Certificates that meet all these conditions are named conformant certificates for the purposes of the SOG-IS agreement.

 Selected Signing Services

SOG-IS uses the IT security evaluation criteria that are specified in the Common Criteria for Information Technology Security Evaluation (CC) and the Information Technology Security Evaluation Criteria (ITSEC). The versions endorsed by the Management Committee and evaluation methods are specified in the Common Evaluation Methodology for Information Technology Security Evaluation (CEM), the Information Technology Security Evaluation Manual (ITSEM), and supporting documents from JIWG.

At a minimum, for an evaluation and certification like that of Cryptomathic Signer to be considered as being carried out in a duly professional manner, the Evaluation Facility must either be:

  • Accredited by a recognized Accreditation Body in its respective country in accordance with ISO 17025, or through an interpretation approved by all Participants and approved and licensed under SOG-IS’s Annex B.3; or
  • Established under the laws or other official administrative procedures that are valid in the concerned country and meet the specified requirements under Annex B.3.

Additionally, the Certification Body must be accepted as compliant and also:

Either be accredited in its respective country by a recognized Accreditation Body in accordance with EN 45011 or with a national interpretation of EN 45011 that, at a minimum, satisfies requirements under SOG-IS’s Annex C; or

Be well-established through laws or other valid administrative procedures in the concerned country and meet the requirements of EN 45011 or satisfy the requirements of EN 45011 under SOG-IS’s Annex C.


Benefits Achieved Through SOG-IS Compliance

To maintain the goal of the consistent, credible, and competent application of SOG-IS criteria and methods, Certification Bodies must accept the responsibility for monitoring all active evaluations at an appropriate level. They must also carry out other steps to ensure that all their IT Security Evaluation Facilities:

  • Perform impartial evaluations
  • Correctly and consistently apply the criteria and methods
  • Possess and maintain the technical competencies required by SOG-IS
  • Can protect the confidentiality of protected information


Download white paper