Cryptomathic’s Signer is the only qualified (electronic) signature creation device (QSCD) that is certified under the SOG-IS agreement using the Common Criteria Recognition Arrangement (CCRA). Its security target conforms to the certified protection profile EN 419 241-2.
With the Common Criteria certification, Signer provides users with best-in-class security and the highest level of assurance regarding product resistance and rigorous product development processes.
Here we will explain the importance of the Common Criteria Recognition Arrangement.
What Are the Objectives of CCRA?
CCRA participants share the following four objectives:
- Ensuring that the performance of evaluations for Information Technology (IT) products and protection profiles meets strict and consistent standards that are recognized for their significant contribution to promoting confidence in the security of those products and profiles.
- Improving access to evaluated, security-enhanced IT products, and protection profiles.
- Eliminating the burden of duplicate evaluations of IT products and protection profiles.
- Continuously improving the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles.
Who Belongs to CCRA?
The CCRA has a Management Committee that is made up of senior representatives from each signatory’s country (listed below). The Committee was established to implement the arrangement and provide guidance to the respective national schemes conducting evaluation and validation activities.
Current CCRA members include:
- Australia - Australasian Certification Authority (ACA)
- Canada - Canadian Common Criteria Scheme
- France - Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI)
- Germany - Bundesamt für Sicherheit in der Informationstechnik
- India - Indian Common Criteria Certification Scheme (IC3S)
- Italy - OCSI – Organismo di Certificazione della Sicurezza Informatica
- Japan - JISEC – Japan IT Security Evaluation and Certification Scheme
- Malaysia - CyberSecurity Malaysia
- Netherlands - NSCIB operated by TÜV Rheinland Nederland B.V.
- New Zealand – Australasian Certification Authority (ACA)
- Norway – SERTIT
- Republic of Korea – IT Security Certification Center (ITSCC)
- Singapore – Cyber Security Agency of Singapore
- Spain – Organismo de Certificación de la Seguridad de las Tecnologías de la Información
- Sweden – Swedish Certification Body for IT Security FMV/CSEC
- Turkey – TSE (Turkish Standards Institution) Common Criteria Certification Scheme
- United States – National Information Assurance Partnership
- Austria – Federal Chancellery of Austria
- Czech Republic – National Security Authority of the Czech Republic
- Denmark – Center for Cyber Security
- Ethiopia – Information Network Security Agency (INSA)
- Finland – Finnish Transport and Communications Agency (Traficom)
- Greece – National Intelligence Service
- Hungary – Ministry of National Development
- Indonesia – Badan Siber & Sandi Negara (National Cyber & Crypto Agency) Indonesia
- Israel – The Standards Institution of Israel
- Pakistan – Ministry of Defence
- Poland – Ministerstwo Cyfryzacji (Ministry of Digital Affairs) Departament Cyberbezpieczenstwa (Department of Cybersecurity)
- Qatar – Ministry of Transport and Communication
- Slovak Republic – National Security Authority of the Slovak Republic
- United Kingdom - UK IT Security Evaluation and Certification Scheme
What is the Purpose of the Arrangement?
The purpose of CCRA is to advance the above objectives by creating an environment where IT products and protection profiles that earn a Common Criteria certificate can be used without any further evaluation required.
It works to establish a basis for confidence in the reliability of the judgements used for granting the original certificate by requiring that any Certification/Validation Body (CB) that issues Common Criteria certificates meet high and consistent standards.
In relation to Qualified Electronic Signatures, the CCRA is a prerequisite for international acceptance of the QSCD certification within a defined legal framework. It is therefore of strong value for banks and institutions with an international focus.