Skip to main content
SpringerLink
Log in

Common Criteria and Open Source

Experiences from the certification of an open source product

  • Schwerpunkt
  • Published:
Datenschutz und Datensicherheit - DuD Aims and scope Submit manuscript

Abstract

This article discusses challenges of Common Criteria certification and particularly focuses on Free/Libre Open Source Software (FLOSS). It explains how a Common Criteria certification can be performed for a project and how a certification affects the project and the community around it. Of special interest within the EU are applications for the issuance of Qualified Certificates and Time Stamps by so called Trust Service Providers according to the forthcoming EU regulation.

Anyone considering Common Criteria certification may profit from our experiences during the certification of two Open Source products EJBCA[1] and CESeCore[2], at level EAL 4+, and an understanding how the certification relates to potentially interesting use cases.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. EJBCA. http://www.ejbca.org/

  2. CESeCore. http://www.cesecore.eu/

  3. About the Common Criteria. http://www.commoncriteriaportal.org/ccra/

  4. Free-Libre/Open Source Software (FLOSS) and Software Assurance / Software Security, David A. Wheeler, December 11, 2006. http://www.dwheeler.com/essays/oss_software_assurance.pdf

    Google Scholar 

  5. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX-:31999L0093:EN:PDF

  6. Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0238:FIN:EN:PDF

  7. EN 4 19 221 Security requirements for trustworthy systems managing certificates for electronic signatures.

  8. EN 4 19 231 Security requirements for trustworthy systems supporting time-stamping

  9. ENISA Recommendations for TSPs — Security Framework: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/tsp1-framework

  10. ENISA — European Union Agency for Network and Information Security: http://www.etsi.org/

  11. ISO/IEC 15408 Series: Information technology — Security techniques — Evaluation criteria for IT security.

  12. List of official Common Criteria Protection Profiles. http://www.commoncriteriaportal.org/pps/

  13. CC v3.1 release 4. Part 1: Introduction and general model. http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4.pdf

  14. CC v3.1 release 4. Common Criteria Evaluation methodology. http://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R4.pdf

  15. Members of the CCRA. http://www.commoncriteriaportal.org/ccra/members/

  16. Common Criteria User Forum. http://www.ccusersforum.org/

  17. CIMC Protection Profile. http://www.commoncriteriaportal.org/files/ppfiles/cert-issu-v15-seceng.pdf

  18. Collaborative Protection Profiles. http://www.commoncriteriaportal.org/communities/technical_communities.cfm

  19. USB Portable Storage Device Essential Security Requirements. http://www.commoncriteriaportal.org/files/communities/ESR-USB.v2.0.pdf

  20. Standards and Industry Regulations Applicable to Certification Authorities, CA Security Council. https://casecurity.org/wp-content/uploads/2013/04/Standards-and-Industry-Regulations-Applicable-to-Certification-Authorities.pdf

  21. Certificate Authority Audits and Browser Root Program Requirements. https://casecurity.org/2013/10/15/certificate-authority-audits-and-browser-root-program-requirements/

  22. ETSI TS 101 042. http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.04.01_60/ts_102042v020401p.pdf

  23. Hardware Security Module, HSM. http://en.wikipedia.org/wiki/Hardware_security_module

Download references

Author information

Authors and Affiliations

  1. Stockholm, Schweden

    Tomas Gustavsson

Authors
  1. Tomas Gustavsson
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tomas Gustavsson.

Additional information

Tomas Gustavsson, M.Sc has been researching and implementing PKI systems since 1994. CTO at PrimeKey, founder of open source PKI project EJBCA and committed follower of open standards.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Gustavsson, T. Common Criteria and Open Source. Datenschutz Datensich 38, 226–231 (2014). https://doi.org/10.1007/s11623-014-0096-7

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11623-014-0096-7

Search

Navigation