Abstract
This article discusses challenges of Common Criteria certification and particularly focuses on Free/Libre Open Source Software (FLOSS). It explains how a Common Criteria certification can be performed for a project and how a certification affects the project and the community around it. Of special interest within the EU are applications for the issuance of Qualified Certificates and Time Stamps by so called Trust Service Providers according to the forthcoming EU regulation.
Anyone considering Common Criteria certification may profit from our experiences during the certification of two Open Source products EJBCA[1] and CESeCore[2], at level EAL 4+, and an understanding how the certification relates to potentially interesting use cases.
Similar content being viewed by others
References
EJBCA. http://www.ejbca.org/
CESeCore. http://www.cesecore.eu/
About the Common Criteria. http://www.commoncriteriaportal.org/ccra/
Free-Libre/Open Source Software (FLOSS) and Software Assurance / Software Security, David A. Wheeler, December 11, 2006. http://www.dwheeler.com/essays/oss_software_assurance.pdf
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX-:31999L0093:EN:PDF
Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0238:FIN:EN:PDF
EN 4 19 221 Security requirements for trustworthy systems managing certificates for electronic signatures.
EN 4 19 231 Security requirements for trustworthy systems supporting time-stamping
ENISA Recommendations for TSPs — Security Framework: https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/tsp1-framework
ENISA — European Union Agency for Network and Information Security: http://www.etsi.org/
ISO/IEC 15408 Series: Information technology — Security techniques — Evaluation criteria for IT security.
List of official Common Criteria Protection Profiles. http://www.commoncriteriaportal.org/pps/
CC v3.1 release 4. Part 1: Introduction and general model. http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4.pdf
CC v3.1 release 4. Common Criteria Evaluation methodology. http://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R4.pdf
Members of the CCRA. http://www.commoncriteriaportal.org/ccra/members/
Common Criteria User Forum. http://www.ccusersforum.org/
CIMC Protection Profile. http://www.commoncriteriaportal.org/files/ppfiles/cert-issu-v15-seceng.pdf
Collaborative Protection Profiles. http://www.commoncriteriaportal.org/communities/technical_communities.cfm
USB Portable Storage Device Essential Security Requirements. http://www.commoncriteriaportal.org/files/communities/ESR-USB.v2.0.pdf
Standards and Industry Regulations Applicable to Certification Authorities, CA Security Council. https://casecurity.org/wp-content/uploads/2013/04/Standards-and-Industry-Regulations-Applicable-to-Certification-Authorities.pdf
Certificate Authority Audits and Browser Root Program Requirements. https://casecurity.org/2013/10/15/certificate-authority-audits-and-browser-root-program-requirements/
ETSI TS 101 042. http://www.etsi.org/deliver/etsi_ts/102000_102099/102042/02.04.01_60/ts_102042v020401p.pdf
Hardware Security Module, HSM. http://en.wikipedia.org/wiki/Hardware_security_module
Author information
Authors and Affiliations
Corresponding author
Additional information
Tomas Gustavsson, M.Sc has been researching and implementing PKI systems since 1994. CTO at PrimeKey, founder of open source PKI project EJBCA and committed follower of open standards.
Rights and permissions
About this article
Cite this article
Gustavsson, T. Common Criteria and Open Source. Datenschutz Datensich 38, 226–231 (2014). https://doi.org/10.1007/s11623-014-0096-7
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11623-014-0096-7