Ascertia announces that it initiated a Common Criteria EAL4+ certification several months ago for its remote signing solution in a drive to be the first to deliver a Remote Qualified Signature Creation Device (QSCD) based on the EN 419 241-2 Protection Profile.
25 January 2018 – London, UK – Ascertia Limited, a global provider of advanced digital signature and PKI Trust service solutions, announced today that, having been conducting a Common Criteria evaluation of its ADSS Server remote signing solution for several months, the company expects to be one of the first companies globally to achieve this certification.
Under the new EU eIDAS Regulation it is possible for users to electronically sign documents with their signature keys held remotely by Trust Service Providers (TSPs), a process referred to as remote signing or informally as cloud signing. This is in contrast to the user holding the signing key locally on a smartcard or USB token. Remote signing has many benefits, including the ability for users to sign documents from any device with just an Internet connection, avoiding the need for specialist tokens, hardware readers and associated software.
According to eIDAS, however, to reach the “Qualified Electronic Signature” level and achieve the highest trust and legal acceptance across Europe, Qualified Trust Service Providers must manage user keys securely in their audited data centres inside remote Qualified Signature Creation Devices (QSCD).
Liaquat Khan, Technical Director at Ascertia, stated, “eIDAS requires that the remote QSCD must be trustworthy, that is, having been independently evaluated and certified. However, up to now there have been no common standards for evaluating such devices and vendors have adopted ad-hoc approaches, leading to much confusion in the market. To overcome this, the European standards body CEN has defined a formal standard for remote QSCD in EN 419 241-2. This is in the form of a Protection Profile such that products can undergo an independent Common Criteria evaluation against this standard.”
Khan continued, “We are proud to have been the first to initiate the Common Criteria certification of our ADSS Server Signature Activation Module (SAM) appliance back in September 2017. We are announcing this now to demonstrate our commitment to high-trust remote signing and our expectation to be the first in the market with a device which is certified under the EN 419 241-2 Protection Profile.”
The Ascertia ADSS Server SAM appliance is a tamper-protected hardware device with an embedded Hardware Security Module (HSM) for cryptographic processing and key management, which is certified under Common Criteria Protection Profile EN 419 221-5. This ensures a completely trusted end-to-end solution that meets eIDAS compliance at all levels.
Rod Crook, Solutions Director at Ascertia, explained, “This is an important step in Ascertia’s commitment to the Qualified TSP market in Europe, and further afield, as it proves the trustworthiness of our remote signing solution. The ADSS Server SAM appliance will be available as part of our ADSS Server based solutions and as part of our SigningHub product. SigningHub will provide a world-class combination of user-friendly document review, signing and workflow features together with high-trust remote Qualified Electronic Signature creation and verification.”
“The Common Criteria EAL4+ certification will give our customers independent, third-party assurance that our ADSS Server SAM appliance can meet the highest standards and compliance requirements of eIDAS, and shows that it can support the unique demands of public, private and qualified Trust Service Providers (TSPs). It also demonstrates Ascertia’s commitment to software design, development and testing processes that guarantee the security and quality of our products,” Crook added.
Ascertia has commissioned OCSI (Italian Computer Security Certification Body) to perform the required audit. Details can be found here: http://www.ocsi.isticom.it/index.php/elenchi-certificazioni/in-corso-di-valutazione.