Datenschutz und Datensicherheit - DuD

Volume 38, Issue 4, pp 226–231

Common Criteria and Open Source

Experiences from the certification of an open source product


This article discusses the challenges of Common Criteria certification, with a particular focus on Free/Libre Open Source Software (FLOSS). It explains how a Common Criteria certification can be performed for a project and how a certification affects the project and the community around it. Of special interest within the EU are applications for the issuance of Qualified Certificates and Time Stamps by so-called Trust Service Providers according to the forthcoming EU regulation.

Anyone considering Common Criteria certification may profit from our experiences during the certification of two Open Source products, EJBCA [1] and CESeCore [2], at level EAL 4+, and from an understanding of how the certification relates to potentially interesting use cases.




References

[1]
[2]
[3] About the Common Criteria.
[4] Free-Libre/Open Source Software (FLOSS) and Software Assurance / Software Security, David A. Wheeler, December 11, 2006.
[5] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
[6] Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
[7] EN 419 221 Security requirements for trustworthy systems managing certificates for electronic signatures.
[8] EN 419 231 Security requirements for trustworthy systems supporting time-stamping.
[9]
[10] ENISA — European Union Agency for Network and Information Security.
[11] ISO/IEC 15408 Series: Information technology — Security techniques — Evaluation criteria for IT security.
[12] List of official Common Criteria Protection Profiles.
[13] CC v3.1 release 4. Part 1: Introduction and general model.
[14] CC v3.1 release 4. Common Criteria Evaluation methodology.
[15]
[16] Common Criteria User Forum.
[17]
[18]
[19] USB Portable Storage Device Essential Security Requirements.
[20] Standards and Industry Regulations Applicable to Certification Authorities, CA Security Council.
[21] Certificate Authority Audits and Browser Root Program Requirements.
[22]
[23]

Copyright information

© Springer Fachmedien Wiesbaden 2014

Authors and Affiliations

1. Stockholm, Sweden
