Datenschutz und Datensicherheit - DuD, Volume 38, Issue 4, pp 226–231

Common Criteria and Open Source

Experiences from the certification of an open source product
Focus

Abstract

This article discusses the challenges of Common Criteria certification, with particular focus on Free/Libre Open Source Software (FLOSS). It explains how a Common Criteria certification can be performed for a project and how the certification affects the project and the community around it. Of special interest within the EU are applications for the issuance of Qualified Certificates and Time Stamps by so-called Trust Service Providers under the forthcoming EU regulation.

Anyone considering Common Criteria certification may profit from our experiences during the certification of two Open Source products, EJBCA [1] and CESeCore [2], at level EAL 4+, and from an understanding of how the certification relates to potentially interesting use cases.


References

  1. [1]
  2. [2]
  3. About the Common Criteria. http://www.commoncriteriaportal.org/ccra/
  4. David A. Wheeler: Free-Libre/Open Source Software (FLOSS) and Software Assurance / Software Security, December 11, 2006. http://www.dwheeler.com/essays/oss_software_assurance.pdf
  5. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:EN:PDF
  6. Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0238:FIN:EN:PDF
  7. EN 419 221: Security requirements for trustworthy systems managing certificates for electronic signatures.
  8. EN 419 231: Security requirements for trustworthy systems supporting time-stamping.
  9. [9]
  10. ENISA — European Union Agency for Network and Information Security: http://www.etsi.org/
  11. ISO/IEC 15408 Series: Information technology — Security techniques — Evaluation criteria for IT security.
  12. List of official Common Criteria Protection Profiles. http://www.commoncriteriaportal.org/pps/
  13. CC v3.1 release 4, Part 1: Introduction and general model. http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4.pdf
  14. CC v3.1 release 4, Common Criteria Evaluation Methodology. http://www.commoncriteriaportal.org/files/ccfiles/CEMV3.1R4.pdf
  15. [15]
  16. Common Criteria User Forum. http://www.ccusersforum.org/
  17. [17]
  18. [18]
  19. USB Portable Storage Device Essential Security Requirements. http://www.commoncriteriaportal.org/files/communities/ESR-USB.v2.0.pdf
  20. Standards and Industry Regulations Applicable to Certification Authorities, CA Security Council. https://casecurity.org/wp-content/uploads/2013/04/Standards-and-Industry-Regulations-Applicable-to-Certification-Authorities.pdf
  21. Certificate Authority Audits and Browser Root Program Requirements. https://casecurity.org/2013/10/15/certificate-authority-audits-and-browser-root-program-requirements/
  22. [22]
  23. [23]

Copyright information

© Springer Fachmedien Wiesbaden 2014

Authors and Affiliations

  1. Stockholm, Sweden
