What is Common Criteria and why is it important?
From the Cloud Signature Consortium to eIDAS, international standards form the bedrock of Ascertia’s digital trust solutions.
Common Criteria (CC) is another example: an international standard for certifying computer security software and hardware.
CC-based evaluations also have an Evaluation Assurance Level or “EAL” rating. The EAL rating defines the degree of trust one can have that the product/solution complies with the requirements in the protection profile. It depends on the level of detail the independent evaluations go to during the evaluation process.
The ultimate goal of Common Criteria is to independently validate claims that a vendor’s security features are valid. Only accredited laboratories can perform Common Criteria evaluations.
How common is Common Criteria?
Established by global governments, the Common Criteria Recognition Arrangement has been signed by 31 countries. Each country recognises the other’s certifications and schemes.
The National Information Assurance Partnership (NIAP) implements the Common Criteria in the United States. This includes managing the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. Other countries have their own Common Criteria authorities. Each authority certifies a Common Criteria lab which evaluates products.
Once certified by the authority based on evidence from the lab and the vendor, the certification is recognised globally.
Evaluations are performed to a particular assurance level, which represents the evaluation's strength. Products that require a higher assurance level, such as Evaluation Assurance Level 4 (EAL 4), require far greater testing and scrutiny than a product being evaluated at a lower level.
Greater attention is usually given to the assurance level instead of what is being assured, which is documented within the protection profile. Prospective customers of a secure system should analyse both aspects of the evaluation.
Furthermore, a Common Criteria certification represents a very specific software and hardware configuration. Software versions and hardware models are important and are documented as part of the certification. Differences or changes to these versions will invalidate the certification.
Why is Common Criteria important?
Common Criteria (ISO/IEC 15408) provides formal, global recognition that software vendors' claims about their products' security features are valid and have been independently evaluated against a formal protection profile. This independence is essential for building digital trust.
By following a standard approach, the certification results should be consistent no matter which lab performs the evaluation.
How does Common Criteria apply to Ascertia products?
Historically, Certification Authority (CA) products have been certified against a “Certificate Issuing and Management Components (CIMC)” protection profile. This defined the requirements for components that issue, revoke and manage X509 public key certificates.
However, this CIMC protection profile dates back to 2011 and is not being maintained, so many see the profile as obsolete.
In 2017, National Information Assurance Partnership (NIAP) created the “U.S. Government Approved Protection Profile - Protection Profile for Certification Authorities”. It’s an up-to-date and maintained profile that describes the security requirements for a Certification Authority and supporting infrastructure, including Online Certificate Status Protocol (OCSP).
Ascertia is committed to performing Common Criteria evaluations of its relevant products against latest protections profiles and at higher assurance levels. This is evidenced from Ascertia being the first company globally to achieve CC certificates of its ADSS Server SAM Appliance against the 419 241-2 Common Criteria protection profile at EAL 4+ level, in support of remote signing requirements, including qualified (remote) signatures.
Ascertia refreshed this certification to include the latest features of the ADSS Server SAM Appliance 7.0.2 feature set.
Importantly, Ascertia has just completed Common Criteria certification of ADSS PKI Server. This covers the Ascertia Certification Authority (CA) and Online Certificate Status Protocol (OCSP) Server. The certification was conducted against the latest Protection profile from National Information Assurance Partnership (NIAP).
By using NIAP, we not only chose to use the Common Criteria protection profile to evaluate our CA and OCSP product but also the highest assurance for this evaluation. Others in the industry have evaluated against NIAP at only EAL 1 or EAL 2.
Who is Common Criteria for?
Common Criteria is often mandatory for software used within Government deployments, such as National ID, ePassport, Government Enterprise and other projects where high trust in the system solution components is required.
These highly regulated environments—such as WebTrust-certified TSPs, RSSPs, and enterprises where third-party validation of a product's trustworthiness is mandatory—rely on Common Criteria.
Common Criteria is a signal of trust and should always be sought when considering new products that underpin the security of your company’s digital estate.
Are ADSS Server patches certified?
This is a common question for any provider that has invested in product certification.
With any minor release, customers expect updates to apply to their chosen systems so they can take advantage of new features or resolve bugs or security issues.
Any update to a certified system will immediately invalidate the Common Criteria certification. The certification is against a specific version in a specific configuration, which is why it is an important standard.
At Ascertia, we believe that - where permissible - Common Criteria should be used as a baseline for a product’s deployment.
Common Criteria offers a maintenance procedure to enable the certification of a product to be periodically refreshed. Ascertia is committed to undergoing the maintenance procedure for its certified products periodically, as can be witnessed by our ADSS SAM appliance re-certifications.
Speak to the Ascertia team to learn more about Common Criteria’s role in our products.
