Qualified Certificate Request
Anne & Lynn Wheeler
lynn at garlic.com
Fri Jul 22 14:00:47 EDT 2005
Nap van Zuuren wrote:
> Might be a nice (intellectual) crypto-exercise, but I am afraid that the
> concept of the Qualified Signature will not get a widespread
> implementation, expect for very specific areas/disciplines.
>
> The main problem with the Qualified Certificate (overhere in Europe) is the
> fact that the creating components have to obtain - as a minimum - Common
> Criteria EAL4 ( Evaluated -Security- Assurance Level ) qualification; and
> the lack of "card-readers" on User equipment.
i ran into an interesting problem with EAL5-high. basically there
weren't any readily available crypto specification for getting higher
than an EAL4 certification.
most vendors that get higher than an EAL4 certification ... seem to get
it on a bare-bones chip before any applications are added ... and then
subsequently add applications (the fact that applications can be added
might be a security issue in itself). i've found it quite difficult to
figure out how to get a certification for higher than EAL4 when there
are any significant application already existing on the chip ...
especially for crypto; basically as the certification goes higher you
need a much more formal specification for the components to certify
against .... and i've found it difficult to find such formal
specification for crypto operation.
things like fips140-2 level 4 tends to be on the operation of the crypto
box against certifiable hardware operational characteristcs.
i've periodically posted requests in the past about anybody knowing of a
source for EAL5 or higher standards for crypto that can be certified
against.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list