Common Criteria

Global recognition of IT security certificates
The evaluation for the security-related characteristics of practically all information-technical products and systems complies with the "Common Criteria for Information Technology Security Evaluation (CC), currently Version 2.3". To avoid multiple certification, a mutual recognition of IT security certificates - provided they are based on Information Technology Security Evaluation Criteria (ITSEC) at European level or on CC at global level - has been agreed within the framework of an international treaty. This ensures that a certificate issued by the BSI is also recognised in the signatory countries*.

Examination of comprehensive requirements
On the one hand, the functional security requirements are examined against a comprehensive catalogue (for example security protocols, protection of user data, identification and authentication or a trustworthy path) and in conjunction with threats and security targets. On the other hand, specifications relating to trustworthiness, including documentation requirements, are also verified against defined classes (e.g. configuration management, delivery and operation, development, user manuals or testing).

Schedule of all Certification reports for OpenLimit Software (german)

BSI inspects OpenLimit software
The OpenLimit SignCubes Basis Components 2.1 (including the PDF Plugin for Adobe®), as a modular client application, have been tested against these (internationally recognised) criteria for the following security functions by the German Office for Security in Information Technology (BSI) as an internationally acknowledged evaluation authority:

  • Calculation of a hash value and triggering of the generation of electronic signatures with certificates using a card reader and smart card.
  • Verification of hash values and signatures using certificate revocation lists and an optional OCSP query (OCSP = Online Certificate Status Protocol) and time stamp query.
  • Protection against a manipulation of components (modules).
  • Secure display of data that is to be, or has been, signed.
  • Protection against the falsification of hash values.
  • Integrity assurance
  • Processing of OSCP information for certificate verification
  • Usage of time stamps
  • Verification of time stamps

The evaluation of a product by the evaluating authority leads to the preparation of a test report, which in turn forms the basis for the certification report. The examinations are summarised in this report. At the same time, an IT security certificate is issued which is then published together with the certification report and the security specifications for the evaluated product.

The result, in conjunction with the examination of the security functionality of the OpenLimit SignCubes Basis Components 2.1, has demonstrated that the incorporated security functions attain the rating 'high strength'.

In connection with the assessment of the protection offered by OpenLimit software against threats (assuming an aggressor with a high attack potential), a trust rating conformant with EAL 4+ of the CC was established, whereas legislative requirements merely stipulate EAL 3 for signature application components (Annex 1 I. 1.1 d) SigV). The protected objects are a user file (every file that the user considers as being worthy of protection), a signed file (every file that has been signed with an electronic signature to protect against manipulation, for example) and the OpenLimit SignCubes Basis Components 2.1 (a software product generally comprising executable files and data files).

Common Criteria

Relevance for users

  • The reliability of signatures is officially approved.
  • Signatures created with OpenLimit hold the worldwide highest level of security Common Criteria EAL4+.
  • Recipients of signed documents trust in the subscriber's digital signature.

Links

 OpenLimit
 
 
<script>