PrimeKey is currently in the process of our second Common Criteria certification of our software, as well as a FIPS certification of hardware. Since our first Common Criteria certification in 2012 we have gained a great deal of experience with the benefits and drawbacks of the certification process and its results.
The software we have certified is EJBCA, our enterprise certification authority software, which is used world-wide to issue billions of certificates. An interesting aspect from a certification point of view is that the product is Open Source.
Certification has been used over the years in several contexts:
- Public tenders world-wide often either require, or give an advantage to, Common Criteria certified products.
- Digital signature laws in certain countries mandate Common Criteria certified software.
- Performing an audit such as eIDAS or WebTrust becomes easier with a certified product. Although the audit standards do not require Common Criteria certification, some of the audit requirements can be checked off directly by the certification and its accompanying documentation.
- From a marketing and branding perspective, a Common Criteria certification is beneficial to PrimeKey and EJBCA.
In summary, after living with a certified product for six years we are in general happy with the certification, and it has resulted in concrete benefits for our products:
- Higher quality per issue developed, albeit at the cost of slightly slower development
- A well-defined and tested security audit log
- Some re-usable documentation
- A better product
We have also made use of the certification process to improve our internal processes:
- A development process that has security as a priority and protects the integrity of the source code
- A release and delivery process that ensures the integrity of the delivered product
In general this results in more trustworthy products. We also found that there are no problems as such with certifying an open source product, although an open source project may need to adjust its processes and source code repository in order to ensure secure life cycle management and integrity at every step.
The most troublesome aspect of Common Criteria in practice arises when certification is used as a requirement in procurement and audits. The two most common misunderstandings we encounter are:
- That only a certified version of a product should be used. This is not the case: because a Common Criteria evaluation is a very long process, newer, better and more secure versions of the software are typically available even before the final certificate is issued. Newer, more secure versions should be used; the certified version is the trusted base.
- Confusion about what an audit is versus a certification. A certification examines specific product requirements, while an audit examines the installed and operated solution. The audit includes personnel controls, physical protection and similar aspects that are deployment specific. Product features are only a small part of an audit, and it is in this area that the certification can help.
New and improved Protection Profile
A Common Criteria certification is most often performed to show compliance with a Protection Profile, a requirements document created by a user group or a government. A Protection Profile ensures that all products of a certain type, such as certificate authority software, are certified against the same requirements and can therefore be compared.
Performing our new certification now, in 2018, forced us to make a choice, as there are currently two different types of certification. There are the traditional EAL-based certifications, which is what we did in 2012, and there is a newer non-EAL-based certification. After much consideration we decided on the newer non-EAL-based certification using the Protection Profile for Certification Authorities, a Protection Profile approved by the US certification body NIAP. This certification is more test focused, and we expect it to bring new benefits to our products as they undergo rigorous testing of security functionality. The new, lighter-weight certification process is also designed to produce less documentation that is never used and just sits collecting dust. We are looking forward to our updated certification and to working with the Common Criteria community to further improve the certification experience for all parties involved.
Want to know more about our view on Open Source?
PrimeKey’s vision is a world where the internet is a secure place for sensitive information and communication. For this to become true, IT security needs to be available to all. Through Open Source solutions, we come one step closer to this vision.