QSCD
Certification as a qualified electronic signature creation device or qualified seal creation device according to Art. 30, par. 3 of the eIDAS Regulation. SRC is your eIDAS certification body.
SRC supports you in the certification of cards, HSMs and other hardware components as a Qualified Signature/Seal Creation Device (QSCD).
Conformity assessment for modules
We support you in the conformity assessment of partial services (e.g. identification) and their organisation in accordance with the requirements of Regulation (EU) No. 910/2014, in order to enable the integration of the partial service into qualified trust services.
Trust services
We support you in the qualification of your services and your organisation by the designated supervisory body. SRC carries out conformity assessments according to the requirements of Regulation (EU) No. 910/2014.
QSCD
In detail …
Signatures and company seals are critical for security
Providing a signature or creating a company seal is a security-critical process. Forgery can have unpleasant consequences for all parties involved, may involve a high monetary loss or cause significant damage to the reputation of a provider. For products used to generate the technical counterparts of signatures and seals (qualified electronic signatures and qualified electronic seals), the legislator has therefore defined an approval procedure with correspondingly high security requirements in the eIDAS Regulation.
Certification according to Art. 30, par. 3 of the eIDAS Regulation
The “eIDAS certification body” of SRC is able to certify a product in combination with or based on an existing evaluation according to Common Criteria as a qualified electronic signature creation device or seal creation device (QSCD) according to Art. 30, par. 3 of the eIDAS Regulation.
Application of security requirements
In this context, security requirements (Protection Profiles) shall be applied to products which are listed in the “Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Art. 30 par. 3 and article 39, par. 2 of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market” (Art. 30, par. 3 (a)).
SRC has notified an assessment procedure to the EU Commission
The eIDAS Regulation also allows the use of alternative test methods, provided that equivalent security levels are applied and the test method has been notified to the EU Commission (Art. 30, par. 3 (b)). As the above-mentioned Implementing Decision (EU) 2016/650 does not list Protection Profiles containing security specifications for QSCDs for use by a trust service provider, SRC has notified the EU Commission of a test procedure, “Certification of the conformity of QSCDs for server-signing with the requirements laid down in Annex II of Regulation (EU) No. 910/2014”, for the certification of QSCDs for use in the context of remote signatures (see Dashboard of EU Commission).
SRC certifies your products
SRC Security Research & Consulting GmbH has been designated by the Federal Network Agency for Electricity, Gas, Telecommunication, Post and Railway as “eIDAS Certification Body” according to Art. 30, par. 1 of the eIDAS Regulation.
We are pleased to offer you the opportunity to use the expertise and extensive experience of our independent experts for the certification of your product as a qualified signature and/or seal creation device.
The EU Commission publishes and updates lists of notified “eIDAS Certification Bodies” and QSCDs as well as all currently notified alternative testing methods.
Conformity assessment for modules
In detail …
Conformity assessments in accordance with the requirements of Regulation (EU) No 910/2014 can also be carried out for sub-services of a trust service in order to avoid repeated testing of sub-services used in different qualified trust services. One such service is, for example, the identification of natural persons, which is provided by an identification service provider. The successful conformity assessment of this sub-service can subsequently be used for the conformity assessment of a trust service, e.g. for the generation of qualified certificates for electronic signatures. The conformity assessment body of SRC supports the assessment of sub-services or so-called “modules”.
Trust services
In detail …
Trust services: Qualified signatures and seals
With the introduction of the eIDAS Regulation, European Union legislation has redefined the requirements for the qualified electronic signature, the digital replacement of the handwritten signature. In addition, the possibility of a qualified electronic seal has been created, with which the authenticity of sealed data can be proven to third parties by a company or organisation (legal entity). Services (trust services) can be established around the generation and use of qualified signatures and seals, which can be granted the status “qualified” after a successful conformity assessment.
Conformity assessment with review of documentation and audit
The conformity assessment for you as a trusted third party service provider is carried out in two steps: a review of documentation and an on-site audit to verify whether the documented security mechanisms have been implemented correctly. A more detailed description of the procedure and the applicable security requirements from legislation and relevant standards can be found in the associated certification programme. The conformity assessment is performed by SRC; the status is granted by the responsible supervisory body. In Germany these are the BSI (qualified certificates for website authentication) and the Federal Network Agency (all other services).
SRC is accredited by the DAkkS as a conformity assessment body.
In order to carry out such an assessment, SRC, as the examining body, must also prove its expertise and independence in an accreditation procedure. National conformity assessment bodies are accredited by the Deutsche Akkreditierungsstelle (DAkkS).
We are pleased to offer you the possibility to draw on the expertise and experience of our independent security experts for the conformity assessment of your trust service.
The trust services in detail…
Creation of qualified certificates for electronic signatures
The qualified trust service for the creation of qualified certificates according to Article 28 of Regulation (EU) No 910/2014 (eIDAS Regulation) includes the creation, issuance and administration of qualified certificates for the creation of (qualified) signatures. It can be offered with the option to manage the signature creation data (the private key) on behalf of the signatory (remote signatures). The use of a qualified signature creation device (QSCD) is mandatory for creating qualified signatures. For this purpose, either a signature card is delivered to the signatory or the QSCD is hosted by the trust service provider (remote signatures). The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standards ETSI EN 319 401 and ETSI EN 319 411-2 / -1. In the case of remote signatures, the requirements of the standard CEN EN 419 241-1 are also included in the assessment.
Creation of qualified certificates for electronic seals
The qualified trust service for the creation of qualified certificates according to Article 38 of Regulation (EU) No. 910/2014 (eIDAS Regulation) includes the creation, issuance and administration of qualified certificates for the creation of (qualified) seals. It can be offered with the option to manage the seal creation data (the private key) on behalf of the seal creator (remote seal). The use of a qualified seal creation device (QSCD) is mandatory for the creation of qualified seals. For this purpose, either a seal creation device is delivered to the seal creator or the QSCD is hosted by the trust service provider (remote seal). The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standards ETSI EN 319 401 and ETSI EN 319 411-2 / -1. In the case of remote signatures, the requirements of the standard CEN EN 419 241-1 are also taken into account for the assessment.
Creation of qualified certificates for website authentication
This qualified trust service includes the creation, issuance and management of qualified certificates for website authentication (QWAC) in accordance with Article 45 of Regulation (EU) No 910/2014 (eIDAS Regulation). The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standards ETSI EN 319 401 and ETSI EN 319 411-2 / -1.
Creation of qualified electronic time stamps
This qualified trust service includes the creation of qualified electronic time stamps in accordance with the requirements of Article 42 of Regulation (EU) No 910/2014 (eIDAS Regulation). Qualified electronic time stamps are subject to the presumption of the accuracy of the date and time indicated therein and the integrity of the data associated with the date and time. They serve as proof that the data were present at a given date and time. The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standards ETSI EN 319 401 and ETSI EN 319 421.
Electronic registered delivery service
This qualified trust service includes the service of electronic registered delivery in accordance with the requirements of Article 44 of Regulation (EU) No 910/2014 (eIDAS Regulation). Electronic registered delivery ensures the identification of sender and recipient. The sending and receiving of data is secured at least by an advanced signature or seal of a trust service provider and includes qualified electronic time stamps to indicate the date and time of sending and receiving. The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standards ETSI EN 319 401 and ETSI EN 319 521 (Electronic Registered Delivery Services) or the standard ETSI EN 319 531 (Policy and security requirements for Registered Electronic Mail Service Providers) if the implementation is based on the use of e-mail.
Validation service for qualified electronic signatures
The qualified validation service referred to in Article 33 of Regulation (EU) No 910/2014 (eIDAS Regulation) involves the implementation of the validation of qualified electronic signatures in accordance with Article 32(1) of the eIDAS Regulation. The result of the validation has to be transmitted to the relying parties together with a confirmation by means of an advanced electronic signature or an advanced electronic seal of the provider of the validation service. The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the ETSI EN 319 401 standard and the technical specification ETSI TS 119 441 (Policy Requirements for TSP providing signature validation services).
Validation service for qualified electronic seals
The qualified validation service in accordance with Article 40 (in conjunction with Article 33) of Regulation (EU) No. 910/2014 (eIDAS Regulation) includes the implementation of the validation of qualified electronic seals. The result of the validation is to be transmitted to the relying parties together with a confirmation by means of an advanced electronic signature or an advanced electronic seal of the provider of the validation service. The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the ETSI EN 319 401 standard and the technical specification ETSI TS 119 441 (Policy Requirements for TSP providing signature validation services).
Preservation services for qualified electronic signatures
The qualified preservation service for qualified electronic signatures pursuant to Article 34 of Regulation (EU) No 910/2014 (eIDAS Regulation) provides the extension of the trustworthiness of qualified signatures beyond the period of their technological validity. The conformity assessment is based on the requirements of the eIDAS Regulation and on the requirements of the ETSI EN 319 401 standard and the Technical Specification ETSI TS 119 511 (Policy and security requirements for trust service providers providing long-term preservation of digital signatures or general data using digital signature techniques).
Preservation services for qualified electronic seals
The qualified preservation service for qualified electronic seals pursuant to Article 40 (in conjunction with Article 34) of Regulation (EU) No. 910/2014 (eIDAS Regulation) provides the extension of the trustworthiness of qualified seals beyond the period of their technological validity. The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standard ETSI EN 319 401 and the Technical Specification ETSI TS 119 511 (Policy and security requirements for trust service providers providing long-term preservation of digital signatures or general data using digital signature techniques).