How to prove digital signature compliance with eIDAS
Common Criteria is an international set of guidelines and specifications for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Common Criteria (CC) certification is a pre-requisite for qualified digital signatures under the eIDAS Regulation.
Thales’s IDPrime MD 840 and IDPrime MD 3840 smart cards are both CC EAL5+ / PP Java Card certified for the Java platform and CC EAL5+ / PP QSCD certified for the combination of Java platform plus PKI applet. The CC EAL5+ / PP QSCD certification is based on the Protection Profiles EN 419211 parts 1 to 6, as mandated by eIDAS Regulation.
Hardware security modules (HSMs)
The Thales Luna Hardware Security Module (HSM) v.7.7.0, is certified in accordance with Common Criteria (CC) at EAL4+ level against the electronic IDentification, Authentication and Trust Services (eIDAS) Protection Profile (PP) EN 419 221-5. Luna HSM 7 has also received eIDAS certification as both a Qualified Signature and Qualified Seal Creation Device (QSCD). In addition, the Luna HSM (generations 6 and 7) has already achieved multiple certifications as a standalone QSCD or as part of a composite QSCD with various remote signing solution vendors from the conformity assessment bodies (CAB) in Austria, Italy and Spain (in accordance with Article 30.3.b [Alternative Processes]). These certifications provide Thales customers and partners within and outside Europe with the highest levels of assurance and conformity for seamless cross border electronic identification and trust services.
Qualified Trust Service Providers (QTSP)s as well as public or private companies that issue digital certificates and provide local or remote digital signatures and seals (advanced and qualified), timestamp, electronic delivery, and website authentication services, can now use Luna HSM 7 as a part of their eIDAS-compliant solution. QTSPs can also issue qualified certificates for customers using on-premises Luna HSM 7 for eIDAS QSCD purposes.
Both cloud-based and on-premises HSM solutions comply with eIDAS, but the HSM employed must be certified as a QSCD device. In remote work environments users and applications must be able to access digital signature keys whenever and wherever they are needed. HSMs are used to manage and protect the private signing keys of signatories, without the signatory being in possession of the key (as is the case when smartcards are used). As such, HSMs facilitate the creation of mutually binding legal documents across all EU/EEA member states.
These keys are maintained in the TSP environment (yet controlled by the HSM), which is certified by an accredited national body. For the secure execution of their operations and services, TSPs deploy and maintain the required HSMs to be used as qualified devices for electronic signature creation. Essentially, these HSMs act as a root of trust.
Why you need a Luna HSM
Electronic signatures, electronic seals, high-volume code signing, and other sensitive cryptographic operations require high-throughput performance. Furthermore, Luna HSMs are designed to protect sensitive key material for its entire lifecycle, regardless of the environment. In addition, a broad partner ecosystem enables organizations to secure many mainstream and specialized applications.
As eIDAS certified devices, Luna Network and PCIe card HSMs provide the strong performance, high-assurance key protection, and centralized administration/monitoring of crypto operations required for eIDAS compliant electronic signatures, seals and other trust services. As the market leader, Thales’ Luna HSM is the foundation of trust for enterprise and government organizations worldwide.