Common Criteria

The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard for computer security certification.

A Common Criteria certification is often performed to show compliance with a Protection Profile (PP), which is a requirement document created by a user group or government. The Protection Profile ensures that all products of a certain type, such as certificate authority software, are certified according to the same requirements and that they are comparable.

The Common Criteria for Information Technology Security Evaluation and its companion, Common Methodology for Information Technology Security Evaluation (CEM), make up the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA). The CC is the driving force for the widest available mutual recognition of secure IT products. Though each country has its own certification process, the CCRA recognizes evaluations against a collaborative Protection Profile (cPP), meaning all member countries will acknowledge these certifications.

EJBCA Enterprise Certification

The previous Common Criteria certification of EJBCA Enterprise was performed in 2012. The certification was conducted using the CIMC protection profiles with the following conformance claims:

  • Issuing and Management Components (CIMC) Security Level 3 Protection Profile, Version 1.0, October 31, 2001.
  • Evaluation Assurance Level 4 augmented with ALC_FLR.2.

The certificate was issued on the 4th of October 2012, with certificate number ANSSI-CC-2012/47.

Ongoing Certification

A new Common Criteria certification of EJBCA Enterprise is currently in process. Common Criteria has evolved following the last EJBCA certification and the new type of Collaborative Protection Profiles (cPP) has emerged, the conformance claims have been updated according to the following:

  • Protection Profile for Certification Authorities, Version 2.1, 2017-12-01, National Information Assurance Partnership.

 For more information on certification using Collaborative Protection Profiles (cPP), see Common Criteria Evaluation below.

Certification Status

A common criteria certification includes the following stages:

  • Creation of the Security Target Completed March 2019
  • Approval of the certification with the Certification Body Completed May 2019, see the CSEC Progress page
  • Lab Evaluation (testing) Ongoing
  • Lab report
  • Certification by the Certification Body

Since there are no set times for the final stage of the process Certification by the Certification Body, an exact estimate of the issuance of the certificate cannot be made. If the final steps go according to plan, depending on the Certification Authority's backlog, a certificate can be issued by the beginning of 2020.

Common Criteria Evaluation

Common Criteria evaluations have traditionally been performed against a set of Evaluated Assurance Levels (EALs). The assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. Note that the EAL levels indicate to what extent the product was tested and not that the product itself is more secure.

EAL based evaluations have been criticized for being time-consuming while modern software systems are progressing rapidly, which can lead to a software version already becoming outdated when the Common Criteria certificate is finally issued. In response, Common Criteria has introduced the collaborative Protection Profile (cPP) based approach to provide achievable, repeatable, testable evaluation results and facilitate easier comparison among certified products.

The restructuring of the certification approach means that when certifying a product against most cPPs there are no EALs defined. Note that when reviewing a specification of an ongoing cPP evaluation, the assurance package is typically specified in the format "EAL 1 ASE_SPD.1". If you are used to traditional Protection Profiles, the format can easily be misinterpreted as indicating a low level, while it is the exact level specified in the collaborative Protection Profile. Currently, both EAL and non-EAL based evaluations are being performed, causing confusion in the market. For more information, refer to Common Criteria for Information Technology Security Evaluation.

Common Criteria for PKI Products

For PKI products, Common Criteria certification can be of help in certain audits but is rarely a formal requirement by legislation,  and local requirements may apply.

The United States currently promotes cPP based evaluations and not EAL based CC evaluations. Being certified against a cPP is a requirement for a product to be on the Commercial Solutions for Classified Program (CSfC) list, required for some governmental use.

Other national evaluation schemes, are phasing out EAL based evaluations and only accept products for evaluation that claim strict conformance with an approved PP.

In the EU, the Cybersecurity Act will define future certification requirements, which will be the basis for requirements for certain governmental use.