eIDAS 2.0 – Cybersecurity Requirements for Remote Digital Signatures as a Service (M13b)
With the adoption of the European Regulation eIDAS 2.0, a legal framework of requirements for electronic signatures is established, introducing the notion of electronic signatures created using a remote signature creation device (rQSCD).
For such remotely created digital signatures to receive the same legal recognition as signatures created in a fully user-managed environment (e.g., with a smart card), providers of remote signature services should implement management and security procedures and use trusted systems, products, and secure electronic communication channels. Together these must ensure a reliable server signature environment in which the signature keys are used with a high level of trust and remain under the sole control of the signatory.
This talk will analyze the security requirements for the remote signature creation devices for them to be considered rQSCDs meeting the requirements of the eIDAS regulation. These requirements are specified as protection profiles published as state-of-the-art documents in EUCC for the different components (the Signature Activation Module – SAM and the HSM) that make up the rQSCD.
The Signature Activation Module (SAM) must ensure that the signatory has exclusive control of their signature keys. The certification of this component is based on a specific protection profile that is currently open to differing interpretations of how to apply it in the evaluation environment. This talk will also analyze the different configuration options and possible interpretations of the scope of the SAM evaluation. Open issues remain that leave it to the labs and certification bodies (CBs) to decide how to approach the evaluation and the scope of testing of the target of evaluation (TOE).