Re: [dss-dev] DSS services and European Signature law

[Andreas Kuehne <kuehne@trustable.de>]

Hi Pim,

as this is a difficult topic I used Detlef as my backup expert ;-)
Detlef confirmed my quick guess that each an every component of a 
DSS-based SSCD needs to evaluated on its own. Usually that's would 
require an evaluation of a hardware component ( hopefully a smartcard 
with a testimonial ) and the software artifacts. But an EAL 4+ 
evaluation of a software component would be extremely expensive and 
would need a re-evaluation with every minor release .. would presume 
this to be overkill.

Don't think that's a way to ...

Greetings

Andreas

----- Original Message ----
From: Pim van der Eijk <lists@sonnenglanz.net>
To: Andreas Kuehne <kuehne@trustable.de>; dss-dev@lists.oasis-open.org
Cc: veit@trustable.de
Sent: Thursday, February 7, 2008 4:15:09 PM
Subject: RE: [dss-dev] DSS services and European Signature law


Hello Andreas,

Thanks a lot for your response.  You are right that there are many more
issues to consider to be able to state whether or not a DSS 
implementation
meets EAL 4+.  To rephrase my question, more precisely, assume we have 
some
device that is certified to meet the requirements of CWA 14169 that has 
a
"trusted path" to a local user interface. For instance, it could be a
hardware device that uses the keyboard and monitor of a computer as 
user
interface.  Now assume an alternative device that is similar in all 
ways
except that it can be accessed from remotely using DSS.  Would this 
device
qualify as an SSCD?

Pim


___________________________________________________
Andreas Kühne
phone: +49 177 293 24 97
mailto: kuehne@trustable.de


Trustable Ltd.
Niederlassung Deutschland
Ströverstr. 18 - 59427 Unna
Amtsgericht Hamm HRB 5868

Directors
Andreas Kühne
Heiko Veit

Company UK
Company No: 5218868
Registered in England and Wales