C012 Certification Report

Transcription

1 C012 Certification Report etrust Certificate Management System version 3.5 File name: Version: v1a Date of document: 19 April 2011 Document classification: For general inquiry about us or our services, please

2

3 C012 Certification Report etrust Certificate 19 April 2011 ISCB Department CyberSecurity Malaysia Level 8, Block A, Mines Waterfront Business Park, No 3 Jalan Tasik, The Mines Resort City Seri Kembangan, Selangor, Malaysia Tel: Fax: Page i of ix

4 Document Authorisation DOCUMENT TITLE: DOCUMENT REFERENCE: ISSUE: C012 Certification Report - etrust Certificate v1a DATE: 19 April 2011 DISTRIBUTION: UNCONTROLLED COPY - FOR UNLIMITED USE AND DISTRIBUTION Page ii of ix

5 Copyright Statement The copyright of this document, which may contain proprietary information, is the property of CyberSecurity Malaysia. The document shall be held in safe custody. CYBERSECURITY MALAYSIA, 2011 Registered office: Level 8, Block A, Mines Waterfront Business Park, No 3 JalanTasik, The Mines Resort City, Seri Kembangan Selangor Malaysia Registered in Malaysia Company Limited by Guarantee Company No U Printed in Malaysia Page iii of ix

6 Forward The Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme has been established under the 9 th Malaysian Plan to increase Malaysia s competitiveness in quality assurance of information security based on the Common Criteria (CC) standard and to build consumers confidence towards Malaysian information security products. The MyCC Scheme is operated by CyberSecurity Malaysia and provides a model for licensed Malaysian Security Evaluation Facilities (MySEFs) to conduct security evaluations of ICT products, systems and protection profiles against internationally recognised standards. The results of these evaluations are certified by the Malaysian Common Criteria Certification Body (MyCB) Unit, a unit established within Information Security Certification Body (ISCB) Department, CyberSecurity Malaysia. By awarding a Common Criteria certificate, the MyCB asserts that the product complies with the security requirements specified in the associated Security Target. A Security Target is a requirements specification document that defines the scope of the evaluation activities. The consumer of certified IT products should review the Security Target, in addition to this certification report, in order to gain an understanding of any assumptions made during the evaluation, the IT product's intended environment, its security requirements, and the level of confidence (i.e., the evaluation assurance level) that the product satisfies the security requirements. This certification report is associated with the certificate of product evaluation dated 19 April 2011, and the Security Target (Ref [6]). The certification report, Certificate of product evaluation and security target are posted on the MyCC Scheme Certified Product Register (MyCPR) at Reproduction of this report is authorized provided the report is reproduced in its entirety. Page iv of ix

7 Disclaimer The Information Technology (IT) product identified in this certification report and its associate certificate has been evaluated at an accredited and licensed evaluation facility established under the Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme (Ref [4]) using the Common Methodology for IT Security Evaluation, version 3.1 revision 3 (Ref [3]), for conformance to the Common Criteria for IT Security Evaluation, version 3.1 revision 3 (Ref [2]). This certification report and its associated certificate apply only to the specific version and release of the product in its evaluated configuration. The evaluation has been conducted in accordance with the provisions of the MyCC Scheme and the conclusions of the evaluation facility in the evaluation technical report are consistent with the evidence adduced. This certification report and its associated certificate is not an endorsement of the IT product by CyberSecurity Malaysia or by any other organisation that recognises or gives effect to this certification report and its associated certificate, and no warranty of the IT product by CyberSecurity Malaysia or by any other organisation that recognises or gives effect to this certificate, is either expressed or implied. Page v of ix

8 Document Change Log RELEASE DATE PAGES AFFECTED REMARKS/CHANGE REFERENCE v1 11 April 2011 All Final Released. v1a 19 April 2011 Page iv Add the date of the certificate. Page vi of ix

9 Executive Summary etrust Certificate (hereafter referred as etrust CMS) from evault Technologies Sdn Bhd is the Target of Evaluation (TOE) for this Evaluation Assurance Level (EAL) 2 evaluation. etrust CMS is a web based frontend to the Microsoft Certification Authority (CA) services. etrust CMS provide separation of roles in the management of certificates from creation to revocation and recovery, as appropriate for the organisation. There are two subsystems in etrust CMS that are included in the scope of the evaluation: etrust CMS Website hosted behind the second firewall in the corporate network. It is used by the internal authorised officer to manage the certificate lifecycle; and etrust CA Portal it is use by the applicant over the Internet to download their certificate and root certificate. Database, Directory (Certificate & CRL Repository) manages by Microsoft CA, hardware, and Operating System (including Microsoft Certificate Authority and Hardware Security Module (HSM)) are not part of the TOE. However, their services are essential to the operation of the TOE. The scope of the evaluation is defined by the Security Target (Ref [6]), which identifies assumptions made during the evaluation, the intended environment for etrust CMS, the security requirements, and the evaluation assurance level at which the product is intended to satisfy the security requirements. Consumers are advised to verify that their operating environment is consistent with that specified in the security target, and to give due consideration to the comments, observations and recommendations in this certification report. This report describes the findings of the IT security evaluation of etrust CMS, to the Common Criteria (CC) evaluation assurance level of EAL 2 and that the evaluation was conducted in accordance with relevant criteria and the requirements of the Malaysia s Common Criteria Certification (MyCC) Scheme. The evaluation was performed by CyberSecurity Malaysia Security Evaluation Facilities (MySEF). The evaluation was completed on 19 November 2010 and some minor changes in the Evaluation Technical Report (ETR) received on 5 April 2011 based on the final review of the ETR. Malaysian Common Criteria Certification Body (MyCB), as the MyCC Scheme Certification Body, declares that the etrust CMS evaluation meets all the conditions of the Arrangement on the Recognition of Common Criteria Certificates and that the product will be listed on the MyCC Scheme Certified Products Register (MyCPR) at It is the responsibility of the user to ensure that the etrust CMS meets their requirement and security needs. It is recommended that prospective users of the etrust CMS refer to the ST (Ref [6]), and read this Certification Report prior to deciding whether to purchase and deploy the product. Page vii of ix

10 Table of Contents 1 Target of Evaluation TOE Description TOE Identification Security Policy TOE Architecture Clarification of Scope Assumptions Evaluated Configuration Delivery Procedures Documentation Evaluation Evaluation Analysis Activities Life-cycle support Development Guidance documents IT Product Testing Results of the Evaluation Assurance Level Information Recommendation Annex A References A.1 References A.2 Terminology A.2.1 Acronyms A.2.2 Glossary of Terms Index of Tables Table 1: TOE Identification... 1 Page viii of ix

11 Table 2: Independent Functional Testing... 9 Table 3: List of Acronyms Table 4: Glossary of Terms Index of Figures Figure 1: Subsystem of the TOE... 3 Page ix of ix

12

13 1 Target of Evaluation 1.1 TOE Description 1 The Target of Evaluation (TOE), etrust Certificate (hereafter referred as etrust CMS) is a role-based access control system on top of the Microsoft Certification Authority (CA) service and associates services. etrust CMS provide separation of roles in the management of certificates from creation to revocation and recovery, as appropriate for the organisation. 2 There are two subsystems in etrust CMS that are included in the scope of the evaluation: a) etrust CMS Website is used by the internal authorised officer, based on the assigned roles and rights, to manage the certificate lifecycle. This includes perform initial configuration of etrust CMS based on data provided during software setup, to verify the integrity of the database, to schedule backups of the database, and to perform exceptional PKI-management events such as PKI key recovery. b) etrust CA Portal allows users internally or externally download their respective certificates that are generated by the authorised officer. Depending on the organization policy, the certificate holder s keys and certificate can be backed up (also known as key escrow). A user can also request for key recovery through etrust CA Portal. 3 etrust CMS distinguishes between administrators with various rights and the endusers. The detail roles and rights in etrust CMS is described in Section of the Security Target Ref [6]). 1.2 TOE Identification 4 The details of the TOE are identified in Table 1 below. Table 1: TOE Identification Scheme Project Identifier TOE Name Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme C012 etrust Certificate Management System TOE Version version 3.5 Security Target Title etrust Certificate Management System Version 3.5 Security Target Security Target Version v1.0 Security Target Date 10 November 2010 Assurance Level Evaluation Assurance Level 2 (EAL2) Page 1 of 15

14 Criteria Common Criteria July 2009, Version 3.1, Revision 3 Methodology Protection Profile Conformance Common Criteria Conformance Common Methodology for Information Technology Security Evaluation, July 2009, Version 3.1 Revision 3 None CC Part 2 Conformant CC Part 3 Conformant Package conformant to EAL2 evault Technologies Sdn Bhd 1st Floor, Block G, Excella Business Park, Sponsor and Developer Jalan Ampang Putra, Taman Ampang Hilir, Kuala Lumpur, Malaysia Evaluation Facility CyberSecurity Malaysia MySEF 1.3 Security Policy 5 etrust CMS implements security policy listed below: a) Access control policy - etrust CMS controls access to all etrust system data associated with operations initiated by any etrust operator. Only administrators or authorised users with the right assigned to them to issue, revoke, and recover certificates can do the operations of issuing, revoking, recovering, and exporting the certificates and associated data. 6 The detail of the access control policy is described in Section 8 of the Security Target (Ref [6]). 7 The primary administrators of etrust CMS, known as Security Officers, are responsible to assign the rights, requiring access to the Officer Group Policy Setup Screen for the role definitions and/or the Officer Policy Setup Screen for the assignment of Officer to roles. 1.4 TOE Architecture 8 etrust CMS Security Target defines clearly both logical and physical boundaries. 9 Figure 1 illustrates the architecture of the TOE logical boundary in terms of subsystem. Page 2 of 15

15 Figure 1: Subsystem of the TOE 10 The TOE consists of two subsystems: etrust CMS Website, and etrust CA Portal as described below: a) etrust CA Portal subsystem - is used to handle the certificate download by the applicant over the Internet. During certificate issuance on etrust CMS an Authentication Code is generated and to the certificate holder to be used for future certificate download on etrust CA Portal at later stage. The CA Portal module allows users internally or externally download their respective certificates that are generated by the authorized officer. Notification is sent to the users via to inform them to log on to the CA portal and download their certificate to the desktop/laptop. b) etrust CMS Website subsystem - etrust CMS Website (comprised of a Web GUI), is used to manage certificate lifecycle by authorized officers. That is, to perform initial configuration of etrust CMS based on data provided during software setup, to verify the integrity of the etrust CMS database, to schedule backups of the database, and to perform exceptional PKI-management events such as PKI key recovery. In other words, etrust CMS provides the interface into initialization and maintenance services, as well as the primary operator interface for day-to-day management of authorized officers. Hence, management of the etrust configuration and etrust users via etrust CMS is assigned to the defined roles. 11 Administrators and end users functions are available after they have been authenticated. 12 etrust CMS is a software type TOE and it is not able to run stand-alone. It requires the environment to support its operation as follows: a) Software requirements: Page 3 of 15

16 i) Microsoft Internet Information Server (IIS) 6.0 ii) Microsoft SQL Server 2005 iii) iv) etrust CMS is intended to be hosted on Windows Server 2003 operating system. etrust CMS will apply to the library hosted on 32-bit Microsoft Windows Server 2003; SP 1 running on Intel x86 architectures. etrust CMS relies on the underlying operating system and its Server Certificate Authority application to provide certificate generation and distribution services, certificate revocation list generation and distribution services, and certificate status protocol services for TOE. etrust CMS does not require any additional privileges from the operating system. v) etrust CMS relies on the Secure Socket Layer (SSL) of IIS to secure the communication channel with the users and the application. The Private Key used by the server side in the SSL can optionally be stored in a Hardware Security Module (HSM), using the Cryptographic Services Provider (CSP) provided by the HSM vendor. b) Hardware requirements: i) etrust CMS Website ii) - 2 Gbytes of RAM - Intel Xeon Dual Core 2.83 GHz or better - One 16X or faster CD-ROM drive - TCP/IP protocol stack installed Gbytes hard disk etrust CA Portal - 2 Gbytes of RAM 1.5 Clarification of Scope - Intel Xeon Dual Core 2.83 GHz or better - One 16X or faster CD-ROM drive - TCP/IP protocol stack installed Gbytes hard disk 13 The TOE is designed to be suitable for use in well-protected environments that have effective countermeasures, particularly in the areas of physical access, personnel and communication security in accordance with administrator guidance that is supplied with the product. The scope of the evaluation was limited to those claims made in the Security Target (Ref [6]) and includes only the following evaluated security functionality: a) Security roles within the etrust CMS Website subsystem the TOE controls access to all etrust CMS system data associated with operations initiated by any etrust CMS operator. The rights assigned by the Security Officer to these Page 4 of 15

17 administrators are defined in roles. Administrators with authorisation to issue certificates, revoke certificates, recover private keys associated with certificates, and export potentially sensitive data. The Security Officer is defined as having the right to assign the rights, requiring access to the Officer Group Policy Setup Screen for the role definitions and/or the Officer Policy Setup Screen for the assignment of Officer to roles. The capability to configure any TOE security functionality is only provided via the etrust CMS GUI. Specific configurations all have their own setup screens with specific access rights associated to them. The Security Officers are the only administrators given this right. b) Access control of the etrust CMS Website subsystem the TOE enforce the TOE Access Control Policy to access to all etrust system data associated with operations initiated by any etrust operator. c) Identification and authentication - allow access to the login screen and help menu (of the etrust CA portal for end-users, and of the etrust CMS for Officers) to allow the attempt to identify and authenticate. The TOE requires the users to be authenticated before allowing any etrust CMS-mediated action. The user identity is authenticated at login and remains associated with subjects acting on behalf of the user as long as the login session is valid. 14 Potential consumers of the TOE are advised that some functions and services may not have been evaluated as part of the evaluation. Potential consumers of the TOE should carefully consider their requirements for using functions and services outside of the evaluated configuration. 15 Functions and services which are not included as part of the evaluated configuration are as follows: a) Database - stores information about etrust CMS users and the infrastructure itself. b) Directory (certificate & CRL repository) - a repository of public information. It contains the name of each end entity in the CA domain. Public certificates of each user, certificate revocation lists (lists of certificates that have been revoked for various reasons), and other information is written from etrust CMS to Microsoft CA engine and then to the Directory. c) Hardware and Operating System (including Microsoft CA and Hardware Security Module (HSM)). 1.6 Assumptions 16 This section summarises the security aspects of the environment or configuration in which the IT product is intended to operate. Consumers should understand their own IT environments and what is required for secure operation of the etrust CMS as defined in subsequent sections and in the Security Target. Customer can make informed decisions about the risks associated with using the etrust CMS by considering assumptions about usage and environment settings as requirements for Page 5 of 15

18 the product s installation and its operating environment, to ensure its proper and secure operation. 17 However, there is no assumption declared in the Security Target since the specific item needs by the TOE was explained in Section 5.2 Security Objective for the Environment of the Security Target. 1.7 Evaluated Configuration 18 This section describes the configurations of the TOE that are included within the scope of the evaluation. The assurance gained via evaluation applies specifically to the TOE in the defined evaluated configuration according to the secure installation procedure (Ref 24). 19 The TOE is hand delivered in a CD by the developer s authorised personnel. The developer s authorised personnel is responsible to assist in the installation and configuration of the TOE based on the secure installation procedure (Ref 24) as follows: a) Installation of etrust CMS Website which includes the installation of the Microsoft Windows 2003 server, Microsoft Internet Information Service (IIS),.Net Framework 2.0, Microsoft CA Service, Microsoft SQL Server, etc. b) Installation of etrust CMS CA Portal which includes the installation of the Microsoft Windows 2003 server, Microsoft Internet Information Service (IIS),.Net Framework 2.0, etc. 1.8 Delivery Procedures 20 etrust CMS is delivered to the customers in a CD and hand-delivered by the developer s authorised personnel. They are responsible to assists in the installation and configuration of the TOE based on the secure installation procedure (Ref 24). 21 The user is responsible to verify whether they have received all items as outlined in the etrust Certificate Management System 3.5: Common Criteria Addendum (Ref 24b)) as follows: a) The developer is responsible to deliver the version of etrust CMS as described in the ST to the customer. b) Typically etrust CMS is hand-delivered by the developer to ensure it is protected against tampering and impersonation, and the developer will assists in the installation of etrust CMS. However, other trusted arrangements can also be made. c) It is the responsibility of the customer to verify that they have received the correct items listed in the Security Target and this Certification Report (the product plus the documentation) from the developer. Customers are advice to contact the developer immediately for further instructions and not to use the product in security sensitive situations if they found that they have received the incorrect or tampered items. Page 6 of 15

19 1.9 Documentation 22 It is important that the etrust CMS is used in accordance with guidance documentation in order to ensure secure usage of the product. 23 The following documentation is provided by the developer to the end user as guidance to ensure secure usage and operation of the product: a) [OM] etrust Certificate Management System v3.5 Operation Manual (Ref [9]) b) [UM] etrust Certificate Management System 3.5 User Manual - Install User Certificate (Ref [10]) c) [TM] etrust Certificate Management System v3.5 Training Manual (Ref [11]) 24 The following guidance documentation is provided by the developer for secure installation of the product: a) [IM] etrust Certificate Management System v3.5 Installation Manual (Ref [12]) b) [CCA] etrust Certificate Management System 3.5: Common Criteria Addendum (Ref [8]) c) [OM] etrust Certificate Management System v3.5 Operation Manual (Ref [9]) d) [UM] etrust Certificate Management System 3.5 User Manual - Install User Certificate (Ref [10]) 25 The following public documentation is available for secure acceptance of the product: a) [CCA] etrust Certificate Management System 3.5: Common Criteria Addendum (Ref [8]) b) etrust Certificate Management System Version 3.5 Security Target (Ref [6]) Page 7 of 15

20 2 Evaluation 26 The evaluation was conducted in accordance with the requirements of the Common Criteria, Version 3.1 Revision 3 (Ref [2]) and the Common Methodology for IT Security Evaluation (CEM), Version 3.1 Revision 3 (Ref [3]). The evaluation was conducted at Evaluation Assurance Level 2 (EAL2). The evaluation was performed conformant to the MyCC Scheme Policy (MyCC_P1) (Ref [4]) and MyCC Scheme Evaluation Facility Manual (MyCC_P3) (Ref [5]). 2.1 Evaluation Analysis Activities 27 The evaluation activities involved a structured evaluation of etrust CMS, including the following components: Life-cycle support 28 An analysis of the etrust CMS configuration management system and associated documentation was performed. The evaluators found that the etrust CMS configuration items were clearly and uniquely labelled, and that the access control measures as described in the configuration management documentation are effective in preventing unauthorised access to the configuration items. The developer s configuration management system was evaluated, and it was found to be consistent with the provided evidence. 29 The evaluators examined the delivery documentation and determined that it described all of the procedures required to maintain the integrity of etrust CMS during distribution to the consumer Development 30 The evaluators analysed the etrust CMS functional specification; they determined that the design completely and accurately describes the TOE security functionality (TSF) interfaces (TSFIs), and how the TSF implements the security functional requirements (SFRs). 31 The evaluators examined the etrust CMS specification; they determined that the structure of the entire TOE is described in terms of subsystems. They also determined that, it provides a complete, accurate, and high-level description of the SFR-enforcing behaviour of the SFR-enforcing subsystems. 32 The evaluators examined the etrust CMS security architecture description; they determined that the information provided in the evidence is presented at a level of detail commensurate with the descriptions of the SFR-enforcing abstractions contained in the functional specification and TOE design Guidance documents 33 The evaluators examined the etrust CMS preparative user guidance and operational user guidance, and determined that it s sufficiently and unambiguously described Page 8 of 15

21 how to securely transform the TOE into its evaluated configuration, and how to use and administer the product in order to fulfil the security objectives for the operational environment. The evaluators examined and tested the preparative and operational guidance, and determined that they were complete and sufficiently detailed to result in a secure configuration IT Product Testing 34 Testing at EAL2 consists of assessing developer tests, independent function test, and performing penetration tests. etrust CMS testing was conducted by CyberSecurity Malaysia MySEF at CyberSecurity Malaysia MySEF Lab in Seri Kembangan Selangor where it was subjected to an independent functional and penetration tests. The detailed testing activities, including configurations, procedures, test cases, expected results and actual results are documented in a separate Test Plan Reports Assessment of Developer Tests 35 The evaluators verified that the developer has met their testing responsibilities by examining their test plans, and reviewing their test results, as documented in the Evaluation Technical Report (Ref [7]) (not a public document because it contains information proprietary to the developer and/or the evaluator). 36 The evaluators analysed the developer s test coverage and found them to be complete and accurate. The correspondence between the tests identified in the developer s test documentation and the interfaces in the functional specification, TOE design and security architecture description was complete Independent Functional Testing 37 Independent functional testing is the evaluation conducted by evaluator based on the information gathered by examining design and guidance documentation, examining developer s test documentation, executing a sample of the developer s test plan, and creating test cases that augmented the developer tests. 38 The results of the independent test developed and performed by the evaluators to verify the TOE functionality as follows: Table 2: Independent Functional Testing DESCRIPTION SECURITY FUNCTION TSFI STATUS The test is developed: To see whether user at Level 1 can be deleted by user at lower level (i.e: Level 2). To verify whether user using expired certificate can log in. To request for officer Specification of Management Functions Timing of authentication Certificate Request GUI PASS. The output shows that the TOE functions as per access control policy setup by the Security Officers. Page 9 of 15

22 DESCRIPTION SECURITY FUNCTION TSFI STATUS certificate. To issue officer certificate. To download the certificate from CA Portal. 39 All tests performed by the evaluators produced the expected results and as such the TOE behaved as expected Penetration Testing 40 The evaluators performed a vulnerability analysis of the TOE in order to identify potential vulnerabilities in the TOE. This vulnerability analysis considered public domain sources and an analysis of guidance documentation, and functional specification. 41 From the vulnerability analysis, the evaluators conducted penetration testing to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential. The following factors have been taken into consideration during the penetration tests: a) Time taken to identify and exploit (elapsed time); b) Specialist technical expertise required (specialist expertise); c) Knowledge of the TOE design and operation (knowledge of the TOE); d) Window of opportunity; and e) IT hardware/software or other equipment required for exploitation. 42 The penetration tests focused on : a) Generic vulnerabilities; b) Web based penetration testing; c) Tampering 43 The results of the penetration testing note that a number of additional vulnerabilities exist that are dependent on an attacker effort, time, skill/knowledge, and focused tools/exploits use to gather the TOE configuration information. Therefore, it is important to ensure that the TOE is use only in its evaluated configuration and in secure environment Testing Results 44 Tests conducted for the etrust CMS produced the expected results and demonstrated that the product behaved as specified in its Security Target and functional specification. Page 10 of 15

23 3 Results of the Evaluation 46 After due consideration during the oversight of the evaluation execution by the certifiers and of the Evaluation Technical Report (Ref [7]), the Malaysian Common Criteria Certification Body certifies the evaluation of etrust CMS performed by CyberSecurity Malaysia MySEF. 47 CyberSecurity Malaysia MySEF found that etrust CMS upholds the claims made in the Security Target (Ref [6]) and supporting documentation, and has met the requirements of the Common Criteria (CC) assurance level EAL2. 48 Certification is not a guarantee that a TOE is completely free of exploitable vulnerabilities. There will remain a small level of risk that exploitable vulnerabilities undiscovered in its claimed security functionality. This risk is reduced as the certified level of assurance increases for the TOE. 3.1 Assurance Level Information 49 EAL2 provides a basic level of assurance by a limited Security Target and an analysis of the security functions in that Security Target, using a design document, architectural document, functional and interface specification and guidance documentation, to understand the security behaviour. 50 The analysis is supported by a search for potential vulnerabilities in the public domain, developer s test cases and independent testing (functional and penetration) of the TOE security functions. 51 EAL2 also provides assurance through unique identification of the TOE and implementation of a configuration management system so that there is no ambiguity in terms of which instance of the TOE is being evaluated. 3.2 Recommendation 52 In addition to ensure secure usage of the product, below are additional recommendations for etrust CMS: a) Ensure strict adherence to the acceptance checklist as mentioned in the etrust Certificate Management System 3.5: Common Criteria Addendum (Ref [8]). b) Underlying hardware, software and network should be harden and ensure that the only external access possible is via TCP port 443. All access to the administrator interfaces and the underlying OS should be restricted to trusted administrators only. c) The administrators must be well trained and actively working to keep the product correctly configured and otherwise protected against all attacks. d) The TOE should be located in a physically secure area to ensure no direct access to the environment. Page 11 of 15

24 e) It is recommended that the user credential is encrypted with a good encryption algorithm or enable end-user certificate download for one time only to prevent other people from downloading the certificate. f) Use it only in its evaluated configuration. g) HTTPS is recommended to be deployed to ensure that the communication via etrust CMS Website and etrust CA Portal are secured. Page 12 of 15

25 Annex A References A.1 References [1] Arrangement on the recognition of Common Criteria Certificates in the field of Information Technology Security, May [2] The Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July [3] The Common Evaluation Methodology for Information Technology Security Evaluation, Version 3.1, Revision 3, July [4] MyCC Scheme Policy (MyCC_P1), v1a, CyberSecurity Malaysia, December [5] MyCC Scheme Evaluation Facility Manual (MyCC_P3), v1, December [6] etrust Certificate Management System Version 3.5 Security Target, version 1.0, 10 November [7] Evaluation Technical Report etrust Certificate Management System Version 3.5, version 1.1, 5 April [8] etrust Certificate Management System 3.5: Common Criteria Addendum, v0.1, 20 July [9] etrust Certificate Management System v3.5 Operation Manual, v1.4, 18 November [10] etrust Certificate Management System 3.5 User Manual - Install User Certificate, v3.5, 3 September [11] etrust Certificate Management System v3.5 Training Manual, v3.5, 3 September 2010 [12] etrust Certificate Management System v3.5 Installation Manual, v1.6, 18 November A.2 Terminology A.2.1 Acronyms Table 3: List of Acronyms Acronym CA CB CC CCRA Expanded Term Certification Authority Certification Body Common Criteria (ISO/IEC15408) Common Criteria Recognition Arrangement Page 13 of 15

26 Acronym Expanded Term CEM Common Evaluation Methodology (ISO/IEC 18045) CRL GUI HSM IEC ISO ISCB MAC MyCB MyCC MyCPR MySEF NDA POS PP ST TLE TOE Certificate Revocation List Graphical User Interface Hardware Security Module International Electrotechnical Commission International Organisation for Standardization Information Security Certification Body Message Authentication Code Malaysian Common Criteria Certification Body Malaysian Common Criteria Evaluation and Certification Scheme MyCC Scheme Certified Products Register Malaysian Security Evaluation Facility None Disclosure Agreement Point of sale Protection Profile Security Target Terminal Line Encryption Target of Evaluation A.2.2 Glossary of Terms Table 4: Glossary of Terms Term CC International Interpretation Certificate Certification Body Consumer Definition and Source An interpretation of the CC or CEM issued by the CCMB that is applicable to all CCRA participants. The official representation from the CB of the certification of a specific version of a product to the Common Criteria. An organisation responsible for carrying out certification and for overseeing the day-today operation of an Evaluation and Certification Scheme. Source CCRA. The organisation that uses the certified product within their infrastructure. Page 14 of 15

27 Term Developer Evaluation Evaluation and Certification Scheme Interpretation Certifier Evaluator Maintenance Certificate National Interpretation Security Evaluation Facility Sponsor Definition and Source The organisation that develops the product submitted for CC evaluation and certification. The assessment of an IT product, IT system, or any other valid target as defined by the scheme, proposed by an applicant against the standards covered by the scope defined in its application against the certification criteria specified in the rules of the scheme. Source CCRA and MS ISO/IEC Guide 65. The systematic organisation of the functions of evaluation and certification under the authority of a certification body in order to ensure that high standards of competence and impartiality are maintained and that consistency is achieved. Source CCRA. Expert technical judgement, when required, regarding the meaning or method of application of any technical aspect of the criteria or the methodology. An interpretation may be either a national interpretation or a CC international interpretation. The certifier responsible for managing a specific certification task. The evaluator responsible for managing the technical aspects of a specific evaluation task. The update of a Common Criteria certificate to reflect a specific version of a product that has been maintained under the MyCC Scheme. An interpretation of the CC, CEM or MyCC Scheme rules that is applicable within the MyCC Scheme only. An organisation (or business unit of an organisation) that conducts ICT security evaluation of products and systems using the CC and CEM in accordance with Evaluation and Certification Scheme policy. The organisation that submits a product for evaluation and certification under the MyCC Scheme. The sponsor may also be the developer. --- END OF DOCUMENT --- Page 15 of 15