9. Signature creation device and its selection

9.3. eIDAS Regulation and requirements for the signature creation device

An electronic stamp does not principally assume use of the signature creation device. Regulation No. 910/2014 of the European Parliament and of the Council (eIDAS Regulation) providing terms for trust service and aspects of the digital signing, does not establish direct requirements for the signature creation devices used for X-Road. eIDAS Regulation establishes requirements to the signature creation device in case of a qualified electronic stamp.

Qualified signature creation device (QSCD) needs to be used for creation of a qualified electronic stamp, i.e. a physical device that has Common Criteria (CC) certificate for „Protection Profile SSCD“ (Standard EN 419 211, Protection Profiles for secure signature creation and other related devices part 1–2). However, creation of legislation about forming qualified electronic stamp is still in progress and there is also not enough appropriate software. Principally also the qualified electronic stamp certificate suits for using in X-Road.

For the purpose of eIDAS Regulation, e-stamp of the X-Road is an advanced electronic stamp with a qualified certificates. According to common practice, the qualified trust service providers issue that type of certificates to devices designed for management of private keys. More detailed requirements are specified in the Certification Policy (CP) of the electronic stamp of the certification service provider. For example, in case of AS Sertifitseerimiskeskus, it is necessary to use the device that has:

  • either Common Criteria certification according to EN 419 211, or
  • FIPS 140-2 second or higher level certification.

Since the devices and manufacturers are different and different devices comply with different standards, it is important to make sure before the purchase that the signature creation device supports the requirements established by the trust service provider.

PKCS#11 protocol is used for connecting the signature creation device with the security server.

Communication is generally hold according to PKCS#11 protocol but it is recommended to ask the manufacturer or the distributor a conformation that the device can be connected to X-Road.