Products Certification for Qualified Electronic Signature

 1. Product Certification

     The National Security Authority (hereinafter referred to as „the NSA“), as the central body of state administration for electronic signature in accordance with Article 24 (7) of Act no. 215/2002 Coll. on Electronic Signature and on the amendment and supplementing of certain acts, certifies products for electronic signature, especially devices for electronic signature creation and secure devices for Time Stamp creation.

Certification of a product for electronic signature means assessing the conformity of technical devices and procedures for the creation and verification of Qualified Electronic Signatures, Time Stamps and other products for electronic signature with the security requirements established in the legal regulations of the Slovak Republic, in the standards and directives of the National Security Authority and in international norms and standards.

     Parties involved in the certification process:
• the applicant for certification: the subject who asks the certification authority to carry out the compliance evaluation and subsequently award the certificate,
• the certification authority (National Security Authority),
• the third party (e.g. an auditor, if an independent auditor is involved in the certification process, or the certificate of an independent test laboratory).

     The NSA certifies products for Qualified Electronic Signature and Time Stamp creation and verification, and other products for electronic signature, on the basis of a submitted application, Request for certification for Qualified Electronic Signature (Slovak version) (rtf, 161.6 kB), in accordance with Article 24 (7) of the Act no. 215/2002 Coll. on Electronic Signature (hereinafter referred to as „the Act“).

2. Request for product certification must contain

    2.1. personal data of the applicant,
    2.2. extract from the companies register (not older than three months) or trade licence,
    2.3. product name,
    2.4. product version,
    2.5. product identification,
    2.6. name of the producer of the product,
    2.7. technical documentation of the product,
             - operating instructions,
             - product description,
             - description of product functionality,
             - description of product characteristics,
             - operating platforms of the product,
             - supported standards and protocols,
             - list and parameters of cryptographic functions,
             - the form of characteristics of the application for QES (rtf, 185.4 kB) (if the application is the certified product) - Slovak version
    2.8. security certificates of the product or the final statement of a security audit,
             - certificates of product compatibility,
    2.9. references on the use of the product,
    2.10. description of technical support for the product,
    2.11. guarantee conditions of the product (especially the period, scope and conditions of the guarantee).

     The recommended content of the individual annexes to the application for certification of a product for QES, or to the application for prolonging the certificate validity of a product for QES, is described in the following comment (Slovak version) (pdf, 27.1 kB).

     The applicant must enclose the product itself, together with the supporting SW application, for which certification is requested. Annexes can be delivered in paper or electronic form. If the annexes are delivered in electronic form, the files must be in approved formats (e. g. .pdf, .rtf) and accompanied by a signed covering letter with hash imprints (SHA 1 or higher hash algorithms) of the individual files. All documentation must be in the Slovak language, or an officially certified translation into the Slovak language must be enclosed with the application (with the exception of documentation in the Czech language).
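One way to produce the hash imprint list for the covering letter and to re-check the files against it later. This is an added example, not an NSA tool: the file names are constructed, SHA-256 is an assumed choice of a "higher" algorithm, and the approved-format set holds only the two formats the text names.

```python
import hashlib
import tempfile
from pathlib import Path

APPROVED_FORMATS = {".pdf", ".rtf"}  # only the formats named in the text ("e. g.")
HASH_ALGORITHM = "sha256"            # assumption: SHA-1 is the stated minimum

def file_digest(path, algorithm=HASH_ALGORITHM):
    """Hash a file in chunks so large annexes do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_imprint_list(annex_dir):
    """Return ({file name: digest}, [files rejected for an unapproved format])."""
    imprints, rejected = {}, []
    for path in sorted(Path(annex_dir).iterdir()):
        if not path.is_file():
            continue
        if path.suffix.lower() in APPROVED_FORMATS:
            imprints[path.name] = file_digest(path)
        else:
            rejected.append(path.name)
    return imprints, rejected

def verify_imprint_list(annex_dir, imprints):
    """Return the files that are missing or no longer match the listed imprint."""
    return [name for name, expected in imprints.items()
            if not (Path(annex_dir) / name).is_file()
            or file_digest(Path(annex_dir) / name) != expected]

def demo():
    """Constructed annexes: two approved files, one unapproved, one later altered."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "product_description.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (d / "operating_instruction.rtf").write_bytes(b"{\\rtf1 constructed sample}")
        (d / "notes.docx").write_bytes(b"constructed sample, unapproved format")
        imprints, rejected = build_imprint_list(d)
        before = verify_imprint_list(d, imprints)
        (d / "product_description.pdf").write_bytes(b"%PDF-1.4 altered after signing")
        after = verify_imprint_list(d, imprints)
        return imprints, rejected, before, after

if __name__ == "__main__":
    imprints, rejected, before, after = demo()
    print("\n".join(f"{HASH_ALGORITHM}  {v}  {k}" for k, v in imprints.items()))
    print("rejected:", rejected, "| changed after signing:", after)
```

The imprint list only protects the annexes once it is bound to the signed covering letter; the signature itself is outside this example.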

Fees

Submitting the request for the conformity assessment of a product for qualified electronic signature, and the request for prolonging the certificate validity of a product for electronic signature, is subject to a fee pursuant to Article 24 (15) of the Act. The amount of the fee is determined by the Act of the National Council of the Slovak Republic No. 145/1995 Coll. on Administrative fees as amended. The fee is a fixed amount and must be paid when the request is submitted.

3. Request processing

     The NSA checks a request for certification according to part (2). If the request contains the necessary requirements, the NSA confirms receipt of the request and delivers it to the Department of Information Security and Electronic Signature. The Department of Information Security and Electronic Signature performs the certification process. The request is considered to be complete if it contains all requisites required by law pursuant to § 24 (11). If the request is not complete, the applicant is asked to complete it within 15 workdays. If the request is not completed by that time, the NSA, pursuant to the law, shall stop the proceedings.
     The Department of Information Security and Electronic Signature checks the content of the request and compares it with the product being certified. It determines a certification plan and decides on the beginning of the certification process.
     As the certification authority does not possess test laboratories, certification requires the applicant either to present security certificates from laboratories or licensed centers of national accreditation institutions approved by the NSA, or to present third party assurance by providing the final report of a security audit (expert opinion) created by an independent auditor in the form of a statement that the security requirements on technical means are met. Pursuant to §24 (13), the NSA is authorized to require the applicant to submit a performed security audit. A list of some laboratories and institutions is given in point 10. The costs connected with processing a product for the Qualified Electronic Signature in an accredited testing laboratory, and with the security audit, are paid by the applicant.

4. Request replenishment

     If the request for product certification does not contain all requirements according to part (2), if the request has any deficiency, or if some data need to be added, the NSA asks the applicant to add the necessary data or eliminate the deficiencies within 15 workdays. If the request is not completed by that time, the NSA, pursuant to the law, shall stop the proceedings.

5. Request revocation

     A request for certification will be revoked if
    5.1. the applicant asks for its revocation in writing,
    5.2. the documentation or product is not complete and the applicant does not correct it or add the necessary changes by the deadline,
    5.3. the applicant does not pay the required fee.

     The applicant must participate in all methods of the certification process.

6. Certification process

     The certification plan is drawn up according to product type and product purpose (e. g. products for Certification Service Providers, products for Qualified Electronic Signature Users, products for clients, HW products, SW products, products for signature creation, signature verification, Time Stamp creation, Electronic Registry creation, etc.).

     Individual product versions are assessed separately and therefore the certification process cannot be considered as the confirmation of individual versions compatibility.

     Methods in the certification process
    6.1. Processing of basic requirements in accordance with the Act,
        6.1.1. Products for Qualified Electronic Signature creation must ensure that:
           6.1.1.1. the document is displayed to the applicant before the signature procedure,
           6.1.1.2. the document is not changed during signing.
        6.1.2. Products for Qualified Electronic Signature verification must ensure that:
           6.1.2.1. the signed document is not changed during Qualified Electronic Signature verification,
           6.1.2.2. the Qualified Electronic Signature is verified and the result is displayed correctly,
    6.2. Processing of basic requirements in accordance with regulation no. 134/2009 Coll. laying down details on the requirements for secure-Time-Stamping devices and the requirements for electronic signature products (on electronic signature products),
        6.2.1. products for Qualified Electronic Signature must work with approved signature schemes, algorithms and parameters of these algorithms,
        6.2.2. products for Qualified Electronic Signature conform to the requirements if the requirements permit use of the functions,
        6.2.3. SW products for clients must contain the following functions:
            6.2.3.1. critical certificate extensions (restrictions on the use of the certificate that the application cannot process; the verifier must assess them subjectively) must be displayed in unchanged, readable and comprehensible form,
            6.2.3.2. during signature creation and verification, secure communication is established between the text editor (signature application) and the device performing the signature process or the device in which the public key of the root CA is stored.
    6.3. Processing of the product certificate or the final statement of the security audit
    6.4. Verification of basic product functionality
    6.5. Verification of the security characteristics of the product
    6.6. Verification of parameters and cryptographic functions
    6.7. Verification of conformity in the accredited certification laboratory

7. Certificate issuing

     Once the complete request for secure product certification for Qualified Electronic Signature is submitted, the NSA shall make a decision on conformity approval or disapproval within 90 days.

    7.1. If the product has fulfilled all requirements according to part VII throughout the whole certification process, the NSA issues the applicant a secure product certificate for the Qualified Electronic Signature. The certified device will be automatically added to the list of certified secure products for the Qualified Electronic Signature on the NSA web page.
    7.2. If the product does not fulfil the requirements set out in part (7), the NSA issues the applicant a decision not to grant a certificate of secure product for Qualified Electronic Signature,
    7.3. A device borrowed from the applicant for certification is returned to the applicant.

8. Automatic recognition of products for the qualified electronic signature

     Products for the qualified electronic signature the conformity of which was determined by the body pursuant to Article 3 (4) of the Directive 1999/93/EC of the European Parliament and of the Council in any of the EU Member States, are automatically recognised as the products for the qualified electronic signature pursuant to the Act of the Slovak Republic on Electronic signature.

9. Period of certificate validity

     The period of certificate validity is limited and is no more than five years. It depends on the type of product for the Qualified Electronic Signature. A new certificate can be requested after the certificate validity has ended.

     If the security requirements of the present law have not changed during the validity period of a certificate of a product for electronic signature issued by the NSA on the basis of proceedings for conformity recognition of technical devices for electronic signature creation and verification under the present law, the NSA will, on the basis of a request (Slovak version) (rtf, 172.6 kB), make a decision on prolonging the certificate validity of the product for electronic signature in truncated proceedings within 60 days. In the request the applicant shall provide the documentation from the previous proceedings for conformity assessment and a declaration that no security incidents were registered when using the product.

     The NSA is authorized to revoke the certificate before the end of its validity if circumstances occur under which the certificate would not have been issued.

 

10. List of selected licensed foreign test laboratories and national accreditation institutions

     The list of selected licensed test laboratories which evaluate product compliance according to

• ISO 15408-1 Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model,
• ISO 15408-2 Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements,
• ISO 15408-3 Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance requirements

     These ISO norms use evaluation criteria following from Common Criteria.

     In addition to the licensed laboratories mentioned, other laboratories can also be accepted if they are accredited by the national accreditation institution.
 

| Institution | Country | www or e-mail |
|---|---|---|
| Federal Ministry of Economic Affairs and Labour | AUSTRIA | http://www.bmwa.gv.at/Akkreditierung |
| BELCERT | BELGIUM | jules.dewindt@mineco.fgov.be |
| Belgische Kalibratie Organisatie | BELGIUM | |
| BELTEST | BELGIUM | http://beltest.fgov.be/ |
| Czech Accreditation Institute, o.p.s | CZECH REPUBLIC | http://www.cai.cz/ |
| Danish Accreditation | DENMARK | http://www.danak.dk/ |
| Finnish Accreditation Service | FINLAND | http://www.finas.fi/ |
| Comité Français d'Accréditation | FRANCE | http://www.cofrac.fr/ |
| Deutscher Akkreditierungsrat | GERMANY | http://www.deutscher-akkreditierungsrat.org/ |
| National Accreditation Board | IRELAND | http://www.forfas.ie/nab |
| OLAS | LUXEMBOURG | jean-marie.reiff@eco.etat.lu |
| Raad voor Accreditatie | NETHERLANDS | http://www.rva.nl/ |
| American National Standards Institute | USA | http://www.ansi.org/ |
| National Institute of Standards and Technology – NIST | USA | http://www.nist.gov/ |
| Norwegian Accreditation | NORWAY | http://www.justervesenet.no/na |
| Polskie Centrum Akreditacji | POLAND | http://www.pca.gov.pl/ |
| Instituto Português da Qualidade | PORTUGAL | http://www.ipq.pt/ |
| Slovak National Accreditation Service | SLOVAKIA | http://www.snas.sk/ |
| Slovenian Accreditation | SLOVENIA | http://www.gov.si/sa |
| Swedish Board for Acc. & Conformity Assessm. | SWEDEN | http://www.swedac.se/ |
| Swiss Accreditation Service | SWITZERLAND | http://www.sas.ch/ |
| United Kingdom Accreditation Service | UNITED KINGDOM | http://www.ukas.com/ |

 
2010 © NBU SR, Budatínska 30, P.O.BOX 16, 850 07 Bratislava 57