Common Criteria in Austria

Abstract:

Austria has joined the Common Criteria Mutual Recognition Agreement(CC-MRA)in 2002 as a certificate consuming participant. The presentation discusses the motivation behind this move and its influence on ICT strategies. This is done using a major driver to join the CC-MRA as an example the European Union (EU) electronic signature directive. The signature directive requires the assessment of components against its requirements. In the European Electronic Signature Standardisation Initiative CC protection profiles have been defined for that, which also have been published as so-called reference numbers in 2003. This led to simplification in the bylaws to the Austrian signature law that originally (signature order 2000) referred to various different standards an amended version of 2004 reduced that to CC or ITSEC. However, even though the CC evaluation against the reference numbers gives some automatism in the recognition of secure signature-creation devices throughout the EU, the issuers of the two major massive rollouts of signature cards in Austria the bank cards and the Austrian health insurance card have chosen to not follow the protection profiles given as reference numbers, even though CC evaluations have been applied. The presentation attempts to give reasons for that to illustrate where protection profiles that have been defined by policy making are not completely taken up by industry or where such protection profiles even may turn out inflexible if the legal environment changes.