Security

Organizational, Regional, and Functional Certifications

Common Criteria (CC): Common Criteria is an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments.

Our certified products include:

• Security Manager
• nShield HSMs
• KeyOne
• TrustedX

FIPS – 140-2: The Federal Processing Standard (FIPS) Publication 140-2 is a US government computer security standard used to approve cryptographic modules FIPS provides four security levels, each adding functions to the previous level.

Our certified products include:

• nShield HSMs
• FIPS 140-2 Level 2 and Level 3

ICP Brazil: ICP Brazil is a PKI certification supporting National Basic Infrastructure for Electronic Identification projects in Brazil.

Our certified products include:

• nShield HMSs ICP

FIPS – 201 (PIV): FIPS 201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors.

Our certified products include:

• Identity Guard

NATO Information Assurance Product Catalogue: The NATO Information Assurance Product Catalogue (NIAPC) established under Directive AC/322-D(2010)0042 (22-09-2010), provides NATO nations, and NATO civil and military bodies with a catalogue of Information Assurance (IA) products, Protection Profiles and Packages that are in use or available for procurement to meet NATO operational requirements.

Our certified products include:

• KeyOne

AIS 31: Application Notes and Interpretation of the Scheme (AIS) 31 – Functionality Classes and Evaluation Methodology for Physical Random Number Generators, Version 1 (25.09.2001.

Our certified products include:

• Solo XC

QSCD (Qualified Signature Creation Device): QSCD eIDAS certification according to the article 30.3.b) of the eIDAS Regulation.

Our certified products include:

• TrustedX
• Entrust HSMs

Environmental, Enclave, or System Certifications

WEBTRUST

Applies to: Entrust Certificate Services (ECS).

WebTrust for CAs is an audit that ensures a certificate authority is issuing certificates in accordance with its Certificate Policy and Certification Practice Statement. The CA/Browser Forum has mandated that a CA, in order to issue Publicly-Trusted Certificates, must obtain an audit report under a qualified audit scheme performed by a qualified auditor (Deloitte). Certificate members who require a publicly trusted certificate or chain of trust include Microsoft Edge, Google Chrome, Mozilla Firefox, Opera Mini, Cisco etc.

The WebTrust seal of assurance is a symbolic representation of a practitioner's unqualified report. This seal, when provided, is displayed on the certificate authority’s website, and linked to the practitioner's report and other relevant information. WebTrust applies to the following services within ECS;

• Public Trust certificates - This includes TLS/SSL certificates, Code Signing certificates, S/MIME certificates, Document Signing certificates, Verified Mark Certificates. These services are typically sold/priced per certificate.
• Digital Signing as a Service - This includes 2 services, Remote Signing Service and Signing Automation Service, both of which have multiple certificates offers, key generation and storage/hosting, and signing of documents.
• All Publicly Trusted Certificates & Cross-signed certificates require WebTrust audits.

ETSI

Applies to: Entrust Certificate Services (ECS).

European Telecommunications Standards Institute (ETSI) is the committee dealing with digital signatures (signature format, certificates), trust service providers and ancillary trust services (Remote signature creation and validation, Registered email, Registered e-delivery, Timestamping, Long-term data preservation). The European Union has mandated that a CA, in order to issue qualified Publicly-Trusted Certificates, must obtain an audit report under the eIDAS audit scheme performed by a qualified auditor (DEKRA). Certificate Authorities who wish to sell qualified certificates within Europe must be on a verified trusted list.

The ETSI and eIDAS standards assure the confidence of parties relying on certificates or other services related to qualified digital signatures with conformance assessment requirements for auditing schemes and a trust service status list (called Trusted List under the EU regulatory framework) to indicate the results of the audit and related supervision of the trust service provider. This provides information that will allow relying parties to know whether a given Trust Service Provider was operating under the approval through a recognized audit and supervisory scheme. ETSI applies to the following services in ECS;

• Digital Signing as a Service - This includes 2 services, Remote Signing Service and Signing Automation Service, both of which have multiple certificates offers, key generation and storage/hosting, and signing of documents.
• All Qualified Certificates require ETSI audits.
• These are the cert types that ETSI / eIDAS applies to: QWAC (qualified web application certs), QSig (Qualified signature), QSeal (qualified Seal) and QTSA (qualified timestamping certs).

PCI-DSS

Applies to: Entrust Digital Card Issuance Solution/Service (DCS Europe & US)

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. PCI DSS was designed to prevent cybersecurity breaches of sensitive data and reduce the risk of fraud for organizations that handle payment card information.

PCI DSS is not a law or legal regulatory requirement. However, it is often part of contractual obligations businesses that process, and store credit, debit and other payment card transactions adhere to. Contractually obligated organizations must meet the requirements of PCI DSS to establish and maintain a secure environment for their clients. If these requirements are not met, organizations will be fined and may not be allowed to transact business with debit and credit cards.

PCI-CP

Applies to: Instant Financial Issuance (IFI)

The Payment Card Industry Card Production and Provisioning standard (PCI CPP) is a rigorous set of controls that applies to any company involved in card manufacturing, personalization, packaging, shipping, and many other processes. PCI CP is the only certification authorizing a company to perform card production activities for the card brands on behalf of issuers.

PCI Card Production is a set of standards that cover the physical and logical controls of the payment card production and data provisioning process and apply to different organizations based on the services they offer to their customers. It is important to clarify that, although they are two different documents (logical and physical controls), they are not exclusive but complementary. An organization can have its compliance validated with the physical PCI Card Production standard, with the logical standard, or with both. On the other hand, those companies that offer card production and provisioning services must also comply with PCI DSS.

FEDRAMP/ATO

Applies to: Federal Agencies in business partnership with Cloud Service Providers (CSPs)

The Federal Risk and Authorization Management Program (FedRAMP) was developed to standardize the security risk assessment, authorization, and continuous monitoring of cloud services used by federal agencies. FedRAMP is managed by the Program Management Office within the General Services Administration (GSA). Required for any cloud service provider (CSP) that does business with a federal agency to protect information stored or shared in the cloud.

Authorization to Operate (ATO) is the decision that is reached after an information technology system satisfies the security controls requirements as described in the NIST 800-53 rev 5 security control baseline for the specified risk impact level. Every information system operated by or on behalf of the US federal government is required to meet Federal Information Security Modernization Act (FISMA) standards, which includes system authorization (ATO) signed by an Authorizing Official (AO). The ATO process is not an audit, it’s a certification that lasts for 3 years. This is aimed to document the security measures taken and the security process in place to maintain compliance. Entrust’s ATO was approved on 10/1/22 (recertification due in 3yrs, 2025).

Tscheme

Tscheme - tScheme is the self-regulatory body for electronic trust service approval in the UK. https://www.tscheme.org/certificate-factory-entrust-datacard-europe-ltd

ISO/IEC 5504

We are granted level 3 of ISO/IEC 5504 Certification by AENOR (www.aenor.es): body accredited by the Spanish National Accreditation Body (ENAC) for certifying products and services. This certification provides a solid base for the evaluation and improvement of the Quality Systems involved in developing software.

UNE 166002 and standard CEN / TC 166555-1 – This is a certification for the activities of Research, Development and Innovation of security software for the areas of identity and trust, by AENOR (www.aenor.es): body accredited by the Spanish National Accreditation Body (ENAC) for certifying products and services. This certification ensures an R+D+I management system highly effective and efficient, resulting this in a differential factor of competitiveness and excellence of the products of the Company. On the basis on this certification, Aenor has issued a certificate of compliance with the European Standard CEN/TC 16555-1:2013 Innovation Management. Part 1: Innovation Management System.

PrivacyMark – PrivacyMark System is a system set up to assess private enterprises that take appropriate measures to protect personal information. Such private enterprises are granted the right to display "PrivacyMark" in the course of their business activities. The System is in compliance with Japan Industrial Standards (JIS Q 15001: [Personal Information Protection Management System - Requirements]).

Responsible Disclosure

The Entrust Responsible Disclosure Program is committed to resolving security vulnerabilities in our products in a careful and timely manner. We take appropriate and necessary steps to minimize the risk to customers and aim to provide accurate information and resolution to address security threats in our products.

Entrust follows responsible disclosure guidelines to ensure its customers can address potential vulnerabilities as quickly as possible to mitigate associated risks.

We understand that you are taking your personal time and effort to report these issues.

Our asks of you include:

1. All testing must be legal.
2. Respect the privacy of others.
3. You will make reasonable efforts to contact us.
4. Provide sufficient details of the vulnerabilities that enable us to verify and reproduce.

Our promise to you include:

1. Provide a method for researchers to securely report vulnerabilities.
2. Promise to respond to reports in a reasonable manner.
3. Strive for open communication with researchers.
4. Publish security advisories.

Report a Vulnerability

We recommend that security researchers contact the Entrust Product Security Team by sending an email to [email protected].

Finders are encouraged to utilize Entrust Product Security PGP key to encrypt sensitive information sent to this address.

PGP / GPG key Fingerprint:
8015 7C02 BBDB 2BA9 BFC0 68E2 C6A7 3905 B449 2509

 

When creating the report please provide as much of the following information as possible:

• Product Name, version, and operating environment.
• Type and impact of the issue.
• The configuration/state required to reproduce the issue.
• A compressed archive file containing proof of concept code, scripts, or other data which facilitates the reproduction of the issue.
• Name and additional contact details (optional).

In order to protect our existing customers and yourselves we strongly recommend that you:

• Do not take advantage of the vulnerability or problem you have discovered. For example: by downloading more data than necessary to demonstrate the vulnerability, or deleting/modifying other system data.
• Do not reveal the problem to others until it has been resolved.
• Do not leverage the vulnerabilities to initiate new attacks.

We will handle all reports with strict confidentiality, and will not disclose your personal data to third parties without your permission.

We strive to resolve all issues as quickly as possible. After it is resolved, we would like to remain in an active role for any publication of the issue.

Vulnerability Handling Process

Security vulnerabilities in Entrust Security products are actively managed through our vulnerability management process and covers four stages:

1. Reporting: The process begins when the Entrust Product Security Team is made aware of a potential security vulnerability in an existing product. The reporter receives an acknowledgment and updates throughout the handling process.
2. Triage: The Entrust Product Security Team investigates the issue and confirms the potential vulnerability, assesses the risk, and determines the impact and assigns a processing priority. The outcome is communicated to the Reporter.
3. Resolution: The product engineering team works with the Product Security Team to develop a fix that mitigates the reported vulnerability.
4. Disclosure: If the vulnerability is deemed to be of sufficient severity, a product advisory is created to provide all affected customers with information to accurately assess their risk, and informs of possible remediation and workaround advice as well as availability of any patches. Following disclosure, customer questions are handled by the Support Team in the usual manner.

Entrust's disclosure policy ensures all customers receive the same information at the same time to avoid introducing further risk.

Entrust also provide software and firmware updates as part of the Support Services offered during the Support Period of the product. Specifically:

Entrust will provide, during the Support Period, the following support to customers:

Vendor Information Security Addendum

Security Disclosure Practices

To ensure the continued security of Entrust’s environment and in alignment with contractual obligations, the following highly sensitive, confidential, and proprietary documentation is not shared with external parties, including customers, unless there is a legal or regulatory requirement:

Detailed Penetration Test Results

Detailed Vulnerability Assessments

Information Security Policies and Procedures