Specification standardises digital format of Letters of Approval
A specification which standardises the digital format of Letters of Approval issued from certification bodies and standardises how they can be retrieved has been released by GlobalPlatform. This clarity will simplify the process for validating the functional compliance and security certification status of a secure component product or of an application.
The Digital Letter of Approval (DLoA) Specification, which is available to download, will be of interest to stakeholders wanting to clarify the certification status of secure component products, such as a Secure Element (SE) or Trusted Execution Environment (TEE), and of applications. This includes trusted service manager vendors, certification bodies, platform and application developers, platform evaluators, issuers, manufacturers and verification authorities.
Gil Bernabeu, Technical Director at GlobalPlatform, explained: “Today, multiple applications can reside on one secure component. If product issuers commit to ensuring DLoAs are centrally available and presented in a globally consistent manner, as outlined in our specification, trusted service managers and other parties can quickly and easily validate if a product is secure and if an application can be updated without complication.”
The specification also:
- Clarifies how to access all certification documents (DLoAs) available for a given secure component.
- Improves the management of the certification lifecycle.
- Defines a new entity called a DLoA registrar. A repository that states the interface which enables a management system to retrieve a digital letter.
Bernabeu also commented that it is important that product testing and security certification activity does not become a barrier to adoption. She concluded with: “While the need to confirm the security and performance of a product is paramount, we must continually seek ways to streamline these processes and better align to the product lifecycle needs of the connected device marketplace. This specification defines a relatively easy approach to manage the security of secure component products that carry sensitive and/or basic applications and simplify post-issuance management of applications.”