
Add ISO 27001 certification #36

Open
sander opened this issue Mar 4, 2024 · 2 comments
Labels
TBD we can not solve this right now, but maybe in the future

Comments

@sander
Contributor

sander commented Mar 4, 2024

For some use cases it is important to know whether the wallet/agent is released and kept secure in an information security management system (ISMS) with secure wallet delivery as its objective. The most common standard for this is ISO 27001.

For example, an issuer may check for an ISO 27001 certificate before agreeing to issue a high-risk credential, to mitigate the risk of a personal data breach. Such a breach may for example occur at the provider’s backend services or at an end-user app, e.g. due to a vulnerability not mitigated in time, or due to a malicious software update. While certification does not provide technical guarantees, it provides assurance and recognisable evidence of quality.

I suggest to add a field:

  • ID: iso27001Certificate
  • Type: URL to PDF of valid certificate of which the scope includes the wallet/agent delivery
@cre8
Contributor

cre8 commented Mar 5, 2024

ISO27001 is a certification for the publisher, not for the product. So it says nothing about the quality/security of the product.

Better approach

  • Linking to possible penetration tests done by external companies (this could lead to bad quality reviews just to be reviewed)
  • Certification by Common Criteria. BSI is doing this and this is required in highly regulated or critical sectors. This is very rare.

Besides the certification of a product: it is only valid for a specific release.

I would keep the iso27001 and other company related information out of scope since e.g. a wallet by the Open Wallet Foundation is not able to get this certification.

@sander
Contributor Author

sander commented Mar 5, 2024

Hi @cre8, this depends on the type of wallet/agent solution. Several entries in the overview are for example delivered as a continuous stream of app releases through app stores, by a service organisation, potentially continuously backed by backend services. Penetration tests usually apply to a limited set of snapshots, while an ISMS is supposed to have a continuous control cycle.

I know that in at least some use cases, customers and supervisors are interested in the certification of the provider. They will indeed check whether the certification scope includes the security management of the wallet/agent solution.

To address the fact that some solutions will be delivered as source code only, without a servicing organisation, the proposed iso27001Certificate field could also have an N/A option.

I agree that links to penetration tests are also valuable. And to Common Criteria certificates – although usually only components of the wallet solution are certified, such as in the case of #30.

@maaikevanleuken maaikevanleuken added the TBD we can not solve this right now, but maybe in the future label Mar 21, 2024