Zum Hauptinhalt springen

BSI TR-03107

Planned — not yet available

Support for BSI TR-03107 is planned and not yet available in azuma nori. This policy is not currently selectable when creating a project. The page below describes the intended analysis scope; it will move into the active policy set once the framework ships.

BSI TR-03107 ("Electronic Identities and Trust Services in the E-Government") specifies the technical and organizational requirements for electronic identification systems and trust services. It is essential for applications interacting with state-issued eIDs or requiring high-assurance electronic signatures.

Focus Areas for Nori Analysis

When azuma nori evaluates a codebase against TR-03107, the sub-agents focus on verifying the integration and handling of identity tokens and cryptographic trust chains.

Key areas evaluated include:

  1. Identity Verification & Storage: How the application handles, stores, and validates eID tokens. The agents ensure that identity tokens are not logged in plaintext and that their lifecycle is strictly managed.
  2. Signature Validation: For systems accepting electronic signatures, nori verifies that the code implements proper certificate path validation, checks revocation lists (CRLs/OCSP), and securely handles the underlying cryptographic material.
  3. Secure Communication: Enforcing mutual TLS (mTLS) or robust channel bindings when communicating with external identity providers or eID servers.

Providing Manual Evidence

Because TR-03107 encompasses organizational procedures (e.g., identity vetting processes) and physical security measures, source code analysis cannot cover every requirement.

For these non-technical controls, you must provide external documentation via the Evidence tab in the Standalone Client. Examples include:

  • Operational guidelines for identity verification.
  • Audit reports of the PKI infrastructure.
  • Service Level Agreements (SLAs) with external Trust Service Providers (TSPs).

The nori agents will read these documents and synthesize them with the source code findings to generate a complete compliance report.