1. Introduction
This document outlines the compliance framework that Virifi's Solution Proposal adheres to in order to align with Central Bank of Jordan (CBJ) regulations and international standards for secure digital signatures, cryptography, and long-term validation.
2. Central Bank of Jordan (CBJ) Compliance
Virifi's Solution Proposal integrates seamlessly with CBJ's Public Key Infrastructure (PKI) and meets all mandatory criteria, including:
Certificate issuance and management via CBJ APIs
Mutual TLS (mTLS) authentication using CBJ-issued certificates
Compliance with CBJ's Certificate Policy (CP) and Certification Practice Statement (CPS)
Support for signature formats and trust models as required by CBJ
3. ETSI eIDAS Standards
Virifi's Solution Proposal supports the following European Telecommunications Standards Institute (ETSI) eIDAS standards:
PAdES (ETSI EN 319 142-1): PDF Advanced Electronic Signatures
XAdES (ETSI EN 319 132-1): XML Advanced Electronic Signatures
CAdES (ETSI EN 319 122-1): CMS Advanced Electronic Signatures
JAdES (ETSI TS 119 182-1): JSON Advanced Electronic Signatures
Validation Reporting (ETSI TS 119 102-2): Signature validation and reporting
All signature levels (B, B-T, LT, LTA) are supported across these formats, ensuring interoperability and legal admissibility.
4. NIST and FIPS Cryptographic Standards
Virifi's Solution Proposal incorporates strong cryptographic algorithms and hardware security practices, including:
FIPS 204 (ML-DSA): Post-quantum digital signature algorithm for future-proof security
FIPS 140-2/3: Certified Hardware Security Modules (HSMs) for key storage and signing
FIPS 186-5: Digital signature standards covering RSA, DSA, and ECDSA
SP 800-57 / SP 800-131A: Key management and algorithm transition guidelines
HSMs used during the Proof-of-Concept phase (e.g., iShield-HSM, YubiKey 5 FIPS) meet FIPS requirements, while the platform is designed to work with a variety of compliant HSMs.
5. Auditing and Logging Practices
To support traceability and compliance audits:
All signing and verification operations are logged
Logs capture user ID, certificate ID, timestamps, and operation type
Integration with external SIEM solutions (e.g., Elastic, Splunk) is supported
Audit logs can be protected with HSM-backed hash chaining for tamper-evidence
6. Summary
Virifi's Solution Proposal demonstrates full compliance with CBJ requirements, ETSI eIDAS signature standards, and NIST/FIPS cryptographic guidelines. It is built for interoperability, security, legal enforceability, and future resilience against emerging threats, including quantum computing risks.
