SAFE Identity QPL Lab Product Testing

The SAFE Identity QPL Lab tests software that creates/validates digital signatures against world leading digital signature standards developed by high level PKI and digital signature experts to make sure that it can interoperate with other digital signature systems. The tests are adapted from leading digital signature and related PKI standards like RFC 3852, ISO 32000-1, NIST Public Key Infrastructure Test Suite and NIST Path Discovery Test Suite.

Vendors who choose to have their products tested for certification on the SAFE QPL, are taking the first step toward confirming that their product(s) uses digital identities in the way the holders, issuers and Relying Parties expect.

Master Services Agreement (MSA)

Initial engagements with the SAFE QPL Lab begin with execution of the MSA and the payment required for testing and certification fees. After the MSA has been executed and payments have been made, the product vendor may then proceed with submitting the product for certification.

How does the testing process work?

Testing Tools

The QPL Lab offers applicants testing artifacts, which includes signed PDFs and test certificates, to enable them to perform testing internally before submitting their product to the SAFE QPL Lab. Though self-testing is optional, it will increase the likelihood of a vendor passing our test suite on the first try.

PKI Infrastructure

The PKI Infrastructure used in the QPL Lab includes all certification paths used in the test suite.

Seeded PDFs
A set of PDF files signed with digital signatures tied to the test cases used in the QPL Lab.

More Information
To learn more about our PKI Infrastructure and Seeded PDFs, please review our SAFE PDF Signature Test Specification.

Testing Plan

Required Tests: Products that pass all required test cases will be published to the Qualified Products List. Products that fail a required test will not be published to the Qualified Products List.
Optional Tests: Products that pass test cases for any of the chosen optional tracks will be displayed on the Qualified Products List, with a description that the product supports those optional tracks.

Testing Tracks and Test Specification Mapping


Signature Creation The product allows the end user to create signatures using PKI credentials either installed locally on the user’s device or stored on a remote location securely accessible to the product during signature creation.
Signature Validation The product allows the end user to view a signed document and lets the user know about the validity of the signature. This may include both Non-LTV and LTV signatures.
LTV Long Term Validation. LTV signatures are designed for circumstances where the validity period of the signature goes beyond the life of the credential used to sign the data. They include fields that support embedding a full certificate chain back to a Trust Anchor and all revocation data associated with the certificate chain.
Usability Does the product make it easy for the end user to select the right certificate for signing? For example, if the end user has a number of certificates to choose from, does the product only offer the ones with the key usage set to Signature and gives preference to the ones having SAFE policy OIDs in its chain?
CSC RSSP Compatibility Compatibility with Cloud Signature Consortium’s Remote Signature Service Provider Specification.
Advanced PKI Support The product allows either the end user or an administrator to configure certificate policies and/or path discovery options.


Product Installation Activities

After the application has been approved, the SAFE QPL Lab will contact the product vendor to schedule an installation date. Once scheduled, the Lab will provide a virtual environment for host servers and clients.

It is the responsibility of the product vendor to provide the following:
For Cloud-Hosted Products:
– A valid license/subscription.
– A user guide.
– A guide on how to configure the software.
– Other information vendor typically provides to its customers related to its Product.

For Desktop Products:
– All software and operating systems with perpetual licenses.
– An installation guide.
– A Configuration Settings File or a guide on how to configure the software.
– A valid license/subscription.
– A user guide.
– Other information vendor typically provides to its customers related to its Product.

Installation is considered complete once the QPL Lab is able to perform basic operations using the vendor’s software. Depending on the testing queue, installation may precede testing by several weeks.
If QPL Lab personnel have problems or anomalies that seem indicative of operator error rather than a system error, they will reach out to the vendor’s Technical Point of Contact for support. If configuration changes are needed, the QPL Lab will schedule a meeting where screens are shared so that the vendor can guide Lab personnel on what updates are needed.

Please Note: The product vendor may not update software post-installation or during testing.

QPL Estimated Timeline

Below are general estimates for each stage of the process, as measured in Business Days:

Here is the link to the SAFE QPL Lab Application Form.