[ksk-change] Keeping two KSK keys long term

Michael StJohns msj at nthpermutation.com
Thu Oct 2 18:06:40 UTC 2014

On 10/2/2014 1:42 PM, Bolivar, Al wrote:
> I would like to add that I support the addition of another vendor.
> Tomofumi and I spoke to another vendor about introducing a competing FIPS
> 140-2 level 4 HSM. In my opinion having other choices will be positive.
> Thanks,
> Al

One of my pet peeves with the HSM vendors is that none of them provide 
more than rudimentary policy controls on the use of keys.  I keep 
waiting for someone to make an HSM that implements either  the Javacard 
Connected standards or something similar so I can define a programmatic 
policy wrapper more comprehensive than "I need a PIN to use it"  "I need 
two PINs to use it" "I need a smart card to use it" etc.  I can do this 
on a smart card, why is it so hard to do it on a big iron HSM?


More information about the ksk-rollover mailing list