[ksk-change] Keeping two KSK keys long term
Tomofumi Okubo
tomofumi.okubo at gmail.com
Thu Oct 2 18:42:35 UTC 2014
Hi Mike,
I fully agree. It would be very nice to have that flexibility.
There was an HSM (I believe IBM?) that has a programmable portion that
is outside the cryptographic boundary, but we wanted one that has the
authentication function within the cryptographic boundary of the HSM.
It would be nice to have an HSM that gives us more options and still
have the authentication function within the cryptographic boundary of
the HSM.
Cheers!
Tomofumi
On Thu, Oct 2, 2014 at 11:06 AM, Michael StJohns <msj at nthpermutation.com> wrote:
> On 10/2/2014 1:42 PM, Bolivar, Al wrote:
>>
>> I would like to add that I support the addition of another vendor.
>> Tomofumi and I spoke to another vendor about introducing a competing FIPS
>> 140-2 level 4 HSM. In my opinion having other choices will be positive.
>>
>> Thanks,
>>
>> Al
>
>
> One of my pet peeves with the HSM vendors is that none of them provide more
> than rudimentary policy controls on the use of keys. I keep waiting for
> someone to make an HSM that implements either the Javacard Connected
> standards or something similar so I can define a programmatic policy wrapper
> more comprehensive than "I need a PIN to use it" "I need two PINs to use
> it" "I need a smart card to use it" etc. I can do this on a smart card, why
> is it so hard to do it on a big iron HSM?
>
> Mike
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover