[ksk-change] Keeping two KSK keys long term

Bolivar, Al abolivar at verisign.com
Thu Oct 2 20:01:27 UTC 2014


SafeNet is working with IBM to come up with a FIPS 140 level 4 HSM.
I don't know what the current state of development is but do you think
it's worth asking them if they could incorporate a trusted path
authentication that has a bit more flexibility?

The worst thing that could happen is they say no.



On 10/2/14, 2:06 PM, "Michael StJohns" <msj at nthpermutation.com> wrote:

>On 10/2/2014 1:42 PM, Bolivar, Al wrote:
>> I would like to add that I support the addition of another vendor.
>> Tomofumi and I spoke to another vendor about introducing a competing
>> 140-2 level 4 HSM. In my opinion having other choices will be positive.
>> Thanks,
>> Al
>One of my pet peeves with the HSM vendors is that none of them provide
>more than rudimentary policy controls on the use of keys.  I keep
>waiting for someone to make an HSM that implements either  the Javacard
>Connected standards or something similar so I can define a programmatic
>policy wrapper more comprehensive than "I need a PIN to use it"  "I need
>two PINs to use it" "I need a smart card to use it" etc.  I can do this
>on a smart card, why is it so hard to do it on a big iron HSM?
>ksk-rollover mailing list
>ksk-rollover at icann.org

More information about the ksk-rollover mailing list