[ksk-change] Keeping two KSK keys long term
Michael StJohns
msj at nthpermutation.com
Fri Oct 3 16:11:44 UTC 2014
On 10/2/2014 4:01 PM, Bolivar, Al wrote:
> Mike,
>
> SafeNet is working with IBM to come up with a FIPS 140 level 4 HSM.
> I don't know what the current state of development is but do you think
> it's worth asking them if they could incorporate a trusted path
> authentication that has a bit more flexibility?
(Just for clarification are you talking FIP 140-2 level 4 or something
in the "maybe soon to be published FIPS 140-4" standard?)
The idea of a more flexible authentication system is a good start. But
what I'm really thinking needs to happen is a system that supports
expressing policy more like:
* A CA key that will only sign properly formatted X.509 certificates
and ensures that the signed certificate has a unique serial number
and has appropriate validity info, and infrastructure extensions
(e.g. SKI extension, AKI extension, appropriate policy bits) -
things that are normally enforced outside the HSM boundary these days.
* A wrapping key that can wrap and unwrap AES Key Wrap mode material
where the material has its own set of attached policy bits (e.g. a
secret key which can only be used for KDFs) and protect that
unwrapped key appropriately.
* A signing key that will only sign a properly formatted DNSKEY RRSet
and only if it sees that N other known keys have signed it.
* A system that ensures the data that the remote signers agreed could
be signed is actually the data signed.
* A more comprehensive set of threshold key systems (e.g. Shamir's
plus others) both for partial signatures and for information
retrieval/escrow (think of taking Shoup's scheme that I mentioned
and publish the public key - data could be encrypted using that key,
but N of K private key holders would need to come together to
retrieve that encrypted data -think further about that with respect
to backup key generation)
I mentioned Javacard Connected as there's a lot of experience with
similar things in smart cards. I can't quite figure out why I can't buy
an HSM that does what a smart card can be programmed to do.
Mike
>
> The worst thing that could happen is they say no.
>
>
>
> Thanks,
>
> Al
>
>
>
>
>
> On 10/2/14, 2:06 PM, "Michael StJohns" <msj at nthpermutation.com> wrote:
>
>> On 10/2/2014 1:42 PM, Bolivar, Al wrote:
>>> I would like to add that I support the addition of another vendor.
>>> Tomofumi and I spoke to another vendor about introducing a competing
>>> FIPS
>>> 140-2 level 4 HSM. In my opinion having other choices will be positive.
>>>
>>> Thanks,
>>>
>>> Al
>> One of my pet peeves with the HSM vendors is that none of them provide
>> more than rudimentary policy controls on the use of keys. I keep
>> waiting for someone to make an HSM that implements either the Javacard
>> Connected standards or something similar so I can define a programmatic
>> policy wrapper more comprehensive than "I need a PIN to use it" "I need
>> two PINs to use it" "I need a smart card to use it" etc. I can do this
>> on a smart card, why is it so hard to do it on a big iron HSM?
>>
>> Mike
>>
>>
>>
>> _______________________________________________
>> ksk-rollover mailing list
>> ksk-rollover at icann.org
>> https://mm.icann.org/mailman/listinfo/ksk-rollover
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20141003/ed4837c3/attachment.html>
More information about the ksk-rollover
mailing list