[ksk-change] FIPS-140 levels

Paul Hoffman paul.hoffman at vpnc.org
Sat Oct 4 00:43:32 UTC 2014

On Oct 2, 2014, at 10:42 AM, Bolivar, Al <abolivar at verisign.com> wrote:

> I would like to add that I support the addition of another vendor.
> Tomofumi and I spoke to another vendor about introducing a competing FIPS
> 140-2 level 4 HSM. In my opinion having other choices will be positive.

As I understand it, the requirement for the FIPS 140-2 level 4 certification for HSMs in the current setup came from the US government. Under the assumption that the US government will not be putting requirements on future changes to the DNSSEC root keying, this is a good time to look at what the community wants.

The current setup has the HSM wrapped in a tamper-evident bag, in a safe, between uses, and that the uses are all viewed by lots of people and recorded on cameras. Given that, I see no advantages to FIPS-140 levels above 1. By using these processes, the DNS root key community has our own tamper evidence, our own tamper resistance, and our own access control mechanisms.

There are serious disadvantages to requiring level 4 (or even level 2 or 3) for HSMs: there are fewer vendors, and fewer models from vendors. This is going to bite us hard if we decide to start using signature algorithms other than RSA, such as elliptic curves (which are tremendously safer to use than RSA for the levels of assurance we want for the DNS root).

Even if there are vendors who have FIPS-140 level 4 HSMs for ECDSA using P256, the IETF is probably going to standardize different curve forms with different parameters in the next six months. These will come out of the TLS WG first, but the signature algorithms will probably be everywhere within a year. There will be lots of publicity for the advantages of these curves over RSA and over P256. If the DNSSEC root stays with less-safe RSA, or switches to EC P256 which has already been shown to have operational problems, because of the requirement to wait for FIPS-140 level 4 HSMs, we could lose a fair amount of the credibility that we have garnered so far.

If folks here can show that FIPS-140 level 2, 3, or 4 are valuable *in our already-existing usage environment* (our own tamper evidence, our own tamper resistance, our own administration controls), I'm all ears. If no one can, we should start talking about FIPS-140 level 1 or better for future HSMs as a way to give us more choices of vendors, models, and particularly signing algorithms.

--Paul Hoffman

More information about the ksk-rollover mailing list