[ksk-change] FIPS-140 levels

[Tomofumi Okubo]

Hello Paul,

Thanks for your reply.

On Mon, Oct 6, 2014 at 7:38 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> On Oct 5, 2014, at 10:37 PM, Tomofumi Okubo <tomofumi.okubo at gmail.com> wrote:
>
> Yes, and none of those are of concern *in IANA's operating environment*, correct? If anyone has unauthorized physical access to the HSM, IANA will invalidate the key and use a new one, right?

Yes, that's right but that is if the other security controls
successfully detects the compromise.
The mechanism on the HSM will be the last line of defense if the other
security controls fail for some reason. This is why in the ICANN
definition, HSM is labelled as Tier 7.


> This is the crux of my point: if IANA has processes that are more stringent than those provided by Levels 2 through 4, then all you get from insisting on higher-than-Level-1 is restrictions on cryptography and restriction of choice of models.

I still think level 1 HSMs are not suitable for mission critical
operations like Root DNSSEC. I've never heard of a commercial CA or
banks that uses FIPS140 level 1 HSMs for their CA cert operation (not
EE).


>> This might sound weird but I'm not actually advocating for FIPS140
>> level 4 HSMs and I do like EC too.
>
> Those two do not make sense together in the current environment where we expect the CFRG to decide on new elliptic curve specifications in the coming months. No one would expect such cryptography to be available in a Level 4 HSM for many, many years. Look how little choice you have even for current ECDSA HSMs at Level 4.

I agree that we currently don't have much options and that is
definitely an issue.

I'm hoping that if the algorithms you mentioned are really going to be
the mainstream, it won't take multiple years for the HSM vendors to
incorporate them. As I mentioned on the list, we can always talk to
the HSM vendors if we come up with what we actually want.


Cheers!
Tomofumi