An open discussion list for topics related to the eduGAIN interfederation service.

[Alan Lewis <alan.lewis AT geant.org>]

Hello Shannon,

Thanks for your speedy response.
Comments and some further questions below.

Best regards

Alan

Alan Lewis
Trust and Identity Services Product Manager

GÉANT 
Direct Tel: +44 (0)1223 371409
Mobile: +44 (0) 7500 891616
Switchboard: +44 (0)1223 371300
Networks • Services • People 
Learn more at www.geant.org​
​
GÉANT Vereniging (Association) is registered with the Chamber of Commerce in 
Amsterdam with registration number 40535155 and operates in the UK as a 
branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR 
Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills 
Road, Cambridge CB2 1PQ, UK.

-----Original Message-----
From: edugain-discuss-request AT lists.geant.org 
<edugain-discuss-request AT lists.geant.org> On Behalf Of Shannon Roddy
Sent: 26 March 2019 21:26
To: edugain-discuss AT lists.geant.org
Subject: Re: [eduGAIN-discuss] HSM use cases



On 3/19/19 12:44 PM, Alan Lewis wrote:

>  5. Specific HSM requirements for
>      3. Management, connectivity and access mechanisms;

One thing to pay attention to is key management.

Ability to flag a key as non-exportable (if generated outside of the
HSM) or ability to generate a non-exportable key.  If the key is generated on 
the HSM, and is marked non-exportable, in most cases you are then locked into 
that particular HSM solution/vendor.  If the key is generated off-HSM and not 
able to be marked as non-exportable, one should come up with compensating 
controls to prevent export of the key.

>>That is a very good point. As well as being locked into the vendor there 
>>are other issues as well. The key is inextricably linked to so that if the 
>>HSM is disabled the key >>itself is destroyed and new keys must be 
>>provisioned. If the key is exportable (or as you say generated off the HSM) 
>>then a sufficient mature approach must be in place >>to backup and restore 
>>the keys. In my experience such key management is non-trivial.

Ability to do quorum operations becomes useful in the above case.  E.g.
multiple parties need to approve certain operations (e.g. key export, user 
management).
>>Agreed. Some mechanism to provide key fragmentation allowing quorum 
>>operations linked to specific access privileges would be very useful.

>>How important are the requirements above given the nature of the 
>>information being protected? Perhaps this wold be an 'essential' 
>>requirement for some use cases >>(such as to protect the trust fabric of 
>>eduGAIN), whereas for other services it might be a nice to have.  
>>Would such requirements be minimised if the HSM capability was delivered as 
>>a service from a secure central location rather than a variety of 
>>on-premise devices?



-Shannon

Attachment: smime.p7s
Description: S/MIME cryptographic signature