edugain-discuss - Re: [eduGAIN-discuss] HSM use cases

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] HSM use cases


  • From: Guy Halse <guy AT tenet.ac.za>
  • To: Alan Lewis <alan.lewis AT geant.org>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] HSM use cases
  • Date: Thu, 28 Mar 2019 10:27:23 +0200
  • Organization: Tertiary Education & Research Network of South Africa NPC

Hi

Peter's covered a lot of the federation related stuff.

On 2019/03/19 18:44, Alan Lewis wrote:
> Specific HSM requirements for
> a. Management, connectivity and access mechanisms;

One thing that is (probably obviously) important is the ability to create secure backups for DR purposes.

In the USB smartcard world (where the HSMs are cheap), a useful feature is the ability to securely replicate the key to another HSM. A simple way of achieving this is to generate the key out of the HSM and then import it into multiple ones, with the proviso that they can then be marked non-exportable per Shannon Roddy's mail. But some of the USB versions have somewhat cleverer ways to do this. If the Cryptech price point ends up being in the same ballpark as the USB-based ones, then having those sorts of DR abilities would be useful.

On 2019/03/26 20:27, Peter Schober wrote:
> A few federations have deployed NetHSMs (I know about ~3), others may
> be using smartcard-based HSMs (maybe 3-6?), the large majority
> (eduGAIN currently has 60 member federations) probably still signing
> with software-based keys?
> I'm not aware we've asked federations to disclose this information yet.

FWIW we're one of the ones using a smartcard-based HSM, specifically the Nitrokey HSM.

>> b. Cryptographic algorithm support;
> Today pretty much only RSA with SHA2-based hashes is being used, AFAIK.
> I'll leave that to others.

There are a number of people keeping half an eye on ECC too, and certainly if I was deploying something new, I'd like to see support for common EC primes that are likely to become significant over the next ~10 years.

- Guy
--
Guy Halse
Director Trust & Identity Tertiary Education & Research Network of South Africa NPC Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592
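The two points Guy raises above, replicating a software-generated key into several cheap tokens for DR and signing with ECDSA rather than RSA/SHA-2, can be exercised end to end in software. The following Go program is an added example for this archive page, not code from Guy, TENET, Nitrokey or Cryptech. The "tokens" are plain in-process signers, the metadata blob is a constructed placeholder, and the assumption that a token's import tooling accepts PKCS#8 DER is a stand-in for whatever format a real HSM requires. What it shows: every imported replica produces a signature that verifies with the one original public key, and a P-256 signature is a fraction of the size of an RSA-2048 one.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SampleMetadata is a constructed stand-in for the federation metadata
// document a signing key would actually be used on.
var SampleMetadata = []byte(`<EntitiesDescriptor Name="urn:example:constructed"/>`)

// GenerateRSA creates a 2048-bit RSA key in software, i.e. "out of the HSM".
func GenerateRSA() (crypto.Signer, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// GenerateEC creates a P-256 key, one of the common EC curves mentioned above.
func GenerateEC() (crypto.Signer, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// ExportPKCS8 serializes the software key as PKCS#8 DER. Assumption: this is
// the form the token's import tooling accepts; check the HSM's own docs.
func ExportPKCS8(key crypto.Signer) ([]byte, error) {
	return x509.MarshalPKCS8PrivateKey(key)
}

// ImportPKCS8 parses a PKCS#8 blob into an independent signer. Calling it once
// per token models importing the same key into several cheap HSMs.
func ImportPKCS8(der []byte) (crypto.Signer, error) {
	k, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	s, ok := k.(crypto.Signer)
	if !ok {
		return nil, fmt.Errorf("unsupported key type %T", k)
	}
	return s, nil
}

// SignSHA256 signs the SHA-256 digest of msg: PKCS#1 v1.5 for RSA keys,
// ASN.1-encoded ECDSA for EC keys (what crypto.Signer does for crypto.SHA256).
func SignSHA256(s crypto.Signer, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return s.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifySHA256 verifies a signature from either key type against pub.
func VerifySHA256(pub crypto.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	switch p := pub.(type) {
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(p, crypto.SHA256, digest[:], sig) == nil
	case *ecdsa.PublicKey:
		return ecdsa.VerifyASN1(p, digest[:], sig)
	default:
		return false
	}
}

// ReplicateAndCheck runs the DR workflow: export the original key, import it
// into `copies` independent signers, have each sign msg, and verify every
// signature with the single public key. Returns how many replicas verified
// and the length of the last signature produced.
func ReplicateAndCheck(orig crypto.Signer, copies int, msg []byte) (int, int, error) {
	der, err := ExportPKCS8(orig)
	if err != nil {
		return 0, 0, err
	}
	verified, sigLen := 0, 0
	for i := 0; i < copies; i++ {
		replica, err := ImportPKCS8(der)
		if err != nil {
			return verified, sigLen, err
		}
		sig, err := SignSHA256(replica, msg)
		if err != nil {
			return verified, sigLen, err
		}
		sigLen = len(sig)
		if VerifySHA256(orig.Public(), msg, sig) {
			verified++
		}
	}
	return verified, sigLen, nil
}

func main() {
	gens := map[string]func() (crypto.Signer, error){"RSA-2048": GenerateRSA, "ECDSA-P256": GenerateEC}
	for name, gen := range gens {
		key, err := gen()
		if err != nil {
			panic(err)
		}
		ok, n, err := ReplicateAndCheck(key, 3, SampleMetadata)
		fmt.Printf("%-10s replicas verified: %d/3, signature bytes: %d, err: %v\n", name, ok, n, err)
	}
}
```

The non-exportable marking Guy mentions is not modelled here: once the PKCS#8 blob has been loaded into each real token, the blob itself is the thing to destroy (or lock in the DR vault), since any holder of it can mint a fresh replica.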




