
edugain-discuss - RE: [eduGAIN-discuss] HSM use cases

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Alan Lewis <alan.lewis AT geant.org>
  • To: Guy Halse <guy AT tenet.ac.za>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: RE: [eduGAIN-discuss] HSM use cases
  • Date: Thu, 28 Mar 2019 09:20:40 +0000
  • Accept-language: en-GB, en-US
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=alan.lewis AT geant.org;

Hello Guy,


Thanks for the feedback.

Some comments below.


Best regards


Alan


Alan Lewis

Trust and Identity Services Product Manager


GÉANT
Direct Tel: +44 (0)1223 371409

Mobile: +44 (0) 7500 891616

Switchboard: +44 (0)1223 371300

Networks • Services • People

Learn more at www.geant.org

GÉANT Vereniging (Association) is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 and operates in the UK as a branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.


From: Guy Halse <guy AT tenet.ac.za>
Sent: 28 March 2019 08:27
To: Alan Lewis <alan.lewis AT geant.org>; edugain-discuss AT lists.geant.org
Subject: Re: [eduGAIN-discuss] HSM use cases


Hi

Peter's covered a lot of the federation-related stuff.

On 2019/03/19 18:44, Alan Lewis wrote:

Specific HSM requirements for

    1. Management, connectivity and access mechanisms;

    One thing that is (probably obviously) important is the ability to create secure backups for DR purposes.

    In the USB smartcard world (where the HSMs are cheap), a useful feature is the ability to securely replicate the key to another HSM. A simple way of achieving this is to generate the key out of the HSM and then import it into multiple ones, with the proviso that they can then be marked non-exportable per Shannon Roddy's mail. But some of the USB versions have somewhat cleverer ways to do this. If the Cryptech price point ends up being in the same ballpark as the USB-based ones, then having those sorts of DR abilities would be useful.

    >> Yes I agree that generating the keys outside the HSM has benefits in terms of key backup and recovery. The key thing is that the process for doing this is itself secure. I don't know what mechanisms the USB tokens have to do this, so it would be useful to take a look if you can point me at any examples. I take your point that given this feature could be available on the Cryptech device at a similar price point to the USB token it could be attractive.



    On 2019/03/26 20:27, Peter Schober wrote:

    A few federations have deployed NetHSMs (I know about ~3), others may
    be using smartcard-based HSMs (maybe 3-6?), the large majority
    (eduGAIN currently has 60 member federations) probably still signing
    with software-based keys?
    I'm not aware we've asked federations to disclose this information yet.

    FWIW we're one of the ones using a smartcard-based HSM, specifically the Nitrokey HSM.

    >> Right. I'll take a look at this device. I'm not familiar with its capabilities.




    b. Cryptographic algorithm support;
    Today pretty much only RSA with SHA2 based hashes is being used, AFAIK.
    I'll leave that to others.

    There are a number of people keeping half an eye on ECC too, and certainly if I was deploying something new, I'd like to see support for common EC primes that are likely to become significant over the next ~ 10 years.

    >> Noted. That would be my thought also. ECC is already widely used in other markets and I would expect it to be important within the community also.



    - Guy

    --

    Guy Halse
    Director Trust & Identity

    Tertiary Education & Research Network of South Africa NPC

    Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
    Office: +27(21)763-7102
    http://www.tenet.ac.za/contact
    ORCID iD: https://orcid.org/0000-0002-9388-8592




