edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Leif Johansson <leifj AT sunet.se>
- To: edugain-discuss AT lists.geant.org
- Subject: Re: [eduGAIN-discuss] HSM use cases
- Date: Thu, 28 Mar 2019 11:28:05 +0100
On 2019-03-28 11:19, Peter Schober wrote:
> * Leif Johansson <leifj AT sunet.se> [2019-03-28 11:11]:
>> It is still a *very* common model - generate on one HSM and use on
>> another. There are several reasons you want to do stuff like this
>> beyond simple "backup" patterns.
>
> If that exists I'm certainly all for it. It's not like I *want* to own
> the processes of secure key creation when the HSM could do it (and
> hopefully with a better RNG, at least with Cryptech).

Yeah but you might want to have > 1 HSM - one you lock into a safe
where you do key generation and one where you deploy the key for
production because that may allow you to switch between multiple
generations of HSM hardware without re-generating a long-term key.

>
> The "create-outside-HSM-then-import" method is simply my workaround
> because there is no portability of key material across HSMs (except
> the backup/restore between identical models or devices from the same
> vendor), AFAIK.
> If there's a way to do that even when changing platforms I'm in!
>

Yeah pkcs11 allows you to import keys. This is exactly what I do
for my process. I generate outside my Luna cluster and import via
a p11 client and then I lock the key so it can't be re-exported.
Some of my keys are higher trust than others... they might stay
in the environment where they were generated. YMMV

> -peter
>
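
An added example, not part of the original message or written by either poster: a small Python model of the PKCS#11 attribute rules behind "import, then lock so it can't be re-exported". It uses the standard private-key attributes CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_LOCAL, CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE; the function names and category labels are hypothetical, and no HSM is contacted.

```python
# Added example: models PKCS#11 private-key attribute rules; no token is used.
TOKEN_ONLY = {"CKA_LOCAL", "CKA_ALWAYS_SENSITIVE", "CKA_NEVER_EXTRACTABLE"}

def import_key(sensitive, extractable):
    """Key built from outside material (C_CreateObject / C_UnwrapKey)."""
    return {"CKA_SENSITIVE": sensitive, "CKA_EXTRACTABLE": extractable,
            "CKA_LOCAL": False,                # not generated on this token
            "CKA_ALWAYS_SENSITIVE": False,     # token cannot vouch for its past
            "CKA_NEVER_EXTRACTABLE": False}

def generate_key(sensitive, extractable):
    """Key generated on the token (C_GenerateKeyPair)."""
    return {"CKA_SENSITIVE": sensitive, "CKA_EXTRACTABLE": extractable,
            "CKA_LOCAL": True,
            "CKA_ALWAYS_SENSITIVE": sensitive,
            "CKA_NEVER_EXTRACTABLE": not extractable}

def set_attribute(attrs, name, value):
    """Model of C_SetAttributeValue: locking a key is a one-way operation."""
    if name in TOKEN_ONLY:
        raise PermissionError(name + " is maintained by the token only")
    if name == "CKA_EXTRACTABLE" and value and not attrs[name]:
        raise PermissionError("CKA_EXTRACTABLE cannot be set back to true")
    if name == "CKA_SENSITIVE" and not value and attrs[name]:
        raise PermissionError("CKA_SENSITIVE cannot be set back to false")
    attrs[name] = value

def classify(attrs):
    """Sort a key into one of three trust categories (labels are hypothetical)."""
    if attrs["CKA_EXTRACTABLE"] or not attrs["CKA_SENSITIVE"]:
        return "exportable"            # can still be wrapped out or read
    if (attrs["CKA_LOCAL"] and attrs["CKA_ALWAYS_SENSITIVE"]
            and attrs["CKA_NEVER_EXTRACTABLE"]):
        return "never-left-token"      # generated here and locked from the start
    return "locked-after-exposure"     # imported, or once extractable, now locked

if __name__ == "__main__":
    key = import_key(sensitive=True, extractable=True)   # constructed sample
    print("after import:", classify(key))
    set_attribute(key, "CKA_EXTRACTABLE", False)          # the "lock" step
    print("after lock:  ", classify(key))
    print("generated:   ", classify(generate_key(True, False)))
```

A locked imported key and a key generated in place both refuse export, but only the latter reports CKA_NEVER_EXTRACTABLE as true, which is how an auditor can tell the two apart on the token.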