edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Alan Lewis <alan.lewis AT geant.org>
- To: Peter Schober <peter.schober AT univie.ac.at>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Subject: RE: [eduGAIN-discuss] HSM use cases
- Date: Thu, 28 Mar 2019 11:33:43 +0000
Hello Peter,
Thanks, I agree. I'll take a look at the process.
The process could include some technical elements that support it (e.g. key
separation to support quora operations, the external generation process
itself) that improve its robustness.
Best regards
Alan
Alan Lewis
Trust and Identity Services Product Manager
GÉANT
-----Original Message-----
From: edugain-discuss-request AT lists.geant.org
<edugain-discuss-request AT lists.geant.org> On Behalf Of Peter Schober
Sent: 28 March 2019 09:33
To: edugain-discuss AT lists.geant.org
Subject: Re: [eduGAIN-discuss] HSM use cases
* Alan Lewis <alan.lewis AT geant.org> [2019-03-28 10:21]:
> Yes I agree that generating the keys outside the HSM has benefits in
> terms of key backup and recovery. The key thing is that the process
> for doing this is itself secure. I don’t know what mechanisms the USB
> tokens have to do this, so it would be useful to take a look if you
> can point me at any examples.
I think the point he (and Shannon and myself) was making is that if you
generate key material outside the HSM, by definition the HSM can do nothing for
you to make this (more) secure, i.e., it's all in your own processes.
FWIW, here are Guy's notes for provisioning the Nitrokey "HSM" model:
https://safire.ac.za/wp-content/uploads/2017/02/NitrokeyHSMPrepNotes.pdf
-peter