[dns-operations] OpenHardware FPGA-based HSM SCA6000 with OpenSSL?

Robert Kisteleki robert at ripe.net
Mon Oct 15 18:10:48 UTC 2012

On 2012.10.15. 19:09, Miek Gieben wrote:
> [ Quoting <gall at switch.ch> in "Re: [dns-operations] OpenHardware F..."
> ]
>> On Mon, 15 Oct 2012 09:13:45 -0700, Paul Hoffman
>> <paul.hoffman at vpnc.org> said:
>>> On Oct 15, 2012, at 7:39 AM, Alexander Gall <gall at switch.ch>
>>> wrote:
>>>> A hardware HSM allows you to detect when your keys get stolen 
>>>> (provided the hardware does not implement extraction of the keys,
>>>> of course).  In our case, this is the *only* reason we use a HSM
>>>> at all.
>>> A properly-designed software-based HSM in a tamper-evident box
>>> would have the same property.
>> Of course.  I'm not sure if that was what Miek implied in his 
>> question, though.  If it was, my point is obviously moot.
> Well, I'm not sure :) I was thinking that making your own hardware
> might be a step to far and was interested in the reasons for doing so.
> Hence my question.
> Making a tamper-evident box with SoftHSM is (I think) much easier to
> do, more scalable and done quicker.

Right. I think that one question has not been asked so far: why? What's
the real benefit that you'd get out of this?

Also consider (and try to estimate the cost of) the effort you'd need to
put in to make this "right", whatever that means.


More information about the dns-operations mailing list