[dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?

Luis Diego Espinoza S. lespinoz at nic.cr
Mon Oct 15 18:33:20 UTC 2012


Being a trustee is key to using an HSM or hardware encryption. And because we are running critical Internet infrastructure, I think that should be the way: be a trustee.

We are using a TPM (mentioned by Richard Lamb), a very low-cost hardware encryption implementation.

Count with me in the initiative too.

Luis


On Oct 15, 2012, at 12:36 PM, Alexander Gall <gall at switch.ch> wrote:

> On Mon, 15 Oct 2012 05:55:16 -1000, Randy Bush <randy at psg.com> said:
> 
>>> A hardware HSM allows you to detect when your keys get stolen
>>> (provided the hardware does not implement extraction of the keys, of
>>> course).  In our case, this is the *only* reason we use a HSM at all.
> 
>> i keep wondering about the use of hsms in dnssec and rpki signing.  i
>> suspect that the threat model is not well thought out.
> 
> Probably.  We don't use a HSM for our non-TLD DNSSEC-enabled zones.
> For our TLD, we see this single benefit (which we wouldn't lose sleep
> over if we didn't have it and, apparently, may no longer be entirely
> true according to another message in this thread) and the rest is
> basically security theatre (it sounds professional and convinces our
> regulator that we're top notch etc.).  We don't use the HSM to
> generate keys and we have an encrypted online copy of all keys so we
> can switch off the HSM at any time on our signing system.
> 
> I wonder what other operators' reasons for using a HSM with DNSSEC are
> (security-relevant, not performance-relevant).
> 
> -- 
> Alex


Luis D. Espinoza
CTO - NIC Costa Rica



