[dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?

Luis Diego Espinoza S. lespinoz at nic.cr
Mon Oct 15 18:58:07 UTC 2012


Using a risk matrix, an HSM responds to the mitigation of a low-likelihood and low-impact threat, so the investment in this mitigation should not be high or a priority.
That is one of the main reasons we decided to find an alternative solution to the HSM products on the market, but we decided to invest (time and resources) because of business motivation and not because of the threat.  So, yes, it is security theatre.

So, in our case, the implementation of a kind of HSM responds to a mid-term positioning strategy and to acquiring experience and knowledge in a technology that could be useful in a scenario where other services can come alive (i.e. DANE), and we must be accredited or certified to provide those services in a professional way.

Luis


On Oct 15, 2012, at 2:37 PM, Randy Bush <randy at psg.com> wrote:

>> Be trustee is a key to use HSM or hardware encryption. And because we
>> are running a critical Internet infrastructure, I think should be the
>> way, be trustee.
> 
> that's called security theater.  what is the threat model?  what is the
> asset you are protecting against what attack by what adversary?
> 
> [ if the cost of the hsm is zero, it adds complexity and hence is a
>  security problem not a security solution ]
> 
> randy

-- 
Luis D. Espinoza
Head of IT - NIC Costa Rica


