[dns-operations] HSM recommendations

Warren Kumari warren at kumari.net
Wed Sep 6 14:21:55 UTC 2017


On Wed, Sep 6, 2017 at 2:27 AM, Barry O'Donovan
<barry+dnsops at islandbridgenetworks.ie> wrote:
> This looks like an interesting project but I cannot recommend or advise
> avoidance:
>
> https://cryptech.is/
> https://ripe69.ripe.net/presentations/136-141106.ripe-cryptech.pdf
>
> I'd be interested in anyone's experience / thoughts on this.
>
>

I've been somewhat involved in this project for a while, and have one
of the "CrypTech Open Hardware Security Module (Alpha Board)"
https://www.crowdsupply.com/cryptech/open-hardware-security-module --
it is very cool.

This isn't (really) intended to be a fully implemented product which
you can buy and deploy - rather it is a reference implementation so
that someone can take this and implement their own HSM.
Currently there are a fairly small number of commercial HSM vendors --
do you trust them? If so, *why* do you trust them? In light of things
like Dual_EC_DRBG, Crypto AG machines (etc), do you still completely
trust them?

The cryptech project is very much designed to be open (so that you can
build your own / verify what was built), and to not rely on crypto
magic provided by others. You might not need this level of tinfoil /
your threat model might differ, but it's a fascinating project; I
encourage people to look into it and get involved.

W

> Also the new emergence of cloud based services:
> https://aws.amazon.com/cloudhsm/
>
>  - Barry
>
>
>> Bill Woodcock wrote:
>>>> On Sep 5, 2017, at 12:25 PM, Brett <brettcarr at gmail.com> wrote:
>>>>
>>>> It's been a long time since I looked at HSMs (my previous
>>>> experience is with Sun (PCI) and Thales (Network)), but this was
>>>> all a few years ago now. What is popular these days, and are there
>>>> any that anyone would particularly avoid or recommend?
>>> We have a fleet of AEP Keypers, which we’ve been extraordinarily
>>> happy with.  They’ve worked exactly as advertised, without any
>>> hiccups, and AEP’s support has been outstanding, when we’ve wanted
>>> to do things outside-of-the-ordinary.  I think we’re signing ~100
>>> TLDs with them, been using them for about six years, just finished
>>> a rotation out for their routine-service and battery replacement,
>>> all of which went smoothly.
>>>
>>> -Bill
>>>
>>> _______________________________________________ dns-operations
>>> mailing list dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf