[dns-operations] HSM recommendations

George Michaelson ggm at algebras.org
Thu Sep 7 23:35:36 UTC 2017


Others may have said, will say this better, but a long-term issue to
keep aware of is that most HSMs I've interacted with offer 'not beyond
the grandparent' rules: you can move tokens, devices across the
generation but only within the child-parent-grandparent space or maybe
even less.

Old keystore hardware doesn't fit in new keystore slots, but it's not
just electromechanical. I can't decide if this is a sell thing, or a
risk thing.

If you spec, buy and operate a LUNA a certain way, you never get key
export to another family of HSM. It's factory set, so you have to say
in advance you want the key wrap/export feature. Wipe mandatory.

-G

On Thu, Sep 7, 2017 at 11:32 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>
> On Sep 5, 2017, at 4:25 PM, Brett <brettcarr at gmail.com> wrote:
>
> It's been a long time since I looked at HSMs (my previous experience
> is with Sun (PCI) and Thales (Network)), but this was all a few years
> ago now. What is popular these days, and is there any that anyone would
> particularly avoid or recommend?
>
> I wouldn't say it's popular, but keeps the TLD I work for happy:
> https://www.kryptus.com/en-home
>
> Rubens
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
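As an added example (not from George's message, the list, or any vendor's code), the following Go program shows mechanically what "key wrap/export" means and why it has to be decided when the key is generated. It implements RFC 3394 AES key wrap and unwrap, checked against the RFC's published 128-bit test vector, which stands in as constructed sample key material. The KeyObject type, NewKeyObject, SetExtractable and WrapKey are this example's own simulation of a token; they model the real PKCS#11 attributes CKA_EXTRACTABLE (may only go from true to false) and CKA_NEVER_EXTRACTABLE (set by the token at generation, read-only afterwards), but they are not a real PKCS#11 or Luna API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Default IV from RFC 3394 section 2.2.3.1; it doubles as the integrity check on unwrap.
var rfc3394IV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// KeyObject is a simulated token object carrying the two PKCS#11 attributes that
// decide whether the key can ever leave the HSM under wrap (assumption: a toy model).
type KeyObject struct {
	Label            string
	Material         []byte // private key bytes held inside the simulated token
	Extractable      bool   // CKA_EXTRACTABLE
	NeverExtractable bool   // CKA_NEVER_EXTRACTABLE, derived by the token at generation
}

// NewKeyObject mimics key generation: CKA_NEVER_EXTRACTABLE is fixed from the template.
func NewKeyObject(label string, material []byte, extractable bool) *KeyObject {
	return &KeyObject{Label: label, Material: material, Extractable: extractable, NeverExtractable: !extractable}
}

// SetExtractable applies the PKCS#11 rule: true -> false is allowed, false -> true is not.
func (k *KeyObject) SetExtractable(v bool) error {
	if v && !k.Extractable {
		return errors.New("CKA_EXTRACTABLE cannot be turned back on (CKR_ATTRIBUTE_READ_ONLY)")
	}
	k.Extractable = v
	return nil
}

// Wrap implements RFC 3394 AES key wrap (section 2.2.1) with the default IV.
func Wrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext)%8 != 0 || len(plaintext) < 16 {
		return nil, errors.New("plaintext must be a multiple of 8 bytes and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := rfc3394IV
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], plaintext[i*8:(i+1)*8])
	}
	var b [16]byte
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a[:]) // B = AES(K, A | R[i])
			copy(b[8:], r[i][:])
			block.Encrypt(b[:], b[:])
			t := uint64(n*j + i + 1) // RFC counter t = n*j + i with 1-based i
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(b[:8])^t)
			copy(r[i][:], b[8:])
		}
	}
	out := append([]byte{}, a[:]...)
	for i := 0; i < n; i++ {
		out = append(out, r[i][:]...)
	}
	return out, nil
}

// Unwrap inverts Wrap (RFC 3394 section 2.2.2) and rejects a wrong KEK via the IV check.
func Unwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext)%8 != 0 || len(ciphertext) < 24 {
		return nil, errors.New("ciphertext must be a multiple of 8 bytes and at least 24 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	var a [8]byte
	copy(a[:], ciphertext[:8])
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], ciphertext[(i+1)*8:(i+2)*8])
	}
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a[:])^t) // (A ^ t) | R[i]
			copy(b[8:], r[i][:])
			block.Decrypt(b[:], b[:])
			copy(a[:], b[:8])
			copy(r[i][:], b[8:])
		}
	}
	if a != rfc3394IV {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted wrapped key")
	}
	out := make([]byte, 0, 8*n)
	for i := 0; i < n; i++ {
		out = append(out, r[i][:]...)
	}
	return out, nil
}

// WrapKey is the simulated C_WrapKey: a non-extractable key is refused outright.
func WrapKey(kek []byte, k *KeyObject) ([]byte, error) {
	if !k.Extractable {
		return nil, fmt.Errorf("%s: CKA_EXTRACTABLE is false (CKR_KEY_UNEXTRACTABLE)", k.Label)
	}
	return Wrap(kek, k.Material)
}

func main() {
	// Constructed inputs: the RFC 3394 section 4.1 test vector stands in for key material.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	material, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")

	exportable := NewKeyObject("ksk-exportable", material, true)
	wrapped, err := WrapKey(kek, exportable)
	fmt.Printf("wrapped=%x err=%v\n", wrapped, err)
	plain, err := Unwrap(kek, wrapped)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, material))

	locked := NewKeyObject("ksk-locked", material, false) // generated without the export feature
	_, err = WrapKey(kek, locked)
	fmt.Println("locked key export:", err)
	fmt.Println("flip back to extractable:", locked.SetExtractable(true))
}
```

The wrapped output for the constructed vector is 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5, as published in RFC 3394; the locked key can be generated with the same bytes but never wrapped afterwards, which is the "say in advance" caveat in plain code.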
