[Cscwg-public] Consider PCI-HSM certification for Code signing HSMs

Richard Kisley kisley at us.ibm.com
Tue Jan 9 13:20:20 UTC 2024


Hi Dean,
Yes, and now I need to figure out how Outlook dropped the meeting.  I’m sure it is my fault somewhere…

Richard Kisley
____________________________________________________________________
Firmware & Security Architect,
IBM Senior Technical Staff Member, Master Inventor
Payment Card Industry Professional (PCIP)
IBM Cryptographic Technology Development          http://www.ibm.com/security/cryptocards/
kisley at us.ibm.com


From: Dean Coclin <dean.coclin at digicert.com>
Date: Monday, January 8, 2024 at 5:53 PM
To: Richard Kisley <kisley at us.ibm.com>, cscwg-public at cabforum.org <cscwg-public at cabforum.org>
Subject: [EXTERNAL] RE: Consider PCI-HSM certification for Code signing HSMs
Richard,
Should we add this to the agenda for this week’s call?

Thanks
Dean

Dean Coclin
Sr. Director Business Development
M 1.781.789.8686



From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Richard Kisley via Cscwg-public
Sent: Tuesday, January 2, 2024 5:31 PM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Consider PCI-HSM certification for Code signing HSMs

Hi,
Thank you for the opportunity to discuss this topic.  My apologies for not sending this sooner, EOY work (day job) and the holidays took over my time.

My AOB question on 12/14 was: ‘would the group consider adding PCI HSM as an acceptable certification for Code Signing workloads?’

Please find attached the PCI HSM v4 pdf from the PCI SSC documents page (https://www.pcisecuritystandards.org/document_library/, filter by ‘PTS’). Note that in this location you have also the ‘FAQs’, which “enhance” understanding of various topics.

My reasons for suggesting this:

  1.  PCI (PTS) HSM is a robust program for HSM evaluation in the payment security space.
  2.  The financial services world, while having some unique requirements (in particular for PKI), is in my opinion not so different for overall device validation.
  3.  FIPS 140-3 & FIPS 140-2 (now closed) CMVP programs have a long queue that is delaying products by well over a year.
  4.  CC, while valuable in many markets, is not universal.
  5.  Adding PCI-HSM closes the loop across the main HSM evaluation regimes.

Thanks,

Richard Kisley
____________________________________________________________________
Firmware & Security Architect,
IBM Senior Technical Staff Member, Master Inventor
Payment Card Industry Professional (PCIP)
IBM Cryptographic Technology Development          http://www.ibm.com/security/cryptocards/
kisley at us.ibm.com