<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:704713374;
mso-list-template-ids:-810775608;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:2078238963;
mso-list-template-ids:-280958866;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ES link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Correct Adriano. The ones I´ve listed in the other email are CC or/and FIPS certified and in the features some list the certification of the hardware and the software and not all are on the same level or only one of the two. But it´s true, that we´d need to clarify what kind of certification we´re looking for. We could stick to the point that the device, that is the hardware itself, is listed as CC or FIPS and show auditors the certificates. Or just the OS. If we´re going to the point to distinguish what part is certified and require it then it would be a problem if we have to differentiate from hardw and softw, which one is best, or remove some possible suppliers from the list, so I´d leave it as much open possible but clearly indicating what we require. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Adriano Santoni <adriano.santoni@staff.aruba.it> <br><b>Sent:</b> viernes, 26 de marzo de 2021 14:26<br><b>To:</b> Inigo Barreira <Inigo.Barreira@sectigo.com>; cscwg-public@cabforum.org<br><b>Subject:</b> Re: [Cscwg-public] Re FIPS tokens supporting RSA 3072<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p><span style='font-family:"Calibri",sans-serif'>Hi Inigo,</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>I also am aware of 4-5 suppliers of USB crypto tokens supporting RSA 3072, regardless of FIPS or CC. That is not the problem I raised.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>My concern is that §16.3, point 2, of the CSBR is ambiguous (to me) as to what is supposed to be "certified" (either FIPS or CC):</span><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-family:"Calibri",sans-serif'>A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+<s>, or equivalent</s>. <o:p></o:p></span></p></blockquote><p><span style='font-family:"Calibri",sans-serif'>This is likely my fault, but I am not clear what "unit design form factor" exactly means, and I would appreciate very much anybody pointing me to any FIPS or CC certification reports wherein this term is used. </span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>As far as I know, a "form factor" is the particular design, shape, assembly and wiring of a functionally self-contained electronic component, such as a PCB including microchip(s) and other auxiliary components.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>A crypto device is like an onion, being comprised of:</span><o:p></o:p></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><b><span style='font-family:"Calibri",sans-serif'>hardware platform</span></b><span style='font-family:"Calibri",sans-serif'> (a microcontroller, tipically including a crypto co-processor);</span><o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><b><span style='font-family:"Calibri",sans-serif'>card operating system</span></b><span style='font-family:"Calibri",sans-serif'> (COS), which can either be either mono- or multi-application (e.g. Javacard); </span><o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><span style='font-family:"Calibri",sans-serif'>where applicable, an <b>applet</b>. If the COS is multi-application, a suitable PKI application (mostly referred to as "applet") must be installed into the chip at the production plant, for the device to be usable. A multi-app COS, such as the Javacard platform, does not expose by itself any crypto and key management functionalities in a way that's usable by the host: a suitable Java applet is needed, supporting specific commands (APDUs), a specific file system, specific PKCS11/CSP object attributes, enforcing a specific set of security principles, etc.</span><o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><span style='font-family:"Calibri",sans-serif'>a case with I/O and power supply contacts</span><o:p></o:p></li></ul><p><span style='font-family:"Calibri",sans-serif'>Where the device is Javacard based, the security of the whole device critically depends on the design of the PKI applet, that's why Javacard-based devices designed for specific usages (e..g. digital signatures) always require this applet to be certified as well (not just the COS). Would we be happy to use a Javacard-based device running an applet that nobody has ever verified to be actually secure? Of course we may, if that's what the WG believes to be the way to go.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>But what does it mean for the "hardware crypto module" to be either FIPS or CC certified ? Does it mean that at least the hardware platform (the microchip) must be certified? In this case we have plenty microchips on the market meeting this requirement. Does it mean that the COS must (also) be certified? In this case we have a lesser number of suitable choices, but still comfortable. Or, does it mean that the applet must (also) be certified? In this case, we have a very small choice, to date.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>My understanding from the last CSWG call, is that some of the WG members believe it to be sufficient that the COS be certified (or even just the HW?). IMO, this is not clear from the current CSBR language. I would suggest to drop the "unit design form factor" term, and specify instead that the hardware crypto module must be based on a FIPS or CC certified COS (if this is the desired interpretation). Let me clarify that I would not object to this choice, if the WG believes is the right one. </span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>I am not trying to play the "purist", just trying to raise attention and get explanations on some aspects that are not clear to me at this time.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>How about adding to the CSBR the definitions of these two terms in section 4 ?</span><o:p></o:p></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'>hardware crypto module<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'><span style='font-family:"Calibri",sans-serif'>unit design form factor</span><o:p></o:p></li></ul><p class=MsoNormal><span style='font-family:"Calibri",sans-serif'>Adriano</span> <o:p></o:p></p><p><o:p> </o:p></p><div><p class=MsoNormal>Il 26/03/2021 12:37, Inigo Barreira ha scritto:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Hi Adriano,</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Sorry for jumping late here but I´m restarting with the CABF issues and am still in the process </span><span lang=EN-US style='font-size:11.0pt;font-family:Wingdings;color:#1F497D;mso-fareast-language:EN-US'>L</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Regarding your question, we can differentiate between those USB&smartcards and the HSMs. So, for the first, we´ve found some others, but it´s true that there are not many but we´re aware of 3-4 additional providers. In the HSM space, I see no problems.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'>Regards</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US'> </span><o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Cscwg-public <a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of </b>Adriano Santoni via Cscwg-public<br><b>Sent:</b> miércoles, 17 de marzo de 2021 16:08<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [Cscwg-public] Re FIPS tokens supporting RSA 3072</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></p></div><p class=MsoNormal> <o:p></o:p></p><div><p><span style='font-family:"Calibri",sans-serif'>I already posted this question yesterday, but apparently it did not get through.</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>I was asking: is the SafeNet eToken 5110 CC the only FIPS token supporting RSA 3072 available on the market?</span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>I am investigating this matter myself, and although I am not finished it seems there aren't many... possibly just one. </span><o:p></o:p></p><p><span style='font-family:"Calibri",sans-serif'>If so, it would be a rather unfortunate situation competition-wise.</span><o:p></o:p></p><p>Adriano<o:p></o:p></p><p> <o:p></o:p></p></div></div></blockquote></div></div></body></html>