<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Why we have HSMs likely comes down to ‘its the way the NSA did it’. <div class=""><br class=""></div><div class="">I am certain we want to have them and can come up with a number of reasons to justify the rather modest cost compared to everything else we do to run a CA. But we should probably understand the reasons in more detail.<br class=""><div class=""><br class=""></div><div class="">One reason that I think we should look into it is that some recently expired and soon to expire patents and the move the ECDH offer some new and very interesting capabilities that provide additional controls.</div><div class=""><br class=""></div><div class=""><a href="http://hallambaker.com/Professional/Architecture/Cryptography/" class="">http://hallambaker.com/Professional/Architecture/Cryptography/</a></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 25, 2017, at 1:30 PM, Peter Bowen via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">This week we had a discussion on future signature algorithms, one of the items raised is that we don’t have HSMs that support many of the algorithms and that even if we do, they are not included in FIPS 140-2.<br class=""><br class="">I wanted to take a step back and ask kind of a stupid question: why do we require HSMs? Do we have a threat model that was used as input to the decision to require HSMs?<br class=""><br class="">I’m asking because it seems important to understand how we got to this point before we consider what items we can drop or alter as we look to revise the requirements to support new algorithms.<br class=""><br class="">Thanks,<br class="">Peter<br class=""><br class="">_______________________________________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">https://cabforum.org/mailman/listinfo/public<br class=""></div></div></blockquote></div><br class=""></div></div></body></html>