[Cscwg-public] [EXTERNAL] Re: Re FIPS tokens supporting RSA 3072
Tomas Gustavsson
tomas.gustavsson at primekey.com
Thu Mar 18 06:51:39 UTC 2021
Related to certification...
The NitroKey supports RSA 1024-4096:
https://shop.nitrokey.com/shop/product/nk-hsm-2-nitrokey-hsm-2-7
The complete device is not FIPS or CC certified, but the hardware and
operating system are:
https://www.nitrokey.com/documentation/frequently-asked-questions-faq#is-nitrokey-common-criteria-or-fips-certified
Cheers,
Tomas
On 2021-03-17 21:42, Ian McMillan via Cscwg-public wrote:
> Hi Folks,
>
> This key size effective date has already been delayed by 6 months. I am
> not keen on further delaying the requirement of 3072 keys for RSA due to
> a lack of tokens that support the requirement in the CSBRs. As Bruce
> calls out, there are other means to which subscribers can secure their
> private keys to meet the requirements outside of a token provided by a
> CA. If this change in key size is what pushes subscribers to use HSMs
> (on-prem or cloud based services) or signing services, it may serve as
> the call to action for token suppliers on a requirement they have
> frankly seemed to have overlooked for some time now.
>
> I’ll be interested to discuss how much additional time the group feels
> is needed here, and how best we can help accelerate the transition.
>
> Thanks,
>
> Ian
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of
> *Adriano Santoni via Cscwg-public
> *Sent:* Wednesday, March 17, 2021 9:31 AM
> *To:* Bruce Morton <Bruce.Morton at entrust.com>
> *Cc:* cscwg-public at cabforum.org
> *Subject:* Re: [Cscwg-public] [EXTERNAL] Re: Re FIPS tokens supporting
> RSA 3072
>
> Hi Bruce,
>
> I certainly agree that - if the said token is the only device available
> on the market meeting the said requirement, as it seems to be the case
> - we should promptly revise the effective date (June 1st, just three
> months from now) of the transition to 3072 bits being mandatory for RSA
> keys.
>
> If nothing else, because it would be a really bad thing to impose a
> requirement that involves sourcing devices from a single possible
> supplier, thereby favouring a monopoly. I hope everyone agrees on this
> principle.
>
> Adriano
>
> On 17/03/2021 16:45, Bruce Morton wrote:
>
> Hi Adriano,
>
> We should discuss this issue at the next meeting. I do think that
> there are options to using the SafeNet token, but that might include
> subscriber hosted HSM, public-cloud HSM or Signing Service HSM.
>
> I think we all understand that the options might be hard to
> implement before 1 June 2021 deadline.
>
> Bruce.
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org>
> *On Behalf Of *Adriano Santoni via Cscwg-public
> *Sent:* Wednesday, March 17, 2021 11:18 AM
> *To:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] Re: [Cscwg-public] Re FIPS tokens supporting
> RSA 3072
>
> I should have written "the only CC token", as the FIPS version of
> the said token does not support RSA > 2048 bit....
>
> But my question remains (after replacing "FIPS" with "CC").
>
> Adriano
>
> On 17/03/2021 16:08, Adriano Santoni via Cscwg-public wrote:
>
> I already posted this question yesterday, but apparently it did
> not get through.
>
> I was asking: is the SafeNet eToken 5110 CC the only FIPS token
> supporting RSA 3072 available on the market?
>
> I am investigating this matter myself, and although I am not
> finished it seems there aren't many... possibly just one.
>
> If so, it would be a rather unfortunate situation competition-wise.
>
> Adriano
>
>
>
>
> _______________________________________________
>
> Cscwg-public mailing list
>
> Cscwg-public at cabforum.org
>
> https://lists.cabforum.org/mailman/listinfo/cscwg-public