[Cscwg-public] [EXTERNAL] Re: Re FIPS tokens supporting RSA 3072

Tomas Gustavsson tomas.gustavsson at primekey.com
Thu Mar 18 06:51:39 UTC 2021


Related to certification...

The NitroKey supports RSA 1024-4096:
https://shop.nitrokey.com/shop/product/nk-hsm-2-nitrokey-hsm-2-7

The complete device is not FIPS or CC certified, but the hardware and 
operating system are:
https://www.nitrokey.com/documentation/frequently-asked-questions-faq#is-nitrokey-common-criteria-or-fips-certified

Cheers,
Tomas

On 2021-03-17 21:42, Ian McMillan via Cscwg-public wrote:
> Hi Folks,
> 
> This key size effective date has already been delayed by 6 months. I am 
> not keen on further delaying the requirement of 3072 keys for RSA due to 
> a lack of tokens that support the requirement in the CSBRs. As Bruce 
> calls out, there are other means by which subscribers can secure their 
> private keys to meet the requirements outside of a token provided by a 
> CA. If this change in key size is what pushes subscribers to use HSMs 
> (on-prem or cloud-based services) or signing services, it may serve as 
> the call to action for token suppliers on a requirement they frankly 
> seem to have overlooked for some time now.
> 
> I’ll be interested to discuss how much additional time the group feels 
> is needed here, and how best we can help accelerate the transition.
> 
> Thanks,
> 
> Ian
> 
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of 
> *Adriano Santoni via Cscwg-public
> *Sent:* Wednesday, March 17, 2021 9:31 AM
> *To:* Bruce Morton <Bruce.Morton at entrust.com>
> *Cc:* cscwg-public at cabforum.org
> *Subject:* Re: [Cscwg-public] [EXTERNAL] Re: Re FIPS tokens supporting 
> RSA 3072
> 
> Hi Bruce,
> 
> I certainly agree that, if the said token is the only device available 
> on the market meeting the said requirement, as seems to be the case, 
> we should promptly revise the effective date (June 1st, just three 
> months from now) of the transition to 3072 bits being mandatory for RSA 
> keys.
> 
> If nothing else, because it would be a really bad thing to impose a 
> requirement that involves sourcing devices from a single possible 
> supplier, thereby favouring a monopoly. I hope everyone agrees on this 
> principle.
> 
> Adriano
> 
> On 17/03/2021 16:45, Bruce Morton wrote:
> 
>     Hi Adriano,
> 
>     We should discuss this issue at the next meeting. I do think that
>     there are options to using the SafeNet token, but that might include
>     subscriber hosted HSM, public-cloud HSM or Signing Service HSM.
> 
>     I think we all understand that the options might be hard to
>     implement before the 1 June 2021 deadline.
> 
>     Bruce.
> 
>     *From:* Cscwg-public <cscwg-public-bounces at cabforum.org>
>     *On Behalf Of* Adriano Santoni via Cscwg-public
>     *Sent:* Wednesday, March 17, 2021 11:18 AM
>     *To:* cscwg-public at cabforum.org
>     *Subject:* [EXTERNAL] Re: [Cscwg-public] Re FIPS tokens supporting
>     RSA 3072
> 
>     I should have written "the only CC token", as the FIPS version of
>     the said token does not support RSA > 2048 bit....
> 
>     But my question remains (after replacing "FIPS" with "CC").
> 
>     Adriano
> 
>     On 17/03/2021 16:08, Adriano Santoni via Cscwg-public wrote:
> 
>         I already posted this question yesterday, but apparently it did
>         not get through.
> 
>         I was asking: is the SafeNet eToken 5110 CC the only FIPS token
>         supporting RSA 3072 available on the market?
> 
>         I am investigating this matter myself, and although I am not
>         finished it seems there aren't many... possibly just one.
> 
>         If so, it would be a rather unfortunate situation competition-wise.
> 
>         Adriano
> 
>         _______________________________________________
>         Cscwg-public mailing list
>         Cscwg-public at cabforum.org
>         https://lists.cabforum.org/mailman/listinfo/cscwg-public