[cabfpub] Why HSMs?

Geoff Keating geoffk at apple.com
Sun Mar 26 03:36:42 UTC 2017


> On 25 Mar 2017, at 10:30 am, Peter Bowen via Public <public at cabforum.org> wrote:
> 
> This week we had a discussion on future signature algorithms; one of the items raised is that we don’t have HSMs that support many of the algorithms and that even if we do, they are not included in FIPS 140-2.
> 
> I wanted to take a step back and ask kind of a stupid question: why do we require HSMs?  Do we have a threat model that was used as input to the decision to require HSMs?
> 
> I’m asking because it seems important to understand how we got to this point before we consider what items we can drop or alter as we look to revise the requirements to support new algorithms.

The canonical reason to require a HSM is so that the key cannot be extracted, and therefore even in the event of a compromise, the damage is limited to any signing operations performed in a particular time period.  (Of course it helps a lot if the compromise is not so extensive that you can’t trust the logs and so know what signing operations were actually performed.  You really win if you discover no signing operations were performed!)

