[Cryptography] New free TLS CA coming

Peter Bowen pzbowen at gmail.com
Wed Nov 19 13:21:07 EST 2014


On Tue, Nov 18, 2014 at 4:10 PM, Peter Bowen <pzbowen at gmail.com> wrote:
> On Tue, Nov 18, 2014 at 3:47 PM, Hanno Böck <hanno at hboeck.de> wrote:
>> On Tue, 18 Nov 2014 15:35:21 -0800,
>> Peter Bowen <pzbowen at gmail.com> wrote:
>>
>>> Can you suggest a HSM that has open source software?  It has to be
>>> either FIPS 140 Level 3 certificated or certificated to meet EAL5 of a
>>> Common Criteria Protection Profile.
>>
>> I made it a habit to trust people more that make their tech transparent
>> and less if they present me some certification as an argument for
>> security.
>>
>> This is probably a clash of worldviews, but past experiences don't give
>> me the feeling these kinds of certifications have achieved much in
>> terms of security.
>>
>> Is there any ruleset that requires such hw for CAs to be certified in a
>> way that excludes open source? That'd be very strange indeed...
>
> There is not a ruleset that the hardware excludes Open Source, but the
> Baseline Requirements say:
>
> "The CA SHALL protect its Private Key in a system or device that has
> been validated as meeting at least FIPS 140 level 3 or an appropriate
> Common Criteria Protection Profile or Security Target, EAL 4 (or
> higher) which includes requirements to protect the Private Key and
> other assets against known threats"
> (from https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf)
>
> I am unaware of any system or device that meets that requirement.  If
> you know of one, I suspect a number of people would be very
> interested.

This should have been "any open source system or device".  Every
public CA is required to meet these requirements, so this is not a
unique problem for Let's Encrypt.  I don't think any public CA can
both meet the requirements to be a public CA and be 100% open source.

Thanks,
Peter

