[Cryptography] New free TLS CA coming

Peter Bowen pzbowen at gmail.com
Tue Nov 18 19:10:31 EST 2014


On Tue, Nov 18, 2014 at 3:47 PM, Hanno Böck <hanno at hboeck.de> wrote:
> Am Tue, 18 Nov 2014 15:35:21 -0800
> schrieb Peter Bowen <pzbowen at gmail.com>:
>
>> Can you suggest a HSM that has open source software?  It has to be
>> either FIPS 140 Level 3 certificated or certificated to meet EAL5 of a
>> Common Criteria Protection Profile.
>
> I made it a habit to trust people more that make their tech transparent
> and less if they present me some certification as an argument for
> security.
>
> This is probably a clash of worldviews, but past experiences don't give
> me the feeling these kinds of certifications have achieved much in
> terms of security.
>
> Is there any ruleset that requires such hw for CAs to be certified in a
> way that excludes open source? That'd be very strange indeed...

There is not a ruleset that says the hardware excludes Open Source, but
the Baseline Requirements say:

"The CA SHALL protect its Private Key in a system or device that has
been validated as meeting at least FIPS 140
level 3 or an appropriate Common Criteria Protection Profile or
Security Target, EAL 4 (or higher) which includes
requirements to protect the Private Key and other assets against known
threats" (from https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf)

I am unaware of any system or device that meets that requirement.  If
you know of one, I suspect a number of people would be very
interested.

Thanks,
Peter

