[Cryptography] New free TLS CA coming

Peter Bowen pzbowen at gmail.com
Wed Nov 19 13:21:07 EST 2014

On Tue, Nov 18, 2014 at 4:10 PM, Peter Bowen <pzbowen at gmail.com> wrote:
> On Tue, Nov 18, 2014 at 3:47 PM, Hanno Böck <hanno at hboeck.de> wrote:
>> Am Tue, 18 Nov 2014 15:35:21 -0800
>> schrieb Peter Bowen <pzbowen at gmail.com>:
>>> Can you suggest a HSM that has open source software?  It has to be
>>> either FIPS 140 Level 3 certificated or certificated to meet EAL5 of a
>>> Common Criteria Protection Profile.
>> I made it a habit to trust people more that make their tech transparent
>> and less if they present me some certification as an argument for
>> security.
>> This is probably a clash of worldviews, but past experiences don't give
>> me the feeling these kinds of certifications have achieved much in
>> terms of security.
>> Is there any ruleset that requires such hw for CAs to be certified in a
>> way that excludes open source? That'd be very strange indeed...
> There is not a ruleset that the hardware excludes Open Source, but it
> Baseline Requirements say:
> "The CA SHALL protect its Private Key in a system or device that has
> been validated as meeting at least FIPS 140
> level 3 or an appropriate Common Criteria Protection Profile or
> Security Target, EAL 4 (or higher) which includes
> requirements to protect the Private Key and other assets against known
> threats" (from https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf)
> I am unaware of any system or device that meets that requirement.  If
> you know of one, I suspect a number of people would be very
> interested.

This should have been "any open source system or device".  Every
public CA is required to meet these requirements, so this is not a
unique problem for Let's Encrypt.  I don't think any public CA can
both meet the requirements to be a public CA and be 100% open source.


More information about the cryptography mailing list