[Cryptography] On the deployment of client-side certs

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Nov 23 21:27:34 EST 2016


Philipp G├╝hring <pg at futureware.at> writes:

>So if you want a secure system, you have to build your own software on HSMs.
>Just running standard PKCS#11 or similar software on it is not secure enough.
>If you want to run a PKI, develop your certificate issueing software inside
>the HSM.

The problem is that no-one wants that.  Or at least everyone says they'd like
it as an abstract concept, but when you productise it no-one actually wants
it.  IBM tried this with their 4758, a fully user-programmable HSM (and rather
nice piece of engineering), and barely managed to sell any of them outside of
a few niche applications.

Peter.


More information about the cryptography mailing list