[Cryptography] On the deployment of client-side certs
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Nov 23 21:27:34 EST 2016
Philipp Gühring <pg at futureware.at> writes:
>So if you want a secure system, you have to build your own software on HSMs.
>Just running standard PKCS#11 or similar software on it is not secure enough.
>If you want to run a PKI, develop your certificate issueing software inside
>the HSM.
The problem is that no-one wants that. Or at least everyone says they'd like
it as an abstract concept, but when you productise it no-one actually wants
it. IBM tried this with their 4758, a fully user-programmable HSM (and rather
nice piece of engineering), and barely managed to sell any of them outside of
a few niche applications.
Peter.
More information about the cryptography
mailing list