[Cryptography] HSM's to be required for Code Signing Certificates

Fri Jan 27 08:05:25 EST 2017

> On 27 Jan 2017, at 04:49, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> 
> Henry Baker <hbaker1 at pipeline.com> writes:
> 
> This seems a lot like security by press release, if you look at the changes:
> 
>> The guidelines include several new features that will help businesses defend
>> their IT systems and information stores from cyber-attacks, including:
>> 
>> * Stronger protection for private keys: The best practice will be to use a
>> ***FIPS 140-2 Level 2 HSM*** or equivalent.  [...] Therefore, companies must
>> either ***store keys in hardware*** they keep on premise hardware, or in a
>> new secure cloud-based code signing cloud-based service.
> 
> Since level 2 HSMs are expensive, not so easy to find, and 

While I totally agree with the remainder of your points below — I am not sure that the statement that ``L2 HSMs or equivalent’’ at this level of complexity are expensive and hard to find.

Nor ar expensive devices the norm.

Just about any basic USB cryto stick or smartcard with simple USB reader will do; most exceed FIPS104-2 Level 2 and you can buy a handful (for test, deployment and production) for less than a 100$ - including a separate PIN keyboard if so desired.  Heck - most laptops (though the macbooks have lost them) these days come with a ‘free’ TPM chip certified.

> a pain to use,

The real issue is here— on the config & software management; the finicky scripts and the time&labour waste this drivers. But that is a chicken and egg problem and getting better. I now regularly encounter companies that have integrated such in their Jenkins/Hudson build chain without much ado (and, not coincidentally with MS their advice to move to HSMs - usually after some event or other).

> companies are probably going to take the other option of moving their keys
> into the cloud.  So instead of having the key on an, at least on theory,
> isolated machine on a private LAN it's now in the cloud.  Wonderful.
> 
>> * Certificate revocation: Most likely, a revocation will be requested by a
>> malware researcher or an application software supplier like Microsoft, if
>> they discover users of their software may be installing suspect code or
>> malware. After a CA receives request, it must either revoke the certificate
>> within two days, or alert the requestor that it has launched an investigation.
> 
> So the problem here was that if a malware researcher requested a revocation,
> the CA typically did nothing.  Now they're still free to do nothing, as long
> as they claim they're investigating.
> 
> The first of those two arguably makes things worse rather than better, and the
> second is just business as usual.  The final one, use of TSAs, is necessitated
> by the way certs work and mostly a no-op.  "Realizing the importance of the
> case, my men are rounding up twice the usual number of suspects".
> 
> Peter.

Dw.