[Cryptography] HSM's to be required for Code Signing Certificates
Thierry Moreau
thierry.moreau at connotech.com
Sun Jan 29 11:02:38 EST 2017
On 28/01/17 08:44 PM, Bill Frantz wrote:
> On 1/27/17 at 12:52 AM, pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:
>
>> The interface to an HSM, at least for
>> signing purposes, is "perform a private-key operation on this short byte
>> string" (a.k.a. "sign this hash"). That's it.
>
> It seems to me one could build a HSM auditor which passively monitors
> the interface to the HSM and records the time of every signing
> operation. If the communication between the computer and the HSM is in
> the clear, more information could be recorded, but just the time the
> signing operations are performed would provide a useful audit trail.
>
This (or the mere count of digital signature operations performed during
an HSM session, reported in a trustworthy way) is actually missing from
the most readily documented HSM deployment project, the DNSSEC root KSK
signature ceremonies held by IANA on a regular basis.
Ha!
The evil is in the details! Believe me, or look at
https://data.iana.org/ksk-ceremony/
- Thierry
> Cheers - Bill
>
> -------------------------------------------------------------------------
> Bill Frantz | The first thing you need when | Periwinkle
> (408)356-8506 | using a perimeter defense is a | 16345 Englewood Ave
> www.pwpconsult.com | perimeter. | Los Gatos, CA 95032
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
More information about the cryptography
mailing list