[Cryptography] HSM's to be required for Code Signing Certificates

Ron Garret ron at flownet.com
Sun Jan 29 22:11:47 EST 2017


On Jan 28, 2017, at 12:44 PM, Bill Frantz <frantz at pwpconsult.com> wrote:

> On 1/27/17 at 12:52 AM, pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:
> 
>> The interface to an HSM, at least for
>> signing purposes, is "perform a private-key operation on this short byte
>> string" (a.k.a. "sign this hash").  That's it.
> 
> It seems to me one could build an HSM auditor which passively monitors the interface to the HSM and records the time of every signing operation. If the communication between the computer and the HSM is in the clear, more information could be recorded, but just the time the signing operations are performed would provide a useful audit trail.

You could also build such an audit trail into the HSM itself.

rg
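
An added illustration of the audit trail discussed in this thread (not code from any poster or from an HSM product): a toy signer whose only operation is "sign this hash" logs the time and hash of every call, and the owner then checks that log against the releases they know about. The hash chaining of log entries, the HMAC standing in for the private-key operation, and all names and sample values are assumptions of this example.

```python
import hashlib
import hmac
import json

GENESIS = "00" * 32  # constructed starting value for the log chain


def _link(entry: dict) -> str:
    """Hash over an entry's fields (everything except its own 'link')."""
    body = {k: entry[k] for k in ("seq", "time", "digest", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedSigner:
    """Toy stand-in for an HSM whose only operation is 'sign this hash'."""

    def __init__(self, key: bytes, clock):
        self._key = key        # never leaves the object
        self._clock = clock    # callable returning the device's own time
        self.head = GENESIS    # link of the newest entry, reported by the device
        self.log = []          # audit trail kept inside the device

    def sign(self, digest: bytes) -> bytes:
        if len(digest) != 32:
            raise ValueError("expected a 32-byte hash")
        entry = {"seq": len(self.log), "time": self._clock(),
                 "digest": digest.hex(), "prev": self.head}
        entry["link"] = self.head = _link(entry)
        self.log.append(entry)  # record the operation before signing
        # HMAC stands in for the private-key operation (assumption).
        return hmac.new(self._key, digest, hashlib.sha256).digest()


def first_broken_entry(log, head) -> int:
    """Index of the first entry failing verification, len(log) if the log
    stops short of the head the device reports, or -1 if it is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["link"] != _link(e):
            return i
        prev = e["link"]
    return -1 if prev == head else len(log)


def unexplained_signings(log, released_digests) -> list:
    """(seq, time) of signings whose hash matches no release the owner made."""
    known = {d.hex() for d in released_digests}
    return [(e["seq"], e["time"]) for e in log if e["digest"] not in known]
```
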


