Eugen Leitl wrote:
If I may put words in your mouth, you would require a server-side public key cryptography apparatus where the long-term private key value would be subject to utmost protection available, and the signature capability is nonetheless available to some "functional area" software on an general-purpose processor with less stringen protections. Hint: the software application where a security certificate is authorized is the Èfunctional areaÈ software. Presumably, some key management scheme must be provided so that once a "functional area" becomes suspicious, its usage of the private key can be rovoked through a key renewal, and the private key is not at stake.I'm looking for (cheap, PCI/USB) hardware to store secrets (private key) and support crypto primitives (signing, cert generation). It doesn't have to be fast, but to support loading/copying of secrets in physically secure environments, and not generate nonextractable secret onboard. Environment is OpenBSD/Linux/OpenSSL/gpg.
Any suggestions?
The disclosure of such system is at http://www.connotech.com/WIRCPATA.HTM. Be reassured that this was a preventive publication, so this design is in the public domain (and is, or should have been, prior art to US patent 6,671,804).
Such server-side cryptographic hardware is currently under development. It should take the form of a 1U operational secure device and a separate key management console, the latter ensuring that no significant secret is ever stored on a personal computer. The application is not, however, certificate signing, as your post implies. I doubt that you will find products that fits your need as I expressed them. Perhaps with lower security, notably requiring that you trust the API design and implementation between the cryptographic hardware and the functional area.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, Qc Canada H2M 2A1
Tel.: (514)385-5691 Fax: (514)385-5900
web site: http://www.connotech.com e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
