On Oct 16, 2012, at 7:23 AM, Robert Kisteleki <[email protected]> wrote:

>>> It's possible to come up with bad escrow mechanisms, which leave the key
>>> vulnerable. That's just bad engineering, it's got nothing to do with HSMs.
>>> However, a properly designed procedure with enough support from the HSM will
>>> defend against this.
>> 
>> The same is true for systems that act like HSMs.
> 
> Indeed. So what's the difference between HSMs and "systems that act like 
> HSMs"?

The key is stored in traditional long-term memory (spinning rust or SSD), and 
the signing is done with a traditional CPU under control of a traditional 
operating system. The security offered by the H in HSM is based on an 
assumption that the hardware vendor did it right and the meager documentation 
given for the security properties is complete. The security offered by a system 
that acts like an HSM is based on the belief that the ability to review all the 
software used in the system will overwhelm the problems of too much software in 
the system.

These are two orthogonal types of theater.

--Paul Hoffman
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations