On 23 April 2013 09:42, Phil Smith <[email protected]> wrote: > Thanks for this, Todd. VERY interesting. The fact that System z adds this > restriction seems odd. I'm sure you would have commented on it if you were > able to; I can only speculate from here that it's either (a) a conservative > approach, to keep mixed use from causing unsatisfactory performance for one > camp or the other (e.g., a ton of SSL handshakes causes PIN operations to be > slow, or vice versa) or (b) a desire to sell more cards! Any other ideas, > folks?
One might speculate that it could be harder to prove the correctness/integrity of the whole system when the card is used in mixed mode. Which of course raises the questions of how well the card interfaces are documented, and whether the cards are available for other platforms. Can anyone buy one, or only System z customers? Some years ago researchers at Ross Anderson's security lab at Cambridge mounted a successful attack on earlier IBM crypto APIs, and I seem to remember there was a time when they were offering a bounty of some sort for a new card. It would be interesting to know if IBM has cooperated with the Cambridge people to evaluate the latest cards and their APIs. Tony H. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
