Hi Stephen,

Unfortunately TPMs are not as common in my environment as they should be (in a large company they try hard to save money -- sometimes with fun things such as asking for non-standard flavours of boxes without RAID controllers ["we can use SW RAID"] or TPM modules ["no one uses them anyway"]).
I stopped following the TPM implementations about 2 years ago. At that time virtualization (which is commonly used in our company) together with TPM (I am aware that this might be outdated in the meantime) were a total "no go". But I should definitely spend some time to see how the world has progressed in this area in the last two years.

The OpenSSL ENGINE interface is in my opinion not transparent enough to the application to be widely used (this is where the "dual use" of certificates comes into play). It is however an important part of the proposed implementation.

Thanks for pointing me at the TrouSerS project. I might need a TPM-capable implementation for another purpose in the near future and this could definitely save some time. I will have a closer look at it.

Regards
Martin

> On Thu, 2010-06-03 at 18:04 +0200, Dr. Stephen Henson wrote:
>> If you mean private key security then this makes more sense.
>>
>> OpenSSL includes means to secure private keys through the ENGINE
>> interface.
>> There are some built in which can use external private keys (e.g.
>> Windows CSPs
>> or Chil HSMs).
>
> As part of the TrouSerS project there is an OpenSSL engine which
> provides secure private-key storage.
>
> A TPM is present on a reasonable number of machines these days.
>
>> It only requires a few calls to make use of a private key in an ENGINE
>> after
>> that usage is almost transparent. However at present very applications
>> support
>> that. We could (and indeed I've planned for a while) make that easier to
>> do
>> without needing application modification.
>
> It's not just engine keys. It's bad enough when you just want to be able
> to load PEM or PKCS#12 keys. Making that work better would be extremely
> useful.
>
> --
> dwmw2
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
