I wouldn’t use this for a CA. 2048-bit RSA is not sufficient for a long-term 
CA, nor is 256-bit ECC sufficient.
4096/384 is what I’d use.

A “cheap” HSM if you don’t want to use a regular smartcard (though I see no 
reason not to if you’re not creating dozens of certificates every hour) would 
be YubiHSM.

Personally, I’m toying with the idea of using a TPM-wrapped key for CA. Not 
sure how practical that is, yet, but should be more secure in some respects...

Jan

> On 18 Oct 2017, at 19:48, Noah Baatz <[email protected]> wrote:
> 
> And Martin, no offence, but you looked at the wrong one:
> https://shop.nitrokey.com/shop/product/nitrokey-hsm-7
> which can 
> Protect your server, PKI, CA
> Max. 43 x ECC 256 bit keys
> Max. 35 x RSA 2048 bit keys
> Based on SmartCard-HSM
> Open source & open hardware
> 
> On Wed, Oct 18, 2017 at 12:59 PM, Noah Baatz <[email protected]> wrote:
> Would it work?
> 
> On Oct 18, 2017 1:52 AM, "Martin Bartosch" <[email protected]> wrote:
> > Does OpenXPKI have support for Nitrokey HSM, and if it doesn't, can you add 
> > support for it next update?
> 
> From a quick glance at their web page it looks very much like this device is 
> simply a generic SmartCard which you could use via the PKCS#11 driver. Note 
> that there is no key backup feature, nor is there a way to segregate duties 
> for key use with these devices.
> 
> Martin
> 
> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot 
> <http://sdm.link/slashdot>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected] 
> <mailto:[email protected]>
> https://lists.sourceforge.net/lists/listinfo/openxpki-users 
> <https://lists.sourceforge.net/lists/listinfo/openxpki-users>