On 18.10.2017 at 20:00, Jan Schermer wrote:
> I wouldn’t use this for a CA. 2048-bit RSA is not sufficient for a long-term CA, nor is 256-bit ECC sufficient.

Well, this still leaves you with the burden to generate and back up the key in a "secure" environment and transfer it to the TPM later - your key is unprotected at least in this secure environment. A "real" TPM has features to generate, back up and "copy" a key between hardware devices without ever exposing the key.

> 4096/384 is what I’d use.
>
> A “cheap” HSM if you don’t want to use a regular smartcard (though I see no reason not to if you’re not creating dozens of certificates every hour) would be Yubi HSM.
>
> Personally, I’m toying with the idea of using a TPM-wrapped key for CA. Not sure how practical that is, yet, but should be more secure in some respects...
Oliver
-- 
Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
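The "4096/384" bar discussed above, turned into a small, runnable policy gate. This is an added example written for this page, not code from the thread, from OpenXPKI or from any of the posters. It assumes the openssl command-line tool (1.1.1 or later) is on PATH; the file names, the CN "Example Root CA" and the helper function names are illustrative. It generates CA keys at the sizes Jan recommends, self-signs a root certificate, and rejects keys below 4096-bit RSA or 384-bit EC, the sizes he calls insufficient for a long-term CA.

```sh
#!/bin/sh
# Added example (not from the OpenXPKI thread): generate offline CA keys with
# the openssl CLI and gate them on the "4096/384" minimum from the discussion.
# Assumes openssl 1.1.1+ on PATH. File names and the CN are illustrative.
set -eu

MIN_RSA_BITS=4096
MIN_EC_BITS=384
WORK="${WORK:-$(mktemp -d)}"

# Generate a PEM private key: gen_ca_key <rsa|ec> <bits|curve-name> <outfile>
gen_ca_key() {
    case "$1" in
        rsa) openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$3" 2>/dev/null ;;
        ec)  openssl genpkey -algorithm EC  -pkeyopt "ec_paramgen_curve:$2" -out "$3" 2>/dev/null ;;
        *)   echo "gen_ca_key: unknown algorithm '$1'" >&2; return 2 ;;
    esac
}

# Print "<alg> <bits>" for a PEM private key, e.g. "rsa 4096" or "ec 384".
# Parses the text dump: openssl 1.1.1 and 3.x both print "Private-Key: (N bit ...)"
# and then "modulus:" for RSA or "ASN1 OID:" for EC, so both versions are handled.
key_strength() {
    dump=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 2
    bits=$(printf '%s\n' "$dump" | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if printf '%s\n' "$dump" | grep -q '^modulus:'; then
        alg=rsa
    elif printf '%s\n' "$dump" | grep -q '^ASN1 OID:'; then
        alg=ec
    else
        alg=unknown
    fi
    printf '%s %s\n' "$alg" "${bits:-0}"
}

# Policy gate: return 0 if the key meets the long-term CA bar, 1 otherwise.
ca_key_acceptable() {
    strength=$(key_strength "$1") || return 1
    alg=${strength%% *}
    bits=${strength##* }
    case "$alg" in
        rsa) [ "$bits" -ge "$MIN_RSA_BITS" ] ;;
        ec)  [ "$bits" -ge "$MIN_EC_BITS" ] ;;
        *)   return 1 ;;
    esac
}

# Self-sign a root certificate for a key: make_root_cert <key> <CN> <outfile>
# keyCertSign/cRLSign only: a root key should never sign anything but certs and CRLs.
make_root_cert() {
    openssl req -x509 -new -key "$1" -subj "/CN=$2" -days 3650 -sha384 \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$3" 2>/dev/null
}

# Public key size as printed in the certificate text ("Public-Key: (N bit)").
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Demonstration: an EC P-384 root, the "384" half of Jan's "4096/384".
gen_ca_key ec secp384r1 "$WORK/root-p384.key"
make_root_cert "$WORK/root-p384.key" "Example Root CA" "$WORK/root-p384.crt"
echo "root key: $(key_strength "$WORK/root-p384.key"); cert public key: $(cert_key_bits "$WORK/root-p384.crt") bit"
if ca_key_acceptable "$WORK/root-p384.key"; then
    echo "policy: accepted"
else
    echo "policy: rejected"
fi
```

Run it on a machine that is acceptable as the "secure environment" Oliver mentions; the gate only checks size, it says nothing about where the key was generated or how it is stored, which is the part of the thread a TPM or HSM is meant to solve.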
