>> Well, define expensive and define your requirements - the HSM adds 
>> extra costs but measured at the TCO of a PKI solution running in an 
>> enterprise environment this will not be the biggest part. By accident, we 
>> are a sales partner for nCipher and we also have good contacts to other 
>> vendors with attractive pricing models - we recently got hands on the 
>> products of a small company based in Switzerland with very interesting 
>> products and pricing which perfectly worked with OpenXPKI and we also have 
>> done a PoC using the YubiHSM.

I understand the costs of operating an HSM.  I've worked with Gemalto Luna EFT 
(~4000 USD for a dev unit) and Thales payShield 9000/10000 (~6-8K USD for a dev 
unit) so TCO isn't a factor for me at 1000 EUR/USD. That's cheap actually.  I may 
have only the first year of support, but that's to be decided when I make the 
HSM purchase. It's also not going to happen until the new year at the earliest.

This isn't for an actual company, this is all personal Dev work to expand my 
understanding. So if your providers have a Dev price list like Gemalto/Thales, 
then that's where I need to start.  (no production/commercial transactions will 
happen on the devices)

My requirements are as I stated and have to compete with Gemalto/Thales for 
feature set: Multiple partition capable (Gemalto Luna EFT for example could 
expand to some 20 partitions or as they see it 20 individual HSMs within the 
same physical box) with providers that talk to OpenSSL and ADCS (Both CAPI and 
CNG, my Microsoft keys are all RSA CNG keys at the moment). Don't need the 
payments stuff (won't be doing DUKPT or any key derivation), just a general HSM 
like the Gemalto Luna Network HSM.  Java is a nice to have, I don't touch Java.

- Side note on OpenSSL:  Is there any other way but say KeyNanny, or a similar 
product/project to OpenXPKI to talk to an HSM in the Linux world, outside of 
coding your own?

I know that for the Microsoft CSP to be supported, it has to be coded by the 
HSM provider. Gemalto/Thales has this, and complete instructions to install the 
ADCS CSP to then start issuing certificates.


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
