Richard Thornton wrote:

> The use case I was thinking of would be key storage for a firewall
> like the Palo Alto Networks appliances, provided I could get support
> added for CrypTech to the PANOS software (for now let's assume PKCS#11
> works but is unsupported on anything but Thales or SafeNet)
>
> https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/certificate-management/set-up-connectivity-with-an-hsm
Why do you assume PKCS#11? I find no reference to it anywhere. On the contrary, https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/application-identification-features/support-for-hardware-security-modules says:

"HSM clients are now integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050, and VM-Series firewalls and on Panorama (virtual appliance and M-100 appliance) for use with the following HSMs:
SafeNet Luna SA 5.2.1 or later
Thales Nshield Connect 11.62 or later"

"HSM client" has nothing to do with PKCS#11. To use any other HSM you would have to develop a compatibility layer for that HSM to make it usable with one of the two proprietary protocols supported by the firewall. This requires first reverse engineering either of the protocols, and then developing software to translate from that protocol to whatever your desired HSM uses. In the CrypTech case that could be PKCS#11, or the CrypTech RPC protocol directly.

> What would I do, use something with ethernet and two USB like an RPi
> (or maybe x86?) and run a TCP/IP server on there (any ideas, OpenSSL?)
> that talks to cryptech_muxd?

Not that simple.

> So with all the info should I grab an Alpha from Crowd Supply or wait
> for a newer board from you?

Unless good documentation for those proprietary protocols is available I wouldn't expect that the CrypTech design will ever support them, because that reverse engineering effort is probably a lot of work, and it is unclear how much real benefit there is...

//Peter

_______________________________________________
Tech mailing list
Tech@cryptech.is
https://lists.cryptech.is/listinfo/tech