FWIW: +1. We did look high and low for additional level 4 vendors (I did various evals in 2008) but at the time there was nothing other than AEP and IBM and SafeNet main engineer said unlikely. IBM PCI card tampered too easily and stand alone was of interest. So would love to see some HSM diversity here.

-Rick

-----Original Message-----
From: ksk-rollover-bounces@icann.org [mailto:ksk-rollover-bounces@icann.org] On Behalf Of Bolivar, Al
Sent: Thursday, October 02, 2014 10:43 AM
To: Tomofumi Okubo; Paul Hoffman
Cc: ksk-rollover@icann.org
Subject: Re: [ksk-change] Keeping two KSK keys long term

I would like to add that I support the addition of another vendor. Tomofumi and I spoke to another vendor about introducing a competing FIPS 140-2 level 4 HSM. In my opinion having other choices will be positive.

Thanks,
Al

On 10/1/14, 6:48 PM, "Tomofumi Okubo" <tomofumi.okubo@gmail.com> wrote:
Hello,
On Wed, Oct 1, 2014 at 3:09 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
On Oct 1, 2014, at 2:15 PM, Jakob Schlyter <jakob@kirei.se> wrote:
With all due respect, I'd like to see those numbers. The cost is approximately "have an extra HSM stored somewhere where the other HSMs are not". I'm not sure how expensive that can be relative to "fly a bunch of folks around twice a year for the ceremonies", much less relative to "if we needed it, we could show people we had planned for it".
It will roughly cost around 500k to set up one key ceremony room but it's more about the overhead to manage the facilities.
Even if we don't store the HSMs for the backup keys at a different location, I think introducing a different brand of HSM for the backup key would have its own benefits. We can prevent vendor lock-in and a single HSM brand failing (critical flaw in hardware etc...) and needing to do a full trust reboot. Not to mention, this will cost a lot of money (around 150k) too.
Cheers,
Tomofumi
_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover