Hello Al,

If someone is able to sabotage your key management operation, you will have bigger issues before performing any cryptographic operations. It's huge damage to reputation/trust. I believe this is why you have very good protection and monitoring around your KMF.

Also, I personally love HSMs but unfortunately, I cannot fully trust them when it comes to key management. If someone gets hold of the HSM, we don't know if there is a flaw or backdoor that allows the adversary to extract the key. This is why we implement compensating controls to prevent it from happening. I'm paranoid to the point that I need to know where the key material resides and when it is used. But this is more from an information security practitioner's standpoint rather than an engineer's.

Cheers,
Tomofumi
On Oct 2, 2014, at 10:13, "Bolivar, Al" <abolivar@verisign.com> wrote:
Tomofumi,
In the scenario you are talking about, the adversary would gain access to both HSMs at one of the facilities, right? Then you could still use the other two HSMs you have at the other facility, provided they didn't get access to the smart cards (credentials) as well. You could then import the KSK into new HSMs via the APP cards.
Thanks,
Al
On 10/1/14, 9:22 PM, "Tomofumi Okubo" <tomofumi.okubo@gmail.com> wrote:
Hello Mike,
On Wed, Oct 1, 2014 at 4:39 PM, Michael StJohns <msj@nthpermutation.com> wrote:
On 10/1/2014 7:26 PM, David Conrad wrote:
Gaining access to an HSM, along with its ignition keys would be bad. Gaining access to the HSM by itself shouldn't be. The whole purpose of an HSM is to make generic access to the HSM non-bad. E.g. the key's locked inside and without the use credential you ain't going to get it to do anything. Attempts to extract a key will fail and ideally cause the HSM to zeroize.
I do agree that, in general, gaining access to the HSM is not equivalent to gaining access to the key material on the HSM if it's without the credentials. Although, if the adversary's objective is to sabotage the operation, they can simply destroy the HSM (and the key that resides on it), so I still believe that unauthorized access to the HSM is pretty bad (from a key management standpoint).
Cheers,
Tomofumi

_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover