Hello Paul,

Thanks for your reply.

On Mon, Oct 6, 2014 at 7:38 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
On Oct 5, 2014, at 10:37 PM, Tomofumi Okubo <tomofumi.okubo@gmail.com> wrote:
Yes, and none of those are of concern *in IANA's operating environment*, correct? If anyone has unauthorized physical access to the HSM, IANA will invalidate the key and use a new one, right?
Yes, that's right, but that is if the other security controls successfully detect the compromise. The mechanism on the HSM will be the last line of defense if the other security controls fail for some reason. This is why in the ICANN definition, HSM is labelled as Tier 7.
This is the crux of my point: if IANA has processes that are more stringent than those provided by Levels 2 through 4, then all you get from insisting on higher-than-Level-1 is restrictions on cryptography and restriction of choice of models.
I still think level 1 HSMs are not suitable for mission critical operations like Root DNSSEC. I've never heard of a commercial CA or bank that uses FIPS140 level 1 HSMs for their CA cert operation (not EE).
This might sound weird but I'm not actually advocating for FIPS140 level 4 HSMs and I do like EC too.
Those two do not make sense together in the current environment where we expect the CFRG to decide on new elliptic curve specifications in the coming months. No one would expect such cryptography to be available in a Level 4 HSM for many, many years. Look how little choice you have even for current ECDSA HSMs at Level 4.
I agree that we currently don't have many options and that is definitely an issue. I'm hoping that if the algorithms you mentioned are really going to be the mainstream, it won't take multiple years for the HSM vendors to incorporate them. As I mentioned on the list, we can always talk to the HSM vendors if we come up with what we actually want.

Cheers!
Tomofumi