On Mon, 15 Oct 2012, Alexander Gall wrote:
> A hardware HSM allows you to detect when your keys get stolen (provided the hardware does not implement extraction of the keys, of course).
Provided they are not vulnerable to the recent variations of the Bleichenbacher attack, like:

http://hal.inria.fr/docs/00/69/19/58/PDF/RR-7944.pdf

I don't know of any HSMs that you can instruct to disable encryption and only allow signing to protect against this attack, nor have I personally heard from HSM vendors that they are not vulnerable to this attack. The result of this attack is that, in fact, you can no longer know whether your private keys were stolen or not after detecting an unauthorized login to a machine on the same LAN as the HSM.

Paul

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs