Eric, Thanks for that confirmation. I suspected as much but had seen no details up to now.
Lennie Dymoke-Bradshaw
https://rsclweb.com
'Dance like no one is watching. Encrypt like everyone is.'

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Eric D Rossman
Sent: 07 May 2021 20:25
To: [email protected]
Subject: Re: 3270 emulator / telnet with encryption

I'm probably the odd one out, but I say "SEE-pack-eff" and "kicks" for CPACF and CICS and I'm on the east coast of the US.

And, yes, we (ICSF) do exploit the new z15 CPACF functions available with MSAE9 (Compute Digital Signature Authentication (KDSA)) for EC key pair generation, digital signature generate/verify, and key agreement for curves P-256, P-384, P-521, Ed25519, and Ed448. Since System SSL calls us for those curves, they get the performance benefit as well.

Eric Rossman, CISSP®
ICSF Cryptographic Security Development
z/OS Enabling Technologies
[email protected]

IBM Mainframe Discussion List <[email protected]> wrote on 05/07/2021 12:57:01 PM:

> From: Lennie Dymoke-Bradshaw <[email protected]>
>
> Tom,
>
> CPACF is considered part of weaponry by the US government and so it
> has to be capable of being disabled for those countries where
> exportation of encryption is restricted by US Govt arms rules. This is
> why it has to be explicitly selected.
>
> CPACF is actually a pre-requisite for enabling a Crypto Express
> device. CPACF is used extensively in TLS. TLS uses clear key
> encryption for data transport and this is where the majority of
> encryption work is performed in TLS. However, I see the latest CPACF
> on Z15s have some new asymmetric functions, so maybe CPACF can be used
> in the TLS handshake as well now.
>
> Lennie Dymoke-Bradshaw
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On
> Behalf Of Tom Brennan
> Sent: 07 May 2021 16:55
> To: [email protected]
> Subject: Re: 3270 emulator / telnet with encryption
>
> On 5/7/2021 6:19 AM, Phil Smith III wrote:
>
> > It's a reasonably safe bet that any machine today has CPACF; that
> > was not always true, of course.
>
> When IBM or a business partner configures a new machine, there's a
> checkmark for CPACF (zero charge), but it defaults to unchecked. So
> when ordering a new machine I'd suggest the customer ask to make sure
> that free feature code is supplied.
>
> If the machine comes with a crypto card, CPACF is automatically
> selected and required. No need to ask in that case.
>
> Side subject - so how do you pronounce CPACF? I always say each
> letter, but some IBM crypto folks say C-Pack-F

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
