[lsb-discuss] Reflections on Trusting Trust
Robert Relyea
rrelyea at redhat.com
Thu Oct 23 10:15:13 PDT 2008
Theodore Tso wrote:
> On Thu, Oct 23, 2008 at 12:02:24AM -0700, Nelson B Bolyard wrote:
>
>> I have a FIPS compliant hardware security module (HSM) in my pocket,
>> on my key ring, actually. It's the size of a USB stick. It has a
>> USB interface, but it is NOT a USB memory device. It is a real HSM.
>> The private key on there won't come off due to any clever software.
>>
>
> I looked at the Aladdin eToken, actually. It's now about $35 dollars,
> and it's OK, BUT:
>
>
Aladdin isn't the only token out there in that price range. I use a
number of them, most of them protect the private key from being read
(even to the point of worrying about on line attacks. I know it's
possible to get them to work with ssh, though if we are just talking
about package signing, I don't think that's an issue.
>
> *) There is some hint that it's possible to upload an SSH key (and
> thus any private key) to the eToken, which would be one way of
> solving the above problem --- just generate the key outside of the
> device and then upload it to multiple etokens --- but there are more
> web pages who insist just as stridently that You Can't Do This with
> the eToken. (This may be where use of the proprietary Aladin stack
> does something OpenSC does not; I'm not sure.)
>
NSS can usually load a private key into most PKCS #11 modules with pk12util.
>
> If someone can point me at a FIPS-140 solution where the software
> stack is known to work out of the box on multiple distributions
> (ideally, Debian/Ubuntu, Fedora/RHEL, and OpenSuSE/SLES) --- no
> patching or use of proprietary object-code-only software from the
> manufacturers --- and which supports key backup/migration, and
> seamless integration with GPG, all without needing any custom patches,
> or replacing random daemons in some other security's software stack to
> fake them out, I don't have an objection to using a hardware solution.
> Or if someone else wants to volunteer the time to get it all working,
> and can convince me that the any patches to make it all work will
> either make its way upstream to the distro's in fairly short order, or
> that it is possible for us to support said patches ourselves
> indefinitely, I'm not *against* a hardware solution; in fact, I would
> think that would be pretty cool.
>
Ah... NSS? FIPS 140 level-2 certified (the only level-2 certified open
source software model, and the first level-2 software module of any
kind). Works (actually ships) with all major Linux distributions;).
Though I still recommend a hardware solution (which NSS supports quite
well itself).
bob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3420 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.linux-foundation.org/pipermail/lsb-discuss/attachments/20081023/8038aa38/attachment.bin
More information about the lsb-discuss
mailing list