[lsb-discuss] Reflections on Trusting Trust

Robert Relyea rrelyea at redhat.com
Thu Oct 23 10:15:13 PDT 2008 

Theodore Tso wrote:
> On Thu, Oct 23, 2008 at 12:02:24AM -0700, Nelson B Bolyard wrote:
>   
>> I have a FIPS compliant hardware security module (HSM) in my pocket,
>> on my key ring, actually.  It's the size of a USB stick.  It has a
>> USB interface, but it is NOT a USB memory device.  It is a real HSM.
>> The private key on there won't come off due to any clever software.
>>     
>
> I looked at the Aladdin eToken, actually.  It's now about $35 dollars,
> and it's OK, BUT:
>
>   
Aladdin isn't the only token out there in that price range. I use a 
number of them, most of them protect the private key from being read 
(even to the point of worrying about on line attacks. I know it's 
possible to get them to work with ssh, though if we are just talking 
about package signing, I don't think that's an issue.
>
> *) There is some hint that it's possible to upload an SSH key (and
>  thus any private key) to the eToken, which would be one way of
>  solving the above problem --- just generate the key outside of the
>  device and then upload it to multiple etokens --- but there are more
>  web pages who insist just as stridently that You Can't Do This with
>  the eToken.  (This may be where use of the proprietary Aladin stack
>  does something OpenSC does not; I'm not sure.)
>   
NSS can usually load a private key into most PKCS #11 modules with pk12util.
>
> If someone can point me at a FIPS-140 solution where the software
> stack is known to work out of the box on multiple distributions
> (ideally, Debian/Ubuntu, Fedora/RHEL, and OpenSuSE/SLES) --- no
> patching or use of proprietary object-code-only software from the
> manufacturers --- and which supports key backup/migration, and
> seamless integration with GPG, all without needing any custom patches,
> or replacing random daemons in some other security's software stack to
> fake them out, I don't have an objection to using a hardware solution.
> Or if someone else wants to volunteer the time to get it all working,
> and can convince me that the any patches to make it all work will
> either make its way upstream to the distro's in fairly short order, or
> that it is possible for us to support said patches ourselves
> indefinitely, I'm not *against* a hardware solution; in fact, I would
> think that would be pretty cool.
>   
Ah... NSS? FIPS 140 level-2 certified (the only level-2 certified open 
source software model, and the first level-2 software module of any 
kind). Works (actually ships) with all major Linux distributions;).

Though I still recommend a hardware solution (which NSS supports quite 
well itself).

bob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3420 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.linux-foundation.org/pipermail/lsb-discuss/attachments/20081023/8038aa38/attachment.bin

More information about the lsb-discuss mailing list