> We've designed a secure key store called SmartCard-HSM that implements > secure generation, storage and use of asymmetric keys in a CC evaluated > smart card (see flyer at [1]).
What CC Protection Profile have you evaluated against? Is there any plan to also be FIPS 140-2 certified? Many customers also have requirements on the FIPS level. > In a next step we want to support key replication among a cluster of > SmartCard-HSMs in order to implement load balancing and key backup. We > have a draft concept for it, but would like to cross-check with actual > user requirements in the DNSSEC area. You need to have a mechanism where you can export the key from one card to an other, but also have it wrapped with an encryption key. The initial trust between two cards must be authorized by the Security Officer. >From the user perspective, a cluster must act in the same way as a single card. The key must e.g. be replicated before the user think it can use it. This is so that the user does not get load balanced to a card which is missing the key once signing. // Rickard _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
