[Cryptech Tech] Fwd: Question regarding Trusted Path Authentication

[Randy Bush]

From: Tomofumi Okubo <tomokubo at verisign.com>
Subject: Question regarding Trusted Path Authentication
To: Randy Bush <randy at psg.com>
Date: Tue, 16 Dec 2014 21:18:02 +0000

Dear Randy,

Thank you very much for the talk today. It was exciting!
I now see a tremendous possibility in the open design HSM project.

The question I had during the session is regarding the Trusted Path
Authentication.

This is popular for HSM usage in military, financial institutions and
commercial CAs. They use Trusted Path Authentication to split the
authority to access to the HSM. During the initialization of the HSM,
multiple credentials are created using the secret sharing scheme so that
it requires M out of N people to perform an operation on the HSM. Per
FIPS140, this does not necessarily have to use physical credentials so it
shouldn¹t be too messy to implement.

I¹d like to see a future that everybody who needs an HSM can buy a HSM at
a reasonable price. Not just a HSM but a good one. It would be nice to see
someone manufacture a clean implementation of the open design HSM and get
certified by the various bodies and then sell it at a significantly lower
price.

Just my two cents.

Thanks and best regards,
Tomofumi Okubo

Sr. Engineer, Applied Security
Verisign, Inc.
12061 Bluemont Way Reston, VA 20190
+1-571-446-1834 (mobile)