[Cryptech Tech] Fwd: Question regarding Trusted Path Authentication

[Peter Gutmann]

Randy Bush <randy at psg.com> quotes Tomofumi Okubo <tomokubo at verisign.com>:

>The question I had during the session is regarding the Trusted Path 
>Authentication.  This is popular for HSM usage in military, financial 
>institutions and commercial CAs. They use Trusted Path Authentication to 
>split the authority to access to the HSM. During the initialization of the 
>HSM, multiple credentials are created using the secret sharing scheme so that 
>it requires M out of N people to perform an operation on the HSM. Per 
>FIPS140, this does not necessarily have to use physical credentials so it 
>shouldn¹t be too messy to implement.

It's actually really, really hard to implement, hard to document, and hard to 
use.  I use this in my book as an example of something that seems quite simple 
(and desirable to have as a feature) until you start thinking about it, and 
then the more you think about it the harder it gets.  If you don't believe me, 
sit down and write out the API required, the data formats, the order and form 
in which the API is called to set things up, the user interface both for when 
things go right and when they go wrong, the procedures required to use it, and 
so on.

This is a feature that can go on the wishlist if required, but a long, long 
way down.

Peter.