[Cryptech Tech] goals / use cases

Leif Johansson leifj at sunet.se
Sun Jan 25 15:14:28 UTC 2015


On 01/25/2015 05:54 AM, Peter Gutmann wrote:
> Leif Johansson <leifj at sunet.se> writes:
> 
>> Me neither. Even if this was a price issue at this point (which it is not
>> really) paying on the order of 1-2k for an HSM is still almost 2 orders of
>> magnitude cheaper than what I pay now for commercial HSMs
> 
> Uhh, you're paying $100K for an HSM?  I didn't know Faberge made HSMs :-).
> 

70k EUR for LunaSAs yes.

> Most of the cost of an HSM is the certification and fancy paperwork, not the
> hardware.  The certification is often pretty worthless (coughFIPS 140cough),
> but for compliance reasons you need to get something with the appropriate
> paperwork.  So you can buy $10K HSMs, but you can also buy sub-$1K ones that
> offer the same security and possibly better performance.

I know that well enough. I suspect there are only rat-holes to be had
talking about the failures of the HSM market though.

> 
> This leads to another question about requirements (alongside my earlier ones),
> who's the target audience for this?  If you're going for commercial users then
> they're going to be paying for the certification paperwork and not the
> hardware, so you can't really compete in that market.  OTOH if you're aiming
> for people who just want to have their own HSM regardless of whether it's
> FIPS/CC/EMV accredited then you'll probably need to aim for the < $100-200
> segment that you'd find on Tindie and the like.  Anyone with $1-2K to spend on
> an HSM will presumably be spending their employer's money rather than their
> own, which means they'd be buying the product with the extensive paperwork.
> 
> Peter.
> 



