On 6/04/2011, at 1:42 PM, Dean Pemberton wrote:
That's just to fiddle with the big numbers. Don't forget that you have to ask for trivial things like somewhere secure to store the numbers and the ability to tell if someone has tried to get the numbers without asking properly.
Would we really trust an HSM with ccTLD key material if it hadn't undergone some industry-accepted certification process? Unfortunately, to get that level of compliance, things seem to head up the cost curve pretty quickly.
Actually that last bit, FIPS 140 testing, is much cheaper than you think. The HSM market is just around the corner from being revolutionised at the low end with cheap USB devices like the Yubico that can do 10-100 sigs per second and are level 2 or level 3 compliant.

BTW I'm well aware what kind of trust is needed in a ccTLD HSM ;-)

Jay
Dean
On 6/04/11 12:41 PM, Timothy Goddard wrote:
HSMs are expensive for a reason. $5k a unit is entirely reasonable for that sort of specialised hardware. If much more than that, you should start asking questions.
--
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840