Re: [Cfrg] FIPS or equivalent approvals

Phillip Hallam-Baker <> Tue, 29 July 2014 18:16 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AE1A21A0091 for <>; Tue, 29 Jul 2014 11:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 48Of3xrRmjlW for <>; Tue, 29 Jul 2014 11:16:29 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c03::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 727221B2A0A for <>; Tue, 29 Jul 2014 11:16:29 -0700 (PDT)
Received: by with SMTP id e16so28859lan.39 for <>; Tue, 29 Jul 2014 11:16:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=0hN2OZVdEiL7BJS/y3HGMwyRUkp+AQkbSSqz1urJg8Q=; b=PGeSXo0S74MNJUaEbY4VX2YbipipuNtVpurOLOS4VQ6Zjy660Jt4uvzvATP3LcUWt3 rThDKWsZqWkBAgPZPl1IO5KwrCBTgNjkBCDiMBm5EbLEJXc5jkLrCUFhwddEG+qFj/I4 32ZxeyS0Mrf9gEidTiAqOX3C5UGzIKmHLgvag45eD9mrFzZtuX9xi69VgU3kWwkQ50ir M82g6vvIj46CqGOb5kxDF9zU+GZ1gQjLCDaRYeYSs0jeU7DTQSlVvcLPgJ5sZP1kUeop t+3nOMXSyLRzt8hNqSLMunWZr8w1qPWfaKSGwmTXYvsSIbOAl1pOe0y7715EmO1YnUu5 lRkg==
MIME-Version: 1.0
X-Received: by with SMTP id v5mr4253359lag.84.1406657787544; Tue, 29 Jul 2014 11:16:27 -0700 (PDT)
Received: by with HTTP; Tue, 29 Jul 2014 11:16:27 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Tue, 29 Jul 2014 14:16:27 -0400
X-Google-Sender-Auth: T7MU6UVRp3Mb3tvvNyMSV3QNutY
Message-ID: <>
From: Phillip Hallam-Baker <>
To: "Salz, Rich" <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [Cfrg] FIPS or equivalent approvals
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Jul 2014 18:16:32 -0000

On Tue, Jul 29, 2014 at 11:45 AM, Salz, Rich <> wrote:
>> If we are going to use the new curves in PKIX (a major part of TLS) we are
>> going to need trustworthy HSMs.
> I disagree with the idea that PKIX is a major part of TLS, the implication that RSA 2K certs need to be replaced quickly, and that HSM's are needed by the CA's.
> Other then that, the sentence is fine. :)

That depends on your definition of 'quickly'. I don't intend to do
this according to the 'waterfall' development model where anyone who
looks ahead more than one problem at a time gets told to wait for what
turns out to be three years for a decision. We have seen the result of
that approach in IPv6 and DNSSEC.

If this group wants to make the decision it is going to have to allow
for parallel processing of things that can be done in parallel. It
will take a little while for the hardware folk to take notice. And
some of those vendors have expertise that I think is rather useful,
they have been facing issues such as side channels for a long time.

Given that this is essentially a bikeshedding decision process, one of
the criteria is going to be which curve's supporters is willing to do
most to persuade people that they will win.

As for CAs not needing HSMs, I don't think any of the browser
providers is going to accept a root that is not protected by some
FIPS-140 equivalent validated HSM with multiple separation of duties

We will need the whole industry on board in the end. At least in
nCipher, Aladdin, Intel, AMD, ARM etc are asked early on they won't
have an excuse to complain later.

Making the approach is a signal to their people to think about
planning to put some of this stuff on their roadmaps.