Subject: Re: [dss-x] HSM Proxy DSS profile
Hi Frank,

> Indeed, this Proxy HSM offers raw PKCS1 signature operations, but
> using a centralized key management, whereas the idea behind Local Sig
> Comp is that the client itself holds the signing token (e.g., a smart
> card).
>

but from my point of view an HSM and a smart card are nearly the same. It doesn't have a full DSS implementation but an interface to sign PKCS1 type signatures. And there are a bunch of private keys available for signing, several thousand on an HSM, a few on a smart card.

> I've read your feedback on the Local Sig Comp profile. Decomposing the
> work would indeed make sense as I'm afraid that the current scope is
> way too broad. No matter how the actual connection between the DSS and
> the PKCS1 device has been implemented, the first problem that you need
> to tackle (and that, from an interoperability point of view, actually
> demands for standardization) is the protocol between the web
> application and a DSS service over web browsers. Hence in my view the
> first work package is constructing an OASIS DSS profile that defines
> message level security as I already suggested in:
>
> https://lists.oasis-open.org/archives/dss-x/201209/msg00028.html
>
> Later on we could try to also detail on the actual DSS-PKCS1-device
> protocol, but again, in my view this is merely a DSS service
> implementation detail. I.e., similar to SAML where the actual
> authentication mechanism is also completely out of scope as it is
> business/technology specific and from an interop-point-of-view
> actually doesn't matter at all.
>

What do you think about using DSS as the interface to the HSM, but profiled down to just produce PKCS1? We can use the existing transport security options ...

Greetings,

Andreas