The following is a loose list of requirements for evaluating HSMs for use by CAcert.

| Requirement | Notes |
|---|---|
| Non-FIPS certification | ICP-Brasil, independent security audits |
| Common Criteria certification | optional |
| FIPS level 3 equivalent | |
| http://www.adobe.com/misc/pdfs/Adobe_CDS_CPv011604clean.pdf compliant | |
| Non-FIPS mode available | Detailed documentation on the differences between FIPS and Non-FIPS mode |
| supported by OpenSSL | out-of-the-box? |
| supported by GnuPG | out-of-the-box? |
| supported by CryptLib | |
| supported by EJBCA | |
| Standalone, not as PCI card | |
| Performance: Minimum 1 Sig/Second | |
| Training courses for Operators and Developers | |
| SDK available for custom software in the HSM | |
| Crypto-Key splitting across multiple HSMs | |
| Threshold crypto across multiple HSMs | |
| Which application layer do they offer? PKCS#11 style RSA key/signature/decryption? Or application layer X.509 CA inside the HSM? | Does it just store the key, or can we run the CA inside the HSM? |
| HSM-clustering | |
| Requirements for HSM-clustering | Maximum latency for each link. Does the cluster have to have a maximum size of 30 kilometers? |
| Which algorithms are supported? | |
| If ECC is supported, can we turn it off, to guarantee that it can't be used? | |
| GOST support | |
| Which padding algorithms are supported? | |
| What are the temperature, humidity and barometric pressure requirements? | |
| Does it use Chinese Remainder theorem optimisation for RSA? | |
| Can it also work on RSA without the Chinese Remainder optimisation? | |