The following is a loose list of requirements for the evaluation of HSM for being used for CAcert

Non-FIPS certification

ICP-Brasil, independent security audits

Common Criteria certification


FIPS level 3 equivalent compliant

Non-FIPS mode available

Detailled documentation on the differences between FIPS and Non-FIPS mode

supported by OpenSSL


supported by GnuPG


supported by CryptLib

supported by EJBCA

Standalone, not as PCI card

Performance: Minimum 1 Sig/Second

Training courses for Operators and Developers

SDK available for custom software in the HSM

Crypto-Key splitting across multiple HSMs

Threshold crypto across multiple HSMs

Which application layer do they offer? PKCS#11 style RSA key/signature/decryption? Or application layer X.509 CA inside the HSM?

Does it just store the key, or can we run the CA inside the HSM?


Requirements for HSM-clustering

Maximum latency for each link. Does the cluster have to have a maximum size of 30 kilometers?

Which algorithms are supported?

If ECC is supported, can we turn it off, to guarantee that it canĀ“t be used?

GOST support

Which padding algorithms are supported?

What are the temperature, humidity and barometric pressure requirements?

Does it use Chinese Remainder theorem optimisation for RSA?

Can it also work on RSA without the Chinese Remainder optimisation?

HSM pages

Roots/HSM (last edited 2014-03-19 13:34:43 by SunTzuTormenta)