Subject: RE: Upcoming Shibboleth changes to be aware of
From: Janne Lauros <Janne.Lauros@xxxxxx>
Date: Mon, 9 Aug 2010 09:53:39 +0300


>I'm very much looking forward to signing with HSM-protected keys and
>hence would be interested in a broader exchange on HSM usage for
>metadata signing. There has been little to none in this community
>(except for those running their own PKIX, but that's not strictly
>related to federation) up to date. So recommendations and exchange of
>practical experience with specific products, vendors, etc. (nShield,
>Sun SCA6000) would be very much welcome.

In the Haka federation we are now testing a solution that consists of a smart card (Gemalto TOP GX4), the old metadatatool modified to support it, and a GUI built on top of that. We have also tried to put some effort into processes (key generation etc.), roles and facilities. We generate the metadata signatures offline; we have a dedicated room with restricted access for the operators to perform the signing and another one for the cards (they are placed in a secure cabinet to prevent us - evil operators - from physically tampering with them). All operator events are recorded to a log inside the smart card in case we need to check who has done what. All in all, we have tried to make it as hard as possible to lose the private key by operator mistake (or by an evil operator).

The obvious downside in using a smart card is the performance: it works okay in an offline scenario like ours, but if you want to produce several signatures per second, something more powerful is needed. The smart card is cheap, though.

Br, Janne

Janne Lauros, Application Specialist, CSC PO. BOX 405 02101 Espoo, Finland, Tel +358 50 381 8416, e-mail: janne.lauros@xxxxxx