[Dnssec-deployment] HSMs and key holding capacity
Edward Lewis
Ed.Lewis at neustar.biz
Thu Mar 11 16:35:57 EST 2010
At 10:14 +1300 3/12/10, Sebastian Castro wrote:
>Does anyone know how many keys a typical HSM can handle? Is it in the order
>of hundreds? thousands? How do current key management software/products
>behave with lots (order of hundreds) of keys?
In memory, the number of keys is fairly limited (I forget the numbers
we heard, 10s, 100s?). But HSMs can export keys and re-import keys
in an encrypted format that maintains the same level (US NIST FIPS
140-2 terminology) as if the keys weren't exported. With that
feature the number of keys is limited by non-HSM factors, for
example, storage capacity and the time budget for swapping keys.
I've been told that vendors suggest you buy more units and gang
them together to increase your key holding capacity. (Who wouldn't
see that coming!)
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.