
RE: SSL Certs and FIPS 140-2 Compliance: msg#00000

security.websecurity

Subject: RE: SSL Certs and FIPS 140-2 Compliance

Hello all!

I was just trying to find the document or paragraph that specifically states
that the private key for an SSL/TLS certificate may not exist in more than 1
physical location. Does anyone on the list have that information?

I've read through "FIPS PUB 140-2 Security Requirements for Cryptographic
Modules" and "Implementation Guidance for FIPS PUB 140-2 and Cryptographic
Module Validation Program" and I could not find any references to:
Centralized Storage of Keys, Single Instance Storage of a Private or Secret
Key for a key pair OR certificate, Non-Duplication of Keys, etc...

Much appreciated.


John


-----Original Message-----
From: Lionel Ferette [mailto:lionel.ferette@xxxxxxxxx]
Sent: Monday, August 22, 2005 11:41 PM
To: websecurity@xxxxxxxxxxxxx
Cc: Ryan Barnett
Subject: Re: [WEB SECURITY] SSL Certs and FIPS 140-2 Compliance

Ryan, List, greetings!

In the wise words of Ryan Barnett, on Monday 22 August 2005 22:43:
> I am hoping that some other people on this list have some info on this
> area. I will try and make it brief.
[SNIP Concise and precise description]

> The FIPS compliancy issue seems to be that the SSL signed cert and
> private key should only exist in one location - otherwise this
> violates the whole reuse of keys sections. In this case, FIPS is
> making it difficult to leverage typical load-balancing
> implementations.
The way you describe it, I'm also afraid that the one location requirement
is not met, indeed.

> Has anyone else, who works with the government, run into a similar
> scenario? The only option that we are kicking around is to implement
> some sort of hardware SSL accelerator on the network and consolidate
> our SSL functions on this host.
My own experience only relates to the banking sector, and the only solution
we found was to use a shared HSM, like nCipher's netHSM (which is FIPS 140-2
level 3 certified, incidentally). They don't come cheap, unfortunately, and
we had to drop their use for SSL. We used an HSM for the CA, though.

(Standard disclaimer: I'm not affiliated to nCipher, there are certainly
other products that perform the same function, but I have no first-hand
experience with them).

HTH,

Lionel

--
"To understand how progress failed to make our lives easier, please press 3"

Lionel Ferette
BELNET CERT Coordinator

Tel: +32 2 7903385 http://cert.belnet.be/
Fax: +33 2 7903375 PGP Key Id: 0x5662FD4B


