Sharon GoldbergHi infosec mastodon. Question. Whats the standard for storing the Private Key that is used in a TLS handshake? Would you store it in an HSM?
Brian Sniffen@goldbe for big sites this is tricky! Private key has to be available to tens of thousands of CDN nodes. A “networked HSM” model is common but it’s still gonna end up in ram on the edge nodes.
Christian Huitema@briansniffen @goldbe for the small sites, the most deployed solution by far is Let's Encrypt and the associated certbot. File on disk.
@briansniffen @goldbe @goldbe asks "would you store it in an HSM". I am not sure I would know how to do that for a server running on a VM in the cloud -- would need support for AWS, Azure, or the other folks. Also, I would then need the server to store credentials to access the HSM, which feels like the first turtle in a long pile...
@briansniffen @goldbe I think this could be sold as public key computing offload. That's a major CPU bottleneck, so I could see sending a transaction from server to public key box and receiving the result as both security and perf gain. But the server will have to show creds to the public key box to get access, and that's definitely an avenue of attack.