Yes, that was the point I was trying to make, @jared.m.
NIST’s CMVP validates cryptographic modules to FIPS 140-2’s standards.
On the low-cost side, there are instances of low-performance, constrained-resource environments which hold current FIPS 140-2 Level 3 overall certificates in the well-below-$5.00 category. One such example would be NXP’s JCOP OS environment (a JavaCard runtime and library set) running on P60 series NXP smart card ICs. On the high side, you have high-performance HSMs and real-time encrypting high-speed proprietary network interfaces costing $10s to $100s of thousands.
What FIPS 140-2 attempts to illustrate is that there are devices which MAY be utilized to achieve certain security aims if utilized appropriately.
NIST’s CMVP certificates cover equipment and configurations thereof. It does not cover use cases. It does not cover process as pertains to field operation of the equipment and appropriateness of use case of particular instances of the equipment.
I don’t understand (or accept legitimacy of) a regulatory environment in which a written statement from the CA just claiming without evidence that they utilized HSM model #xyz with certificate number ABC would ever be accepted by anyone as proof or security of compliance of any useful form.
NIST’s CMVP is about auditing products for whether there exists a way to use them securely pursuant to the goals and standards of FIPS 140-2. Blessing an entire model of a product has (thankfully) little to do with auditing or certifying a certificate authority.
A certificate authority’s audits are designed to (theoretically) ensure that an infrastructure and process in this particular per-CA instance are in keeping with standards and conventions that allow for trust in the CA’s cryptographic assertions.
Technically, a CA could load a copy of their keys – while also just using OpenSSL on an internet-connected Linux box with a root password of root – into a $5.00 smart card, claim in writing “We utilize SmartcardHSM for our key management” and not even be telling a lie, as long as they’re not claiming that they exclusively use the certified product.
Or a CA might say “We have a Mfg A Model B HSM with cert #123.” Never mind that it just sits in the rack eating power, completely unused in any material sense.
I suspect the original author and his clients’ interests would be best served by consulting the various contracting agencies’ compliance officers to ensure that whatever the needs – reasonable or not – are met.
As an aside, I have to ask… If you’re a service provider to a government client, why would you ever try to use a free CA (or for that matter a free anything) in serving said client? Milk them dry, everyone else does. If you use a pay-for CA you get to resell that certificate and make money on the markup.
Just a (cynical) thought.