1.0 Frequently Asked Questions
- What are Fortanix's limitations on LMS key tree size?

  The Fortanix LMS implementation is a two-level Hierarchical Signature System (HSS) with tree heights L₁ and L₂, where L₁ is the height of the top-level tree and L₂ is the height of the second-level tree. The sum of the L₁ tree height and the L₂ tree height must not exceed 20. For example, two trees with heights L₁ + L₂ <= 25. L₁ and L₂ must be multiples of 5.

- How many signatures can an LMS key perform for the lifetime of the key?

  The "key capacity" is the number of signatures that an LMS key can perform over its lifetime. It is equal to 2 ^ (L₁ + L₂). For example, a (5,5) key or tree can produce 1024 signatures.

- What does an LMS signature look like? How would it be verified by an external library?

  See RFC8554, Section 6.2 and RFC8708, Section 2.2.

- Is there a way to check the number of signings for LMS keys?

  Users need to keep track of the number of signatures that are produced.

- What RSC are we using for LMS-based certificates?

  Fortanix does not format LMS keys in certificates.

- Can the Fortanix PKCS#11 library handle verification of signatures for external apps?

  PKCS#11 will verify any valid signature within the available PKCS#11 supported mechanisms, as long as the input signature is in a format that PKCS#11 understands. LMS is not supported in PKCS#11.

- What are Fortanix's stance and best practices for CSR generation?

  Some best practices are:
  - Add the CA key inside Fortanix DSM and adequately verify the CSR for authentication before signing.
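The tree-size and key-capacity answers above, together with the note that users must track their own signature count, describe the bookkeeping a caller of a stateful LMS key has to do. The following is an added example, not Fortanix code or part of the FAQ: it encodes the page's rules (L₁ and L₂ are multiples of 5, L₁ + L₂ must not exceed 20, capacity is 2^(L₁ + L₂)) and wraps them in a usage tracker that refuses to issue a leaf index once the key is exhausted. The `LmsUsageTracker` class, the `WARN_FRACTION` threshold and all function names are this example's own assumptions.

```python
"""Capacity bookkeeping for a two-level HSS/LMS key.

Constructed example. The height rules (multiples of 5, L1 + L2 <= 20) and
the capacity formula 2^(L1 + L2) are taken from the FAQ; the tracker class
and its 90% warning threshold are assumptions made for this example.
"""
from dataclasses import dataclass, field

MAX_TOTAL_HEIGHT = 20   # L1 + L2 must not exceed 20 (from the FAQ)
HEIGHT_STEP = 5         # L1 and L2 are multiples of 5 (from the FAQ)
WARN_FRACTION = 0.9     # assumption: flag the key once 90% of leaves are used


def validate_heights(l1: int, l2: int) -> None:
    """Raise ValueError for (L1, L2) pairs outside the FAQ's stated limits."""
    for name, h in (("L1", l1), ("L2", l2)):
        if h <= 0 or h % HEIGHT_STEP != 0:
            raise ValueError(f"{name}={h} must be a positive multiple of {HEIGHT_STEP}")
    if l1 + l2 > MAX_TOTAL_HEIGHT:
        raise ValueError(f"L1 + L2 = {l1 + l2} exceeds {MAX_TOTAL_HEIGHT}")


def is_supported(l1: int, l2: int) -> bool:
    """Boolean form of validate_heights for callers that do not want exceptions."""
    try:
        validate_heights(l1, l2)
    except ValueError:
        return False
    return True


def key_capacity(l1: int, l2: int) -> int:
    """Lifetime signature count, 2^(L1 + L2); a (5,5) key yields 1024."""
    validate_heights(l1, l2)
    return 2 ** (l1 + l2)


@dataclass
class LmsUsageTracker:
    """Tracks how many one-time leaves of an LMS key have been consumed.

    Reusing a leaf index breaks the security of a hash-based signature scheme,
    and the FAQ places the counting burden on the user. The tracker hands out
    strictly increasing indices, fails closed at capacity, and exposes a
    near-exhaustion flag so the key can be rotated before it runs out.
    """
    l1: int
    l2: int
    used: int = 0
    capacity: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.capacity = key_capacity(self.l1, self.l2)
        if not 0 <= self.used <= self.capacity:
            raise ValueError("used count out of range for this key size")

    @property
    def remaining(self) -> int:
        return self.capacity - self.used

    @property
    def near_exhaustion(self) -> bool:
        return self.used >= int(self.capacity * WARN_FRACTION)

    def can_sign(self) -> bool:
        return self.used < self.capacity

    def next_signature_index(self) -> int:
        """Reserve the next leaf index, or raise if the key is exhausted.

        The updated count must be persisted before the signature is released;
        otherwise a crash between signing and saving could reissue an index.
        """
        if not self.can_sign():
            raise RuntimeError(
                f"LMS key ({self.l1},{self.l2}) exhausted after "
                f"{self.capacity} signatures; rotate the key"
            )
        idx = self.used
        self.used += 1
        return idx


if __name__ == "__main__":
    tracker = LmsUsageTracker(5, 5)          # 1024-signature key
    first = tracker.next_signature_index()   # 0
    print(f"issued leaf {first}, {tracker.remaining} signatures remaining")
    print("supported (10,15)?", is_supported(10, 15))   # False: 25 > 20
```

In a real deployment the `used` counter would live in durable storage alongside the key reference, and `near_exhaustion` would feed a monitoring alert rather than a print statement; the class here only shows the arithmetic and the fail-closed check.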