Renaming kmip2pkcs11 to cascade-hsm-bridge

For anyone who has installed Cascade already and has also installed/is using kmip2pkcs11, please be aware that we are in the process of renaming it from kmip2pkcs11 to cascade-hsm-bridge.

What is this about?

kmip2pkcs11 is a tool we created to enable Cascade to use Hardware Security Modules (HSMs) to generate cryptographic keys and sign data with them, without having to load untrusted third-party PKCS#11 module code into its running process.

PKCS#11 is the most widely supported HSM interface, but because it is a C programming language based interface, using it in Cascade would negate the guarantees provided by the Rust programming language in which Cascade is written, and would expand and complicate its threat model, configuration, logging and resource usage.

As there are HSMs that support the alternative KMIP specification, a TCP network-based HSM interface, we chose to shield Cascade from PKCS#11 by having it support only KMIP-compatible HSMs, and to provide a tool, kmip2pkcs11, that bridges the gap between Cascade and PKCS#11-compatible HSMs and isolates the risk in that separate tool.

What is changing?

As a name, kmip2pkcs11 says literally what it does, but it is difficult to say and write, meaningless if you don’t know what KMIP or PKCS#11 are, and not obviously related to Cascade. It also overpromises, as we only support the minimal subset of the KMIP and PKCS#11 specifications that Cascade needs, not the full scope of the specifications.

We wanted a more meaningful name, a name obviously related to Cascade, and a name that is easier to say and to write. We also want to change the name before we start making production-ready releases of Cascade, because once we have production users the interfaces that we expose should remain as stable as possible.

As a result, we are currently in the process of updating all references to kmip2pkcs11 in Cascade and its related tooling and documentation to cascade-hsm-bridge.

We hope this post explains what we are doing and why, and helps avoid confusion for users who have already installed Cascade and kmip2pkcs11 prior to the rename.