by babar 3149 days ago
How much of a market is there for HSMs that are not FIPS 140-2 certified?
4 comments

FIPS 140-2 is not all that it is cracked up to be these days. Older algorithms, embarrassing failures in certified products, and general distrust of NIST since the Dual EC PRNG catastrophe mean that the only folks that should be using FIPS 140-2 are those legally required to.

(Disclosure: I once took a hardware product through the FIPS process)

FIPS 140-2 also defines requirements around tamper evidence, tamper resistance and tamper proofing.

https://en.wikipedia.org/wiki/FIPS_140-2#Security_levels

It's a subsection of the larger FIPS 140.

Tamper resistance/tamper evidence (and not being able to simply pop the HSM in your pocket while walking by) are important considerations around physical security.

These look great for home or SMB use, but wouldn't work in PCI-DSS or Classified environments.

It looks like the original YubiHSM wasn't FIPS 140-2 certified either.

https://www.yubico.com/support/knowledge-base/categories/art...

Presumably, the original YubiHSM sold well enough to justify the R&D to make the YubiHSM 2, even one that's not FIPS 140-2!

Everybody who isn't working for the US gov. It's a big market.
Everything in the mid to small market commercial space, basically.

I've worked on several FIPS projects, and there's not a big demand for FIPS 140-2 unless the customer is handling government contracts and/or data. It's a good checkmark to have though.