Microchip CryptoAuthentication Device and the future of pfSense



  • I came across the latest Netgate blog post and I stumbled upon two sentences:

    We’ve come up with a solution we believe will give our customers the secure networking software assurance they expect and deserve, while allowing others to continue to fork the software under the current Apache2 license (just don’t call it “pfSense”).

    The pilot program gives us a great opportunity to field test the solution end to end, and iron out any wrinkles. In time, we plan to outfit all new Netgate products, previously sold products, non-Netgate products, and even virtual machine instances with the same assurance. Further, there is potential to take product verification much further - to the benefit of even greater customer value.

    This seems to suggest that we will need a "Microchip CryptoAuthentication Device" to run original pfSense.
    Does this mean, at some point in the future, pfSense will no longer be available as a free product? Do we need to buy an authentication device or certificate to be able to run the application?

    I just ask to be clear and to have a clear vision for our future plans regarding pfSense.



  • How did you extrapolate any of that from those two sentences?



  • Mainly because of the combination of providing a solution which requires hardware and mentioning the requirement of forking the software. The hint on being able to fork didn't make much sense - at least for me.

    I'm not a native speaker so I may have gotten something wrong here. So I was just asking to clarify this point.



  • While I cannot speak for the developers, I believe they are indicating that they are going to be adding features that will work with their own branded hardware, such as dedicated cryptography chips, but will also work regardless of the platform. Embedded cryptography silicon is becoming more common, and it provides a lot of additional capabilities to developers and hardware manufacturers. If your platform has these additional capabilities, then the software will be able to take advantage of them, just like pfSense does now.

    I do not think they are going to lock down the software to their own hardware or add any restrictions on the hardware most folks are currently using (hey, there's even improved RealTek support from the community). That's never been the case, and they would alienate the massive user base they currently serve.