[Opendnssec-develop] Creating keys
Roy Arends
roy at nominet.org.uk
Tue Dec 2 13:39:42 UTC 2008
Roland van Rijswijk <roland.vanrijswijk at surfnet.nl> wrote on 12/02/2008 02:18:46 PM:
> Hi Roy,
>
> > Fwiw I do not see a market for USB tokens as a keystore in this sense. USB
> > tokens tend to get lost, stolen, or left connected to a device (or left in
> > a bar or taxi, if you work for British Government). Note that data needs
> > to be signed periodically and regularly. If you have a high value domain,
> > use a proper fips-140-2 level 4 HSM. If you have huge number of highly
> > volatile domains, use an HSM that is specifically built for acceleration.
> > I think it is fine, in the general case, to have a softtoken.
>
> I think a USB token could add something in some cases, as it provides
> better security than a softtoken. And there is of course no reason why
> the USB token could not be connected to the signer machine permanently
> (in which case it cannot easily be misplaced).
>
> Another way to use a USB token could be as a master key for a soft token.
>
> I think we should not dismiss the possibility of using USB tokens in the
> scenarios described, they are a cheap intermediate solution for
> hardware security...
>
> On the other hand good arguments for not using USB tokens could be:
>
> - Less durable than HSMs
> - Much slower than HSMs or a soft token (many orders of magnitude!)
> - Much harder (or even impossible) to back up
>
> Just my 2 cents there.
Thanks Roland,
A few observations:
I want OpenDNSSEC to be PKCS11 compliant.
It seems that we must have a discussion on what compliance actually
entails. One extreme is full v2.20 with all the tidbits, bells and
whistles, and the other extreme is solely the very few functions, methods
and attributes of the pkcs11 library that we need for OpenDNSSEC.
However, what I'd like to avoid is that we restrict PKCS11 compliance to
the least compliant device.
Though USB tokens are very cheap and common, can be glued to a box and
do comply with PKCS11, I would not like them to be exemplary.
Roy Arends
Sr. Researcher
Nominet UK
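The question Roy raises, which PKCS#11 functions and mechanisms a device must actually offer before the signer can use it, is easiest to settle by asking the module. The script below is an added example and is not OpenDNSSEC code: it loads a PKCS#11 shared library on a POSIX system via ctypes, walks the head of CK_FUNCTION_LIST (whose field order is fixed by pkcs11f.h), enumerates the mechanisms of every slot with a token present, and reports which of a required subset are missing. The required set (RSA key-pair generation plus PKCS#1 v1.5 signing) is an assumption made for the example, not OpenDNSSEC's actual requirement list; the mechanism numbers are the PKCS#11 v2.20 constants. The comparison logic runs on its own; the probe needs a real module path, such as a softtoken, as its first argument.

```python
"""Probe a PKCS#11 module for the mechanisms a DNSSEC signer would need.

Added example, not OpenDNSSEC code. Assumes a POSIX shared library that
exports C_GetFunctionList (PKCS#11 v2.x); the REQUIRED set below is an
assumption for illustration only.
"""
import ctypes
import sys

CK_ULONG = ctypes.c_ulong
CK_RV = ctypes.c_ulong

# Mechanism identifiers as defined in the PKCS#11 v2.20 header (pkcs11t.h).
MECHANISM_NAMES = {
    0x0000: "CKM_RSA_PKCS_KEY_PAIR_GEN",
    0x0001: "CKM_RSA_PKCS",
    0x0006: "CKM_SHA1_RSA_PKCS",
    0x0040: "CKM_SHA256_RSA_PKCS",
    0x0041: "CKM_SHA384_RSA_PKCS",
    0x0042: "CKM_SHA512_RSA_PKCS",
    0x0220: "CKM_SHA_1",
    0x0250: "CKM_SHA256",
}

# Assumed minimal subset for a DNSSEC signer (an assumption for this example,
# not a statement of what OpenDNSSEC actually requires).
REQUIRED = frozenset({
    "CKM_RSA_PKCS_KEY_PAIR_GEN",  # generate the KSK/ZSK on the token
    "CKM_RSA_PKCS",               # raw RSA PKCS#1 v1.5 signature
    "CKM_SHA1_RSA_PKCS",          # RSA/SHA-1 (RFC 4034 algorithm 5)
})


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


# Only the leading entries of CK_FUNCTION_LIST are declared: pkcs11f.h fixes
# their order, and nothing past C_GetMechanismList is touched here.
C_Initialize_t = ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)
C_Finalize_t = ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)
C_Generic_t = ctypes.CFUNCTYPE(CK_RV)
C_GetSlotList_t = ctypes.CFUNCTYPE(CK_RV, ctypes.c_ubyte,
                                   ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ULONG))
C_GetMechanismList_t = ctypes.CFUNCTYPE(CK_RV, CK_ULONG,
                                        ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ULONG))


class CK_FUNCTION_LIST(ctypes.Structure):
    _fields_ = [
        ("version", CK_VERSION),
        ("C_Initialize", C_Initialize_t),
        ("C_Finalize", C_Finalize_t),
        ("C_GetInfo", C_Generic_t),
        ("C_GetFunctionList", C_Generic_t),
        ("C_GetSlotList", C_GetSlotList_t),
        ("C_GetSlotInfo", C_Generic_t),
        ("C_GetTokenInfo", C_Generic_t),
        ("C_GetMechanismList", C_GetMechanismList_t),
    ]


def missing_mechanisms(supported_ids, required=REQUIRED):
    """Return the sorted names from `required` that `supported_ids` lacks."""
    supported = {MECHANISM_NAMES.get(m, "0x%08x" % m) for m in supported_ids}
    return sorted(set(required) - supported)


def probe_module(path):
    """Load a PKCS#11 module; return ((major, minor), {slot_id: [mech ids]})."""
    lib = ctypes.CDLL(path)
    get_fl = lib.C_GetFunctionList
    get_fl.restype = CK_RV
    get_fl.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl_ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    if get_fl(ctypes.byref(fl_ptr)) != 0:
        raise RuntimeError("C_GetFunctionList failed")
    fl = fl_ptr.contents
    if fl.C_Initialize(None) != 0:
        raise RuntimeError("C_Initialize failed")
    try:
        count = CK_ULONG(0)
        # tokenPresent=1: only slots that actually hold a token
        if fl.C_GetSlotList(1, None, ctypes.byref(count)) != 0:
            raise RuntimeError("C_GetSlotList failed")
        slots = (CK_ULONG * count.value)()
        if count.value and fl.C_GetSlotList(1, slots, ctypes.byref(count)) != 0:
            raise RuntimeError("C_GetSlotList failed")
        result = {}
        for slot in list(slots)[:count.value]:
            n = CK_ULONG(0)
            if fl.C_GetMechanismList(slot, None, ctypes.byref(n)) != 0:
                raise RuntimeError("C_GetMechanismList failed")
            mechs = (CK_ULONG * n.value)()
            if n.value and fl.C_GetMechanismList(slot, mechs, ctypes.byref(n)) != 0:
                raise RuntimeError("C_GetMechanismList failed")
            result[slot] = list(mechs)[:n.value]
        return (fl.version.major, fl.version.minor), result
    finally:
        fl.C_Finalize(None)


if __name__ == "__main__":
    version, per_slot = probe_module(sys.argv[1])
    print("PKCS#11 v%d.%d" % version)
    for slot, mechs in per_slot.items():
        gap = missing_mechanisms(mechs)
        print("slot %d: %d mechanisms, missing: %s" % (slot, len(mechs), gap or "none"))
```

Run against each candidate module (a softtoken, a USB token, an HSM) and compare the "missing" lines; a device that only implements the minimal subset passes this check, which is exactly the least-compliant baseline the discussion warns against treating as the reference.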