<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Maybe move this discussion to the user list since replies from Sebastian will get stuck for approval and info might be useful for others?<br>
<br><span style="background-color:rgba(255,255,255,0)">-- <br>Jerry Lundström - OpenDNSSEC Developer<br><a href="http://www.opendnssec.org/" target="_blank">http://www.opendnssec.org/</a></span></div><div><br>On 6 feb 2014, at 11:08, Jakob Schlyter <<a href="mailto:jakob@kirei.se">jakob@kirei.se</a>> wrote:<br>
<br></div><div><span></span></div><blockquote type="cite"><div><span>On 6 feb 2014, at 08:03, Matthijs Mekking <<a href="mailto:matthijs@NLnetLabs.nl">matthijs@NLnetLabs.nl</a>> wrote:</span><br><span></span><br><blockquote type="cite">
<span>During the OpenDNSSEC tutorial, one of the attendants asked me if USB</span><br></blockquote><blockquote type="cite"><span>or PCI-based HSM worked well with virtualization, for example, to deploy</span><br></blockquote>
<blockquote type="cite"><span>an HSM to a host and run a bunch of virtual servers to provide the</span><br></blockquote><blockquote type="cite"><span>signing service to different "customers". Do you have any experience</span><br>
</blockquote><blockquote type="cite"><span>around that topic? Feel free to discuss the idea internally.</span><br></blockquote><span></span><br><span>Passthrough would only work for one virtual server at a time, so sharing would not be very useful.</span><br>
<span>I would look into a PKCS#11 proxy [1] instead, basically creating your own networked HSM with a USB/PCI backend.</span><br><span></span><br><span>However, the "customers" would need to trust each other somewhat, as they actually share tokens within the same HSM.</span><br>
<span></span><br><span>    jakob</span><br><span></span><br><span></span><br><span>[1] <a href="https://github.com/SUNET/pkcs11-proxy">https://github.com/SUNET/pkcs11-proxy</a></span><br><span></span><br><span>_______________________________________________</span><br>
<span>Opendnssec-develop mailing list</span><br><span><a href="mailto:Opendnssec-develop@lists.opendnssec.org">Opendnssec-develop@lists.opendnssec.org</a></span><br><span><a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop">https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop</a></span><br>
</div></blockquote></body></html>