<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<STYLE>
BLOCKQUOTE {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
BODY {
LINE-HEIGHT: 1.5; FONT-FAMILY: 宋体; COLOR: #000080; FONT-SIZE: 10.5pt
}
</STYLE>
<META name=GENERATOR content="MSHTML 8.00.6001.18702"></HEAD>
<BODY style="MARGIN: 10px">
<DIV>
<DIV>>This is very surprising to me, as we have proven interoperability with quite a few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list</DIV>
<DIV> </DIV>
<DIV>Yes, I have seen that page.</DIV>
<DIV> </DIV>
<DIV>>What venders have you been talking to?</DIV>
<DIV> </DIV>
<DIV>We have been talking to a vendor in China.
<DIV>I think the vendor we have been talking to in our country abides the rules of some</DIV>
<DIV>authorities, and we are afraid that foreign products may not pass the authentication</DIV>
<DIV>of the security authority here. So what you have tested
may not be suitable for us...</DIV>
<DIV>OMG!</DIV>
<DIV> </DIV>
<DIV>Best regards,</DIV>
<DIV>Stuart</DIV></DIV></DIV>
<DIV> </DIV>
<DIV
style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0cm; PADDING-LEFT: 0cm; PADDING-RIGHT: 0cm; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<DIV
style="PADDING-BOTTOM: 8px; PADDING-LEFT: 8px; PADDING-RIGHT: 8px; BACKGROUND: #efefef; COLOR: #000000; FONT-SIZE: 12px; PADDING-TOP: 8px">
<DIV><B>From:</B> <A href="mailto:jakob@kirei.se">Jakob Schlyter</A></DIV>
<DIV><B>Date:</B> 2012-10-08 14:55</DIV>
<DIV><B>To:</B> <A href="mailto:shuoleo@126.com">shuoleo</A></DIV>
<DIV><B>CC:</B> <A
href="mailto:opendnssec-user@lists.opendnssec.org">opendnssec-user</A>; <A
href="mailto:pawal@opendnssec.org">Patrik Wallstr鰉</A></DIV>
<DIV><B>Subject:</B> Re: [Opendnssec-user]</DIV></DIV></DIV>
<DIV>
<DIV>On 8 okt 2012, at 08:30, 刘硕 <shuoleo@126.com> wrote:</DIV>
<DIV> </DIV>
<DIV>> We have been testing DNSSEC with OpenDNSSEC+SoftHSM, it has been working well.</DIV>
<DIV>> But recently we decided to buy a HSM to replace SoftHSM to do signing work and</DIV>
<DIV>> keys storage. After consulting with some of the HSM vendors here, we found out</DIV>
<DIV>> that almost no devices can cooperate with OpenDNSSEC.</DIV>
<DIV> </DIV>
<DIV>This is very surprising to me, as we have proven interoperability with quite a few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list</DIV>
<DIV> </DIV>
<DIV>What venders have you been talking to?</DIV>
<DIV> </DIV>
<DIV>> Take key generation for example, the vendors' HSM devices allow create keys with</DIV>
<DIV>> software API though they are both using PKCS#11, keys in HSM devices must be</DIV>
<DIV>> created manually with administrator permission and it is the same case with removing</DIV>
<DIV>> keys.</DIV>
<DIV> </DIV>
<DIV>Yes, there exists HSMs (e.g., AEP) that can limit key generation and destruction and OpenDNSSEC can be set up to work with those. However, all keys must be created via PKCS#11.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>jakob</DIV>
<DIV> </DIV>
<DIV>-- </DIV>
<DIV>Jakob Schlyter</DIV>
<DIV>Kirei AB - http://www.kirei.se/</DIV>
<DIV> </DIV></DIV></BODY></HTML>