[Opendnssec-develop] Creating keys

Patrik Wallstrom patrik.wallstrom at iis.se
Mon Dec 1 10:52:42 UTC 2008


On Nov 28, 2008, at 9:52 PM, Roland van Rijswijk wrote:

>> I agree, key backup is outside the scope of OpenDNSSEC and should  
>> be done according to the mechanism designed by the HSM  
>> manufacturer. Ability to do this would be a consideration when  
>> selecting an HSM or soft token.
>
> I agree as well, I know of quite a few HSM manufacturers that use  
> the model described above (master key in the HSM, actual key  
> material stored on disk with ways to restore the master key). A good  
> example is nCipher.
>
> I'm pretty sure each manufacturer provides their own methods for  
> backing up and restoring key material and also for duplicating  
> security worlds across multiple distributed HSMs.
>
> In my opinion, functionality like key backup should be addressed in  
> something like a manual (it's something operators should at least  
> think about) but should not be solved by OpenDNSSEC. HSM  
> manufacturers have much more experience in this which should be  
> leveraged. Unfortunately they also have widely varying  
> implementations which makes it hard to specify a single statement on  
> how to go about backing up your keys :-(.

Even though backup of keys is outside the scope of our project, maybe
details on how each HSM handles backup and key storage are something we
should add to the Wiki on the HSM Comparison page?

http://www.opendnssec.se/wiki/HSM/Comparison

-- 
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
