[Opendnssec-develop] SoftHSM

Rick van Rein rick at openfortress.nl
Tue Dec 2 11:53:15 UTC 2008

Hash: SHA1


Thank you for the good discussion topics on this list.  As introduced by
Roy last week, I've done a lot of PKCS #11 application development at
OpenFortress, and will try to add my twopence to this discussion.

> To be clear, OpenDNSSEC is also capable of using a real HSM, one that 
> might store keys for encryption purposes as well. So if a pkcs11 template 
> is generated for a request, I'd like to contain CKA_SIGN=TRUE (at least) 
> and maybe even CKA_DECRYPT=FALSE.

There are several CKA_xxx attributes, and many are worthwhile to use.
Among my favourites are the flags that tell the PKCS #11 implementation
to avoid export, and to enforce keys having been generated on-token.

It has been my experience (mainly with USB tokens and smart cards) that
support for the CKA_xxx flags is not proper and complete for most of the
tokens, making many libraries will fail if you are over-explicit.  I've
been talking to quite a few manufacturers and got such flags implemented,
but count on a period of months to wait before any middleware is improved
if you rely on CKA_xxx flags too heavily.  My impression is that most
token middleware is developed to work with a few browsers and a handful
of mailers, and then shipped off.  The remaining flags often remain as
TODO items until someone complains about them.

> In short, the softtoken does need to 
> understand (or ignore, but not fail) those attributes.

This is precisely what worries me.  Ideally, I'd agree.  Practically though,
it may be a serious show-stopper when deploying the OpenDNSSEC daemon on a
given piece of hardware.

The nuisance of this is that OpenDNSSEC, to be practical, would have to be
configurable for the CKA_xxx flags it relies on, just to make up for any
half-done middlewares.  I'd love to believe that HSM manufacturers are
doing better, but honestly I doubt it.


Rick van Rein
OpenFortress Digital signatures

Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: New to PGP? http://openfortress.nl/doc/essay/OpenPGP/index.nl.html


More information about the Opendnssec-develop mailing list