Rick van Rein
rick at openfortress.nl
Tue Dec 2 12:53:15 CET 2008
Thank you for the good discussion topics on this list. As introduced by
Roy last week, I've done a lot of PKCS #11 application development at
OpenFortress, and will try to add my twopence to this discussion.
> To be clear, OpenDNSSEC is also capable of using a real HSM, one that
> might store keys for encryption purposes as well. So if a pkcs11 template
> is generated for a request, I'd like it to contain CKA_SIGN=TRUE (at least)
> and maybe even CKA_DECRYPT=FALSE.
There are several CKA_xxx attributes, and many are worthwhile to use.
Among my favourites are the flags that tell the PKCS #11 implementation
to avoid export, and to enforce keys having been generated on-token.
It has been my experience (mainly with USB tokens and smart cards) that
support for the CKA_xxx flags is not proper and complete for most of the
tokens, making many libraries fail if you are over-explicit. I've
been talking to quite a few manufacturers and got such flags implemented,
but count on a period of months to wait before any middleware is improved
if you rely on CKA_xxx flags too heavily. My impression is that most
token middleware is developed to work with a few browsers and a handful
of mailers, and then shipped off. The remaining flags often remain as
TODO items until someone complains about them.
> In short, the softtoken does need to
> understand (or ignore, but not fail) those attributes.
This is precisely what worries me. Ideally, I'd agree. Practically though,
it may be a serious show-stopper when deploying the OpenDNSSEC daemon on a
given piece of hardware.
The nuisance of this is that OpenDNSSEC, to be practical, would have to be
configurable for the CKA_xxx flags it relies on, just to make up for any
half-done middlewares. I'd love to believe that HSM manufacturers are
doing better, but honestly I doubt it.
Rick van Rein
OpenFortress Digital signatures
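
An added example, not part of the original message or of OpenDNSSEC's code: one way the configurable CKA_xxx handling discussed above could look, with each flag marked required or optional so that only optional ones are dropped when middleware rejects the template. The `key_flag` struct, `generate_with_policy`, the mock tokens and the sample policy are hypothetical; the CK_ types and constants are local stand-ins carrying the values from the PKCS #11 specification.

```c
#include <stddef.h>
/* Stand-ins so this builds without a vendor pkcs11.h; values are from the PKCS #11 spec. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CKA_DECRYPT                0x105UL
#define CKA_SIGN                   0x108UL
#define CKA_EXTRACTABLE            0x162UL
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CKR_TEMPLATE_INCONSISTENT  0xD1UL

/* Hypothetical config entry: one CKA_xxx flag wanted on the private key. */
struct key_flag { CK_ULONG type; CK_BBOOL value; int required; };
/* Generator callback; a real daemon would wrap C_GenerateKeyPair here. */
typedef CK_ULONG (*gen_fn)(const struct key_flag *tmpl, size_t n);

/* Try the full template. If the token rejects the template, retry once with
 * only the required flags. Required flags are never dropped, so a token that
 * cannot honour them fails closed. *dropped is valid when CKR_OK is returned. */
CK_ULONG generate_with_policy(const struct key_flag *cfg, size_t n,
                              gen_fn gen, size_t *dropped)
{
    struct key_flag req[16];
    size_t i, m = 0;
    CK_ULONG rv = gen(cfg, n);
    *dropped = 0;
    if ((rv != CKR_ATTRIBUTE_TYPE_INVALID && rv != CKR_TEMPLATE_INCONSISTENT) || n > 16)
        return rv;                    /* success, or an error a retry cannot fix */
    for (i = 0; i < n; i++)
        if (cfg[i].required) req[m++] = cfg[i];
    if (m == n) return rv;            /* nothing optional left to drop */
    *dropped = n - m;
    return gen(req, m);
}

/* Constructed sample policy (assumption): signing-only, non-exportable key. */
const struct key_flag sample_cfg[] = {
    { CKA_SIGN,        1, 1 },
    { CKA_EXTRACTABLE, 0, 1 },
    { CKA_DECRYPT,     0, 0 },   /* optional: dropped if the middleware rejects it */
};

/* Constructed mocks of half-done middleware: each fails on one attribute type. */
static CK_ULONG reject(const struct key_flag *t, size_t n, CK_ULONG bad) {
    for (size_t i = 0; i < n; i++)
        if (t[i].type == bad) return CKR_ATTRIBUTE_TYPE_INVALID;
    return CKR_OK;
}
CK_ULONG mock_no_decrypt(const struct key_flag *t, size_t n) { return reject(t, n, CKA_DECRYPT); }
CK_ULONG mock_no_extractable(const struct key_flag *t, size_t n) { return reject(t, n, CKA_EXTRACTABLE); }
```

A caller should log a non-zero `dropped` and read the key's attributes back with C_GetAttributeValue, since a flag left out of the template takes the token's default.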