[Opendnssec-develop] SoftHSM

Roy Arends roy at nominet.org.uk
Tue Dec 2 12:05:44 UTC 2008


Rick van Rein wrote on 12/02/2008 12:53:15 PM:

> Hello,
> 
> Thank you for the good discussion topics on this list.  As introduced by
> Roy last week, I've done a lot of PKCS #11 application development at
> OpenFortress, and will try to add my twopence to this discussion.
> 
> > To be clear, OpenDNSSEC is also capable of using a real HSM, one that
> > might store keys for encryption purposes as well. So if a pkcs11 template
> > is generated for a request, I'd like to contain CKA_SIGN=TRUE (at least)
> > and maybe even CKA_DECRYPT=FALSE.
> 
> There are several CKA_xxx attributes, and many are worthwhile to use.
> Among my favourites are the flags that tell the PKCS #11 implementation
> to avoid export, and to enforce keys having been generated on-token.
> 
> It has been my experience (mainly with USB tokens and smart cards) that
> support for the CKA_xxx flags is not proper and complete for most of the
> tokens, making many libraries fail if you are over-explicit.  I've
> been talking to quite a few manufacturers and got such flags implemented,
> but count on a period of months to wait before any middleware is improved
> if you rely on CKA_xxx flags too heavily.  My impression is that most
> token middleware is developed to work with a few browsers and a handful
> of mailers, and then shipped off.  The remaining flags often remain as
> TODO items until someone complains about them.
> 
> > In short, the softtoken does need to 
> > understand (or ignore, but not fail) those attributes.
> 
> This is precisely what worries me.  Ideally, I'd agree.  Practically though,
> it may be a serious show-stopper when deploying the OpenDNSSEC daemon on a
> given piece of hardware.
> 
> The nuisance of this is that OpenDNSSEC, to be practical, would have to be
> configurable for the CKA_xxx flags it relies on, just to make up for any
> half-done middlewares.  I'd love to believe that HSM manufacturers are
> doing better, but honestly I doubt it.

So much for PKCS11 compliant then.

I'll start a new thread on the list to eh, list the equipment we can test 
OpenDNSSEC's PKCS11 compliance reqs against.

Thanks for the info on this.

Roy Arends
Sr Researcher.
Nominet UK