roy at nominet.org.uk
Tue Dec 2 13:05:44 CET 2008
Rick van Rein wrote on 12/02/2008 12:53:15 PM:
> Thank you for the good discussion topics on this list. As introduced by
> Roy last week, I've done a lot of PKCS #11 application development at
> OpenFortress, and will try to add my twopence to this discussion.
> > To be clear, OpenDNSSEC is also capable of using a real HSM, one that
> > might store keys for encryption purposes as well. So if a pkcs11
> > is generated for a request, I'd like to contain CKA_SIGN=TRUE (at
> > and maybe even CKA_DECRYPT=FALSE.
> There are several CKA_xxx attributes, and many are worthwhile to use.
> Among my favourites are the flags that tell the PKCS #11 implementation
> to avoid export, and to enforce keys having been generated on-token.
> It has been my experience (mainly with USB tokens and smart cards) that
> support for the CKA_xxx flags is not proper and complete for most of the
> tokens, meaning many libraries will fail if you are over-explicit. I've
> been talking to quite a few manufacturers and got such flags
> but count on a period of months to wait before any middleware is
> if you rely on CKA_xxx flags too heavily. My impression is that most
> token middleware is developed to work with a few browsers and a handful
> of mailers, and then shipped off. The remaining flags often remain as
> TODO items until someone complains about them.
> > In short, the softtoken does need to
> > understand (or ignore, but not fail) those attributes.
> This is precisely what worries me. Ideally, I'd agree. Practically
> it may be a serious show-stopper when deploying the OpenDNSSEC daemon on a
> given piece of hardware.
> The nuisance of this is that OpenDNSSEC, to be practical, would have to be
> configurable for the CKA_xxx flags it relies on, just to make up for any
> half-done middlewares. I'd love to believe that HSM manufacturers are
> doing better, but honestly I doubt it.
So much for PKCS11 compliance then.
I'll start a new thread on the list to eh, list the equipment we can test
OpenDNSSEC's PKCS11 compliance reqs against.
Thanks for the info on this.
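The approach Rick describes, a key-generation template whose hardening attributes are configurable so that half-done middleware does not make the daemon fail, can be sketched in a few lines. The following is an added example written for this thread, not OpenDNSSEC code and not anyone's real middleware: `SimulatedToken` is a constructed stand-in whose `unknown` set models attribute types the middleware rejects with CKR_ATTRIBUTE_TYPE_INVALID and whose `ignored` set models attributes it accepts but does not enforce. The attribute and return-code constants are the numeric values from the PKCS #11 specification; everything else (the probe, the policy read-back, the function names) is this example's own design. A real deployment would issue the same steps as C_GenerateKeyPair, C_GetAttributeValue and C_DestroyObject through a PKCS #11 binding.

```python
"""PKCS #11 attribute-template negotiation with a post-generation read-back.

Added example, not OpenDNSSEC code.  SimulatedToken is a constructed
stand-in for a token/middleware pair.  A real deployment would drive
C_GenerateKeyPair / C_GetAttributeValue / C_DestroyObject instead.
"""

# Attribute types and return codes; numeric values as in the PKCS #11 spec.
CKA_TOKEN, CKA_PRIVATE = 0x001, 0x002
CKA_SENSITIVE, CKA_DECRYPT, CKA_SIGN = 0x103, 0x105, 0x108
CKA_EXTRACTABLE, CKA_LOCAL = 0x162, 0x163
CKR_OK, CKR_ATTRIBUTE_TYPE_INVALID = 0x00, 0x12

NAMES = {CKA_TOKEN: "CKA_TOKEN", CKA_PRIVATE: "CKA_PRIVATE",
         CKA_SENSITIVE: "CKA_SENSITIVE", CKA_DECRYPT: "CKA_DECRYPT",
         CKA_SIGN: "CKA_SIGN", CKA_EXTRACTABLE: "CKA_EXTRACTABLE",
         CKA_LOCAL: "CKA_LOCAL"}

# What the application insists on, and the hardening attributes it would
# like to set but must be able to live without on middleware that rejects
# them.  HARDENING is the operator-configurable list the thread asks for.
REQUIRED = {CKA_TOKEN: True, CKA_PRIVATE: True, CKA_SIGN: True}
HARDENING = {CKA_DECRYPT: False, CKA_SENSITIVE: True, CKA_EXTRACTABLE: False}


class SimulatedToken:
    """Constructed stand-in for a token/middleware pair (not real middleware)."""

    def __init__(self, unknown=(), ignored=()):
        self.unknown, self.ignored = set(unknown), set(ignored)
        self.objects, self.next_handle = {}, 1

    def generate_key(self, template):
        """Mimics C_GenerateKeyPair for the private half: rejects unknown
        attribute types, silently drops ignored ones, then applies defaults.
        The spec leaves these defaults token-specific; this stand-in picks
        the weak ones on purpose so the read-back below has something to find."""
        if any(attr in self.unknown for attr in template):
            return CKR_ATTRIBUTE_TYPE_INVALID, None
        stored = {a: v for a, v in template.items() if a not in self.ignored}
        stored.setdefault(CKA_SENSITIVE, False)
        stored.setdefault(CKA_EXTRACTABLE, True)
        stored.setdefault(CKA_DECRYPT, True)
        stored[CKA_LOCAL] = True   # set by the token itself, never by the caller
        handle, self.next_handle = self.next_handle, self.next_handle + 1
        self.objects[handle] = stored
        return CKR_OK, handle

    def get_attribute(self, handle, attr):
        return self.objects[handle].get(attr)

    def destroy_object(self, handle):
        del self.objects[handle]


def probe_hardening(token, hardening=HARDENING):
    """Find out which hardening attributes this middleware accepts by trying
    each one on a throw-away key (done once at startup, keys destroyed).
    Returns (accepted, rejected) as attribute->value dicts."""
    accepted, rejected = {}, {}
    for attr, value in hardening.items():
        rc, handle = token.generate_key({**REQUIRED, attr: value})
        if rc == CKR_OK:
            accepted[attr] = value
            token.destroy_object(handle)
        else:
            rejected[attr] = value
    return accepted, rejected


def generate_signing_key(token, hardening=HARDENING):
    """Generate the real key with every accepted hardening attribute and
    report the names of the ones that had to be dropped, so the operator
    can decide whether that is acceptable for this particular hardware."""
    accepted, rejected = probe_hardening(token, hardening)
    rc, handle = token.generate_key({**REQUIRED, **accepted})
    if rc != CKR_OK:
        raise RuntimeError(f"key generation failed, CKR=0x{rc:02x}")
    return handle, [NAMES[attr] for attr in rejected]


def verify_key_policy(token, handle, policy=None):
    """Read the attributes back after generation.  Accepting an attribute in
    the template is not the same as enforcing it, so the read-back is the
    only evidence that the key is on-token, sensitive and non-extractable.
    Returns a list of (attribute name, value seen) for every mismatch."""
    policy = policy or {CKA_LOCAL: True, CKA_SENSITIVE: True,
                        CKA_EXTRACTABLE: False, CKA_DECRYPT: False}
    seen = {attr: token.get_attribute(handle, attr) for attr in policy}
    return [(NAMES[attr], seen[attr])
            for attr, want in policy.items() if seen[attr] != want]


if __name__ == "__main__":
    # Middleware that has never heard of CKA_EXTRACTABLE and quietly ignores
    # CKA_DECRYPT: generation succeeds, but the read-back shows what held.
    tok = SimulatedToken(unknown={CKA_EXTRACTABLE}, ignored={CKA_DECRYPT})
    h, dropped = generate_signing_key(tok)
    print("dropped from template:", dropped)
    print("policy violations:", verify_key_policy(tok, h))
```

The two-step shape is the point: the probe keeps the daemon running on tokens that choke on unfamiliar attribute types, and the read-back catches the other failure mode Rick describes, middleware that accepts a flag and then never enforces it. What to do with a non-empty violation list (refuse the key, or log and carry on) is the policy decision that has to be left to the operator. The probe tests attributes one at a time, so a rejection that only occurs for a particular combination (CKR_TEMPLATE_INCONSISTENT) would still surface at the final generation call.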