[Opendnssec-develop] SoftHSM

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Tue Dec 2 13:05:53 CET 2008


Hello,

> The nuisance of this is that OpenDNSSEC, to be practical, would have to be
> configurable for the CKA_xxx flags it relies on, just to make up for any
> half-done middlewares.  I'd love to believe that HSM manufacturers are
> doing better, but honestly I doubt it.

In my experience, HSM manufacturers generally do a better job of
implementing PKCS #11 libraries than smart card manufacturers. Keep in
mind that HSMs are an order of magnitude more expensive and complex than
smart cards so they _need_ to support more CKA_xyz attributes.
Manufacturers of HSMs generally put more effort into their P #11
libraries. The only problem is that it is common practice for HSM
manufacturers to 'extend' the PKCS #11 API with vendor specific
functionality. In my opinion, if possible this kind of vendor specific
functionality should not be relied on.

On another note: even the worst smart card manufacturers implement the
common CKA_xyz attributes. Though I agree with Rick that there are many
bad implementations, this should not deter you from correctly using PKCS
#11 attributes. Maybe it is a good idea to give an insight into which
flags and attributes you want to use. I - and I believe Rick as well -
should be able to tell you what the correct usage of these attributes is
and whether or not they are commonly used...

Cheers,

Roland.

-- 

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl



More information about the Opendnssec-develop mailing list