[Opendnssec-develop] SoftHSM

Rick van Rein rick at openfortress.nl
Tue Dec 2 13:59:02 CET 2008


Hi,

> In my experience, HSM manufacturers generally do a better job of
> implementing PKCS #11 libraries than smart card manufacturers.

Glad to hear it.  Even though I believe USB tokens should be taken
into consideration, they are so widespread that one that works will
suffice.

> Keep in
> mind that HSMs are an order of magnitude more expensive and complex than
> smart cards so they _need_ to support more CKA_xyz attributes.

I considered it, but wondered if their total income would be higher than
that of token manufacturers.  Alas, I have no experience with HSMs.

> On another note: even the worst smart card manufacturers implement the
> common CKA_xyz attributes. Though I agree with Rick that there are many
> bad implementations, this should not deter you from correctly using PKCS
> #11 attributes. Maybe it is a good idea to give an insight into which
> flags and attributes you want to use. I - and I believe Rick as well -
> should be able to tell you what the correct usage of these attributes is
> and whether or not they are commonly used...

Yes, indeed.

-Rick



More information about the Opendnssec-develop mailing list