[Opendnssec-develop] SoftHSM
Rick van Rein
rick at openfortress.nl
Tue Dec 2 12:59:02 UTC 2008
Hi,
> In my experience, HSM manufacturers generally do a better job of
> implementing PKCS #11 libraries than smart card manufacturers.
Glad to hear it. Even though I believe USB tokens should be taken
into consideration, they are so widespread that one that works will
suffice.
> Keep in mind that HSMs are an order of magnitude more expensive and
> complex than smart cards so they _need_ to support more CKA_xyz attributes.
I considered it, but wondered if their total income would be higher than
that of token manufacturers. Alas, I have no experience with HSMs.
> On another note: even the worst smart card manufacturers implement the
> common CKA_xyz attributes. Though I agree with Rick that there are many
> bad implementations, this should not deter you from correctly using PKCS
> #11 attributes. Maybe it is a good idea to give an insight into which
> flags and attributes you want to use. I - and I believe Rick as well -
> should be able to tell you what the correct usage of these attributes is
> and whether or not they are commonly used...
Yes, indeed.
-Rick