[Opendnssec-develop] HSM vendors and common key attributes

Rick van Rein rick at openfortress.nl
Tue Dec 2 14:10:31 CET 2008


Hi,

> In order to gauge how strict, please list the type of HSM to your avail 
> that you will be able to test OpenDNSSEC against.

I have a pile of USB tokens that I've worked with, from all sorts of make.
As Roland wrote, they are not as compatible as HSMs are.  Still, I think
it is good to document the trouble I've seen.

> And here the attributes I'd recommend to have:
> 
> CKA_KEY_TYPE
> CKA_LOCAL = CK_TRUE
  -> I have had trouble with this one
> CKA_SIGN = CK_TRUE
> CKA_EXTRACTABLE = CK_FALSE
> CKA_NEVER_EXTRACTABLE = CK_TRUE
  -> I have had trouble with this one
> CKA_SENSITIVE = CK_TRUE
> CKA_ALWAYS_SENSITIVE = CK_TRUE
  -> I have had trouble with this one

Token middleware that solved the mentioned trouble: SafeSign and EnterSafe.
SafeSign is used for G&D STARCOS, Utimaco tokens.
EnterSafe is used for ePass tokens.


Cheers,
 -Rick



More information about the Opendnssec-develop mailing list