[Opendnssec-develop] HSM vendors and common key attributes
Rick van Rein
rick at openfortress.nl
Tue Dec 2 13:10:31 UTC 2008
Hi,
> In order to gauge how strict, please list the type of HSM to your avail
> that you will be able to test OpenDNSSEC against.
I have a pile of USB tokens that I've worked with, of all sorts of makes.
As Roland wrote, they are not as compatible as HSMs are. Still, I think
it is good to document the trouble I've seen.
> And here the attributes I'd recommend to have:
>
> CKA_KEY_TYPE
> CKA_LOCAL = CK_TRUE
-> I have had trouble with this one
> CKA_SIGN = CK_TRUE
> CKA_EXTRACTABLE = CK_FALSE
> CKA_NEVER_EXTRACTABLE = CK_TRUE
-> I have had trouble with this one
> CKA_SENSITIVE = CK_TRUE
> CKA_ALWAYS_SENSITIVE = CK_TRUE
-> I have had trouble with this one
Token middleware that solved the mentioned trouble: SafeSign and EnterSafe.
SafeSign is used for G&D STARCOS, Utimaco tokens.
EnterSafe is used for ePass tokens.
Cheers,
-Rick
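
An added example, not part of the original post or of OpenDNSSEC code: a C check of a key's reported attributes against the recommended values listed above, with the attribute codes taken from the PKCS#11 specification. The tri-state report, the verdict names, and the choice to downgrade rather than reject when one of the three attributes marked as troublesome is unavailable are assumptions of this example (the post does not say what the trouble was); CKA_KEY_TYPE is omitted because the list gives no value for it.

```c
#include <stddef.h>

/* Attribute type codes as defined by the PKCS#11 specification. */
#define CKA_SENSITIVE         0x103UL
#define CKA_SIGN              0x108UL
#define CKA_EXTRACTABLE       0x162UL
#define CKA_LOCAL             0x163UL
#define CKA_NEVER_EXTRACTABLE 0x164UL
#define CKA_ALWAYS_SENSITIVE  0x165UL

/* Hypothetical tri-state: what a caller recorded after querying the token. */
enum attr_state { ATTR_FALSE = 0, ATTR_TRUE = 1, ATTR_UNAVAILABLE = 2 };
struct attr_report { unsigned long type; enum attr_state state; };
enum verdict { KEY_OK = 0, KEY_UNVERIFIED = 1, KEY_REJECT = 2 };

/* Recommended values from the post; 'flagged' marks the three attributes
 * annotated there as having caused trouble on some tokens. */
static const struct { unsigned long type; int want; int flagged; } policy[] = {
    { CKA_LOCAL,             1, 1 },
    { CKA_SIGN,              1, 0 },
    { CKA_EXTRACTABLE,       0, 0 },
    { CKA_NEVER_EXTRACTABLE, 1, 1 },
    { CKA_SENSITIVE,         1, 0 },
    { CKA_ALWAYS_SENSITIVE,  1, 1 },
};

/* Compare a key's reported attributes against the policy.
 * A wrong value always rejects. A missing or unavailable value rejects
 * for unflagged attributes and downgrades to KEY_UNVERIFIED for flagged
 * ones (an assumption of this example, not a rule from the post). */
enum verdict check_key(const struct attr_report *r, size_t n)
{
    enum verdict v = KEY_OK;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        enum attr_state s = ATTR_UNAVAILABLE;
        for (size_t j = 0; j < n; j++)
            if (r[j].type == policy[i].type)
                s = r[j].state;
        if (s == ATTR_UNAVAILABLE) {
            if (!policy[i].flagged)
                return KEY_REJECT;
            v = KEY_UNVERIFIED;
        } else if ((int)s != policy[i].want) {
            return KEY_REJECT;
        }
    }
    return v;
}
```

KEY_UNVERIFIED means the key's origin and history could not be confirmed from the token itself, so an operator would need another source of evidence, such as the key generation record.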