[Opendnssec-develop] Creating keys

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Tue Dec 2 13:18:46 UTC 2008

Hi Roy,

> Fwiw I do not see a market for USB tokens as a keystore in this sense. USB 
> tokens tend to get lost, stolen, or left connected to a device (or left in 
> a bar or taxi, if you work for British Government). Note that data needs 
> to be signed periodically and regularly. If you have a high value domain, 
> use a proper FIPS 140-2 level 4 HSM. If you have a huge number of highly
> volatile domains, use an HSM that is specifically built for acceleration.
> I think it is fine, in the general case, to have a softtoken.

I think a USB token could add something in some cases, as it provides
better security than a softtoken. And there is of course no reason why
the USB token could not be connected to the signer machine permanently
(in which case it cannot easily be misplaced).

Another way to use a USB token could be as a master key for a soft token.

I think we should not dismiss the possibility of using USB tokens in the
scenarios described, they are a cheap intermediate solution for
hardware security...

On the other hand good arguments for not using USB tokens could be:

- Less durable than HSMs
- Much slower than HSMs or a soft token (many orders of magnitude!)
- Much harder (or even impossible) to back up

Just my 2 cents there.

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
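
[Editor's note: the following is an added example for the "USB token as a
master key for a soft token" idea in the message above. It is not part of
Roland's message and not OpenDNSSEC code. The token is simulated by a
32-byte key held in memory; AES-256-GCM as the wrapping algorithm, ECDSA
P-256 as the zone key, and the `wrapAAD` label are choices made for this
example. With a real PKCS#11 token the key-encryption key would stay on the
device and the blob would be unwrapped with C_UnwrapKey instead.]

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// wrapAAD binds a wrapped blob to its purpose so a blob for one key slot
// cannot be replayed into another. Constructed label for this example.
var wrapAAD = []byte("softtoken-zsk-v1")

// MasterKey stands in for the key-encryption key that would live on the
// USB token. Here it is plain memory (simulation); on a real token the
// host would never see it and the token would perform the unwrap.
type MasterKey struct{ kek []byte }

func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &MasterKey{kek: k}, nil
}

func (m *MasterKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(m.kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey serialises the soft token's private key as PKCS#8 DER and seals
// it under the master key. Blob layout: nonce || ciphertext || GCM tag.
// Only this blob needs to be stored (and backed up) on the signer host.
func (m *MasterKey) WrapKey(priv *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	gcm, err := m.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, der, wrapAAD), nil
}

// UnwrapKey reverses WrapKey. A wrong master key, or any modification of
// the blob, fails the GCM tag check and yields an error instead of a key.
func (m *MasterKey) UnwrapKey(blob []byte) (*ecdsa.PrivateKey, error) {
	gcm, err := m.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	der, err := gcm.Open(nil, nonce, ct, wrapAAD)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PrivateKey)
	if !ok {
		return nil, errors.New("wrapped key is not an ECDSA key")
	}
	return ec, nil
}

// SignData signs in software: after one unwrap at signer start-up the
// periodic re-signing runs at soft-token speed and never touches the token.
func SignData(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func VerifyData(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	mk, _ := NewMasterKey()
	zsk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	blob, _ := mk.WrapKey(zsk) // this is what sits on disk
	key, err := mk.UnwrapKey(blob)
	if err != nil {
		panic(err)
	}
	rr := []byte("example. 3600 IN A 192.0.2.1") // constructed sample RR
	sig, _ := SignData(key, rr)
	fmt.Println("signature verifies:", VerifyData(&zsk.PublicKey, rr, sig))
	other, _ := NewMasterKey()
	_, err = other.UnwrapKey(blob)
	fmt.Println("unwrap with wrong master key:", err)
}
```

The point of the split is that losing the host disk (or a backup of it)
exposes only wrapped blobs, while the token does one unwrap per start-up
rather than one signature per RRset, which sidesteps the speed objection.
The backup objection remains: losing the token still means losing every
key wrapped under it.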
