[Opendnssec-develop] Creating keys

Roy Arends roy at nominet.org.uk
Tue Dec 2 14:39:42 CET 2008


Roland van Rijswijk <roland.vanrijswijk at surfnet.nl> wrote on 12/02/2008 02:18:46 PM:

> Hi Roy,
> 
> > Fwiw I do not see a market for USB tokens as a keystore in this sense. USB
> > tokens tend to get lost, stolen, or left connected to a device (or left in
> > a bar or taxi, if you work for British Government). Note that data needs
> > to be signed periodically and regularly. If you have a high value domain,
> > use a proper fips-140-2 level 4 HSM. If you have a huge number of highly
> > volatile domains, use an HSM that is specifically built for acceleration.
> > I think it is fine, in the general case, to have a softtoken.
> 
> I think a USB token could add something in some cases, as it provides
> better security than a softtoken. And there is of course no reason why
> the USB token could not be connected to the signer machine permanently
> (in which case it cannot easily be misplaced).
> 
> Another way to use a USB token could be as a master key for a soft token.
> 
> I think we should not dismiss the possibility of using USB tokens in the
> scenarios described, they are a cheap intermediate solution for
> hardware security...
> 
> On the other hand good arguments for not using USB tokens could be:
> 
> - Less durable than HSMs
> - Much slower than HSMs or a soft token (many orders of magnitude!)
> - Much harder (or even impossible) to back up
> 
> Just my 2 cents there.

Thanks Roland,

A few observations:

I want OpenDNSSEC to be PKCS11 compliant.
It seems that we must have a discussion on what compliance actually
entails. One extreme is full v2.20 with all the tidbits, bells and
whistles, and the other extreme is solely the very few functions, methods
and attributes of the pkcs11 library that we need for OpenDNSSEC.

However, what I'd like to avoid is that we restrict PKCS11 compliance to 
the least compliant device. 

Though USB tokens are very cheap and common, can be glued to a box and
do comply with PKCS11, I would not like them to be exemplary.

Roy Arends
Sr. Researcher
Nominet UK
