[Opendnssec-develop] Creating keys
roy at nominet.org.uk
Tue Dec 2 13:39:42 UTC 2008
Roland van Rijswijk <roland.vanrijswijk at surfnet.nl> wrote on 12/02/2008
> Hi Roy,
> > Fwiw I do not see a market for USB tokens as a keystore in this sense.
> > tokens tend to get lost, stolen, or left connected to a device (or
> > a bar or taxi, if you work for British Government). Note that data
> > to be signed periodically and regularly. If you have a high value
> > use a proper fips-140-2 level 4 HSM. If you have huge number of highly
> > volatile domains, use an HSM that is specifically built for
> > I think it is fine, in the general case, to have a softtoken.
> I think a USB token could add something in some cases, as it provides
> better security than a softtoken. And there is of course no reason why
> the USB token could not be connected to the signer machine permanently
> (in which case it cannot easily be misplaced).
> Another way to use a USB token could be as a master key for a soft
> I think we should not dismiss the possibility of using USB tokens in the
> scenarios described, they are a cheap intermediate solution for
> hardware security...
> On the other hand good arguments for not using USB tokens could be:
> - Less durable than HSMs
> - Much slower than HSMs or a soft token (many orders of magnitude!)
> - Much harder (or even impossible) to back up
> Just my 2 cents there.
A few observations:
I want OpenDNSSEC to be PKCS11 compliant.
It seems that we must have a discussion on what compliance actually
entails. One extreme is full v2.20 with all the tidbits, bells and
whistles, and the other extreme is solely the very few functions, methods
and attributes of the pkcs11 library that we need for OpenDNSSEC.
However, what I'd like to avoid is that we restrict PKCS11 compliance to
the least compliant device.
Though USB tokens are very cheap and common, can be glued to a box and
do comply with PKCS11, I would not like them to be exemplary.
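One concrete way to keep "the few functions we need" and "full v2.20" on the same footing is to write the required subset down and check candidate modules against it. The probe below is an added example for this thread, not OpenDNSSEC code and not something any participant posted. It loads a PKCS#11 shared object, asks for its CK_FUNCTION_LIST, and reports which of the 68 v2.20 entry points are actually exported and which of an assumed minimal signer subset are missing. The subset (DNSSEC_SIGNER_SUBSET), the module path in the usage line, and the natural-alignment struct layout are assumptions made for the example; the fake_function_list helper builds a constructed in-memory table so the checks can be exercised without a token.

```python
"""Probe a PKCS#11 module for the entry points a DNSSEC signer needs.

Added illustration for this thread; it is not OpenDNSSEC code.  Assumptions:
the struct layout is PKCS#11 v2.20's CK_FUNCTION_LIST (a CK_VERSION header
followed by 68 function pointers in spec order) with the platform's natural
alignment, and DNSSEC_SIGNER_SUBSET is a subset chosen for the example, not
a list the project publishes.
"""
import ctypes
import sys

# Every entry point in PKCS#11 v2.20, in CK_FUNCTION_LIST order.  The order
# matters: it is what maps a pointer slot in the struct back to a name.
PKCS11_V220_FUNCTIONS = [
    "C_Initialize", "C_Finalize", "C_GetInfo", "C_GetFunctionList",
    "C_GetSlotList", "C_GetSlotInfo", "C_GetTokenInfo", "C_GetMechanismList",
    "C_GetMechanismInfo", "C_InitToken", "C_InitPIN", "C_SetPIN",
    "C_OpenSession", "C_CloseSession", "C_CloseAllSessions", "C_GetSessionInfo",
    "C_GetOperationState", "C_SetOperationState", "C_Login", "C_Logout",
    "C_CreateObject", "C_CopyObject", "C_DestroyObject", "C_GetObjectSize",
    "C_GetAttributeValue", "C_SetAttributeValue", "C_FindObjectsInit",
    "C_FindObjects", "C_FindObjectsFinal", "C_EncryptInit", "C_Encrypt",
    "C_EncryptUpdate", "C_EncryptFinal", "C_DecryptInit", "C_Decrypt",
    "C_DecryptUpdate", "C_DecryptFinal", "C_DigestInit", "C_Digest",
    "C_DigestUpdate", "C_DigestKey", "C_DigestFinal", "C_SignInit", "C_Sign",
    "C_SignUpdate", "C_SignFinal", "C_SignRecoverInit", "C_SignRecover",
    "C_VerifyInit", "C_Verify", "C_VerifyUpdate", "C_VerifyFinal",
    "C_VerifyRecoverInit", "C_VerifyRecover", "C_DigestEncryptUpdate",
    "C_DecryptDigestUpdate", "C_SignEncryptUpdate", "C_DecryptVerifyUpdate",
    "C_GenerateKey", "C_GenerateKeyPair", "C_WrapKey", "C_UnwrapKey",
    "C_DeriveKey", "C_SeedRandom", "C_GenerateRandom", "C_GetFunctionStatus",
    "C_CancelFunction", "C_WaitForSlotEvent",
]

# Assumed minimal subset for a zone signer: init/teardown, slot discovery,
# session and PIN handling, key-pair generation, object lookup and cleanup,
# single-part signing, and an RNG.  An assumption for this example only.
DNSSEC_SIGNER_SUBSET = [
    "C_Initialize", "C_Finalize", "C_GetSlotList", "C_GetTokenInfo",
    "C_OpenSession", "C_CloseSession", "C_Login", "C_Logout",
    "C_GenerateKeyPair", "C_DestroyObject", "C_FindObjectsInit",
    "C_FindObjects", "C_FindObjectsFinal", "C_GetAttributeValue",
    "C_SignInit", "C_Sign", "C_GenerateRandom",
]


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_FUNCTION_LIST(ctypes.Structure):
    # Pointers are modelled as void* because we only test them for NULL.
    _fields_ = [("version", CK_VERSION)] + [
        (name, ctypes.c_void_p) for name in PKCS11_V220_FUNCTIONS
    ]


def implemented_functions(fl):
    """Return the set of entry points whose slot in fl is non-NULL."""
    return {name for name in PKCS11_V220_FUNCTIONS if getattr(fl, name)}


def missing_functions(implemented, required=DNSSEC_SIGNER_SUBSET):
    """Return required entry points absent from implemented, in subset order."""
    return [name for name in required if name not in implemented]


def fake_function_list(names, major=2, minor=20):
    """Build a constructed in-memory CK_FUNCTION_LIST with the given names set.

    The slots hold a dummy non-NULL value and are not callable; this only
    exercises the NULL checks without a real token.
    """
    fl = CK_FUNCTION_LIST()
    fl.version.major, fl.version.minor = major, minor
    for name in names:
        setattr(fl, name, 0x1)  # any non-NULL value marks the slot present
    return fl


def probe_module(path, required=DNSSEC_SIGNER_SUBSET):
    """Load a PKCS#11 shared object; return (version, implemented, missing).

    C_GetFunctionList is the one symbol every module must export; every
    other entry point is reached through the struct it hands back.
    """
    lib = ctypes.CDLL(path)
    get_list = lib.C_GetFunctionList
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    get_list.restype = ctypes.c_ulong  # CK_RV
    pfl = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = get_list(ctypes.byref(pfl))
    if rv != 0:  # CKR_OK
        raise RuntimeError("C_GetFunctionList failed: CK_RV 0x%x" % rv)
    fl = pfl.contents
    present = implemented_functions(fl)
    version = (fl.version.major, fl.version.minor)
    return version, present, missing_functions(present, required)


if __name__ == "__main__":
    # Usage: python probe.py /path/to/module.so  (path is an assumption)
    version, present, missing = probe_module(sys.argv[1])
    print("PKCS#11 %d.%d, %d of %d entry points exported"
          % (version[0], version[1], len(present), len(PKCS11_V220_FUNCTIONS)))
    print("missing from signer subset:", missing or "none")
```

The probe only inspects the function table, not behaviour: the specification lets a module fill every slot with a stub that returns CKR_FUNCTION_NOT_SUPPORTED, so an empty "missing" list is a necessary first filter for a candidate token, not proof that it is compliant. A mechanism check (C_GetMechanismList for the signing algorithms you need) and an actual C_GenerateKeyPair/C_Sign round trip are the next two steps.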