[Opendnssec-develop] Creating keys

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Tue Dec 2 13:45:43 UTC 2008

Hi Roy,

> A few observations:
> I want OpenDNSSEC to be PKCS11 compliant. 
> It seems that we must have a discussion on what compliancy actually 
> entails. One extreme is full v2.20 with all the tidbits, bells and 
> whistles, and the other extreme is solely the very few functions, methods 
> and attributes of the pkcs11 library that we need for OpenDNSSEC. 

Having written quite a few applications that used a PKCS #11 module
(both for HSMs and for simpler devices like USB tokens), I can
tell you you probably won't be needing the bells and whistles. As I
stated in another mail on the list, most attributes you think we need
are such basic attributes that a device cannot be called PKCS #11
compliant if it doesn't support them.

So I'd like to look at it from another viewpoint: in my opinion, any
PKCS #11 compliant module that supports the attributes we need should
work with OpenDNSSEC.

> However, what I'd like to avoid is that we restrict PKCS11 compliance to 
> the least compliant device. 

Agreed. It should be restricted to those devices that meet our needs.

> Though USB tokens are very cheap and common, can be glued to a box and 
> do comply with PKCS11, I would not like it to be exemplary. 

True, but I think Rick may have been a tad pessimistic about the state
of PKCS #11 modules for USB tokens. On another note though: many token
vendors don't support OSes other than Windows. If you're lucky they
support some Linux distributions and Mac OS X; very few support Solaris
or BSD.

I have a proposal for a different approach: I think it makes sense to
create a simple compliancy tool that tests for the attributes and PKCS
#11 functions that OpenDNSSEC needs. Any module that passes is
supported, any module that doesn't isn't. How does that sound to you?

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
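The compliance tool proposed above, sketched as an added example (not code from this list or from OpenDNSSEC): it loads a PKCS #11 module with ctypes, reads the module's CK_FUNCTION_LIST and reports which entry points a zone signer needs are absent. The set of required functions and the v2.20 function-list layout are assumptions made for the example.

```python
"""Minimal PKCS #11 compliance probe: load a module, fetch its function
list and report which of the functions a DNSSEC signer needs are missing."""
import ctypes

# Order of the function pointers in CK_FUNCTION_LIST (PKCS #11 v2.20).
FUNCTION_LIST_ORDER = (
    "C_Initialize C_Finalize C_GetInfo C_GetFunctionList C_GetSlotList "
    "C_GetSlotInfo C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo "
    "C_InitToken C_InitPIN C_SetPIN C_OpenSession C_CloseSession "
    "C_CloseAllSessions C_GetSessionInfo C_GetOperationState "
    "C_SetOperationState C_Login C_Logout C_CreateObject C_CopyObject "
    "C_DestroyObject C_GetObjectSize C_GetAttributeValue C_SetAttributeValue "
    "C_FindObjectsInit C_FindObjects C_FindObjectsFinal C_EncryptInit "
    "C_Encrypt C_EncryptUpdate C_EncryptFinal C_DecryptInit C_Decrypt "
    "C_DecryptUpdate C_DecryptFinal C_DigestInit C_Digest C_DigestUpdate "
    "C_DigestKey C_DigestFinal C_SignInit C_Sign C_SignUpdate C_SignFinal "
    "C_SignRecoverInit C_SignRecover C_VerifyInit C_Verify C_VerifyUpdate "
    "C_VerifyFinal C_VerifyRecoverInit C_VerifyRecover C_DigestEncryptUpdate "
    "C_DecryptDigestUpdate C_SignEncryptUpdate C_DecryptVerifyUpdate "
    "C_GenerateKey C_GenerateKeyPair C_WrapKey C_UnwrapKey C_DeriveKey "
    "C_SeedRandom C_GenerateRandom C_GetFunctionStatus C_CancelFunction "
    "C_WaitForSlotEvent").split()

# Assumed minimum a zone signer needs: sessions, login, key-pair generation,
# object lookup and attribute access, signing and a random source.
REQUIRED = (
    "C_Initialize", "C_Finalize", "C_GetSlotList", "C_GetTokenInfo",
    "C_GetMechanismList", "C_OpenSession", "C_CloseSession", "C_Login",
    "C_Logout", "C_GenerateKeyPair", "C_FindObjectsInit", "C_FindObjects",
    "C_FindObjectsFinal", "C_GetAttributeValue", "C_DestroyObject",
    "C_SignInit", "C_Sign", "C_GenerateRandom",
)

class CK_FUNCTION_LIST(ctypes.Structure):
    # CK_VERSION followed by the function pointers; natural alignment as on Unix.
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte),
                ("fn", ctypes.c_void_p * len(FUNCTION_LIST_ORDER))]

def missing_functions(present):
    """Required entry points that the module does not provide."""
    have = set(present)
    return [name for name in REQUIRED if name not in have]

def probe_module(path):
    """Return ((major, minor), missing) for the PKCS #11 module at `path`."""
    lib = ctypes.CDLL(path)
    get_list = lib.C_GetFunctionList
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    get_list.restype = ctypes.c_ulong  # CK_RV
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = get_list(ctypes.byref(fl))
    if rv != 0:  # anything but CKR_OK
        raise RuntimeError("C_GetFunctionList failed: 0x%x" % rv)
    present = [n for n, p in zip(FUNCTION_LIST_ORDER, fl.contents.fn) if p]
    return (fl.contents.major, fl.contents.minor), missing_functions(present)
```

Run `probe_module("/path/to/module.so")` against a candidate token; an empty `missing` list means it provides every entry point in the assumed set, while mechanism and attribute support still has to be checked in a live session.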
