[Opendnssec-develop] Creating keys
Roland van Rijswijk
roland.vanrijswijk at surfnet.nl
Tue Dec 2 13:45:43 UTC 2008
> A view observations:
> I want OpenDNSSEC to be PKCS11 compliant.
> It seems that we must have a discussion on what compliancy actually
> entails. One extreme is full v2.20 with all the tidbits, bells and
> whistles, and the other extreme is solely the very few functions, methods
> and attributes of the pkcs11 library that we need for OpenDNSSEC.
Having written quite a few applications that used a PKCS #11 module
(both for HSMs as well as for simpler devices liken USB tokens), I can
tell you you probably won't be needing the bells and whistles. As I
stated in another mail on the list, most attributes you think we need
are such basic attributes that a device cannot be called PKCS #11
compliant if it doesn't support them.
So I'd like to look at it from another viewpoint: in my opinion, any
PKCS #11 compliant module that supports the attributes we need should
work with OpenDNSSEC.
> However, what I'd like to avoid is that we restrict PKCS11 compliance to
> the least compliant device.
Agreed. It should be restricted to those devices that meet our needs.
> Though USB tokens are very cheap and common, can be glued to a box and
> does comply with PKCS11, I would not like it to be exemplary.
True, but I think Rick may have been a tad pessimistic about the state
of PKCS #11 modules for USB tokens. On another note though: many token
vendors don't support OSes other than Windows. If you're lucky they
support some Linux distributions and Mac OS X, very few support Solaris
I have a proposal for a different approach: I think it makes sense to
create a simple compliancy tool that tests for the attributes and PKCS
#11 functions that OpenDNSSEC needs. Any module that passes is
supported, any module that doesn't isn't. How does that sound to you?
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
More information about the Opendnssec-develop