[Opendnssec-develop] Creating keys

Roy Arends roy at nominet.org.uk
Tue Dec 2 14:49:23 CET 2008


Rick van Rein wrote on 12/02/2008 02:26:29 PM:

> Hello,
> 
> > I think a USB token could add something in some cases, as it provides
> > better security than a softtoken.
> 
> Yes.  Think of the need to enter a PIN after reboot.  Won't work if
> someone tries to assault your system by booting off a Live CD.
> 
> > And there is of course no reason why
> > the USB token could not be connected to the signer machine permanently
> > (in which case it cannot easily be misplaced).
> 
> Blade systems often have an internal USB port intended for this purpose.
> This could be useful for rack-stored solutions at low (extra) cost.

I apologize for treating USB tokens as a second rate citizen. They have 
dibs on HSM tags as well ;-) 

Lets continue to help Rickard getting the softtoken both pkcs11 and 
OpenDNSSEC compliant.

Roy



More information about the Opendnssec-develop mailing list