[Opendnssec-develop] Creating keys
Roy Arends
roy at nominet.org.uk
Tue Dec 2 13:49:23 UTC 2008
Rick van Rein wrote on 12/02/2008 02:26:29 PM:
> Hello,
>
> > I think a USB token could add something in some cases, as it provides
> > better security than a softtoken.
>
> Yes. Think of the need to enter a PIN after reboot. Won't work if
> someone tries to assault your system by booting off a Live CD.
>
> > And there is of course no reason why
> > the USB token could not be connected to the signer machine permanently
> > (in which case it cannot easily be misplaced).
>
> Blade systems often have an internal USB port intended for this purpose.
> This could be useful for rack-stored solutions at low (extra) cost.
I apologize for treating USB tokens as a second-rate citizen. They have
dibs on HSM tags as well ;-)
Let's continue to help Rickard getting the softtoken both pkcs11 and
OpenDNSSEC compliant.
Roy