[Opendnssec-develop] Creating keys
Roy Arends
roy at nominet.org.uk
Tue Dec 2 13:56:29 UTC 2008
Roland van Rijswijk <roland.vanrijswijk at surfnet.nl> wrote on 12/02/2008 02:45:43 PM:
> Hi Roy,
>
> > A few observations:
> >
> > I want OpenDNSSEC to be PKCS11 compliant.
> > It seems that we must have a discussion on what compliancy actually
> > entails. One extreme is full v2.20 with all the tidbits, bells and
> > whistles, and the other extreme is solely the very few functions, methods
> > and attributes of the pkcs11 library that we need for OpenDNSSEC.
>
> Having written quite a few applications that used a PKCS #11 module
> (both for HSMs as well as for simpler devices like USB tokens), I can
> tell you that you probably won't be needing the bells and whistles.
I agree.
> As I
> stated in another mail on the list, most attributes you think we need
> are such basic attributes that a device cannot be called PKCS #11
> compliant if it doesn't support them.
I agree.
> So I'd like to look at it from another viewpoint: in my opinion, any
> PKCS #11 compliant module that supports the attributes we need should
> work with OpenDNSSEC.
>
> > However, what I'd like to avoid is that we restrict PKCS11 compliance to
> > the least compliant device.
>
> Agreed. It should be restricted to those devices that meet our needs.
>
> > Though USB tokens are very cheap and common, can be glued to a box and
> > do comply with PKCS11, I would not like it to be exemplary.
>
> True, but I think Rick may have been a tad pessimistic about the state
> of PKCS #11 modules for USB tokens. On another note though: many token
> vendors don't support OSes other than Windows. If you're lucky they
> support some Linux distributions and Mac OS X, very few support Solaris
> or BSD.
ok.
> I have a proposal for a different approach: I think it makes sense to
> create a simple compliancy tool that tests for the attributes and PKCS
> #11 functions that OpenDNSSEC needs. Any module that passes is
> supported, any module that doesn't isn't. How does that sound to you?
Sounds good. This will not be core-OpenDNSSEC, but would be a contrib tool
so to speak. Anyone on the list care to write such a thingy?
(if not, I could write it and add it to the hsm-tools set at
http://download.nominet.org.uk/hsm-tools/hsm-tools.tar.gz )
Roy Arends
Sr. Researcher
Nominet UK
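The compliance tool Roland proposes above, sketched as an added example; this is not code from the thread, from OpenDNSSEC, or from the hsm-tools tarball. It loads a PKCS #11 module through C_GetFunctionList, records which entry points in CK_FUNCTION_LIST are non-NULL, and asks every token-present slot for the mechanisms a signer would use. The thread does not list which functions and attributes OpenDNSSEC needs, so REQUIRED_FUNCTIONS and REQUIRED_MECHANISMS are this example's own assumption (enough to generate, find, sign with and destroy RSA keys); it also assumes a v2.20 module using the unpacked Unix struct layout, which is what the ctypes structures below reproduce.

```python
"""PKCS#11 capability probe: does a module offer what an RSA DNSSEC signer needs?
Added example, not OpenDNSSEC or hsm-tools code. Assumes a v2.20 module with the
unpacked (Unix) struct layout; REQUIRED_* are this example's own assumption."""
import sys
import ctypes
from ctypes import CFUNCTYPE, POINTER, byref, c_ubyte, c_ulong, c_void_p

CKR_OK, CK_TRUE = 0, 1
# Mechanism and flag codes as numbered in pkcs11t.h (v2.20).
CKM = {"CKM_RSA_PKCS_KEY_PAIR_GEN": 0x0000, "CKM_RSA_PKCS": 0x0001,
       "CKM_SHA1_RSA_PKCS": 0x0006, "CKM_SHA256_RSA_PKCS": 0x0040}
CKF_SIGN, CKF_GENERATE_KEY_PAIR = 0x0800, 0x10000

# The 68 function-pointer slots of CK_FUNCTION_LIST, in spec order (v2.20).
FUNCTION_NAMES = """C_Initialize C_Finalize C_GetInfo C_GetFunctionList
C_GetSlotList C_GetSlotInfo C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo
C_InitToken C_InitPIN C_SetPIN C_OpenSession C_CloseSession C_CloseAllSessions
C_GetSessionInfo C_GetOperationState C_SetOperationState C_Login C_Logout
C_CreateObject C_CopyObject C_DestroyObject C_GetObjectSize C_GetAttributeValue
C_SetAttributeValue C_FindObjectsInit C_FindObjects C_FindObjectsFinal
C_EncryptInit C_Encrypt C_EncryptUpdate C_EncryptFinal C_DecryptInit C_Decrypt
C_DecryptUpdate C_DecryptFinal C_DigestInit C_Digest C_DigestUpdate C_DigestKey
C_DigestFinal C_SignInit C_Sign C_SignUpdate C_SignFinal C_SignRecoverInit
C_SignRecover C_VerifyInit C_Verify C_VerifyUpdate C_VerifyFinal
C_VerifyRecoverInit C_VerifyRecover C_DigestEncryptUpdate C_DecryptDigestUpdate
C_SignEncryptUpdate C_DecryptVerifyUpdate C_GenerateKey C_GenerateKeyPair
C_WrapKey C_UnwrapKey C_DeriveKey C_SeedRandom C_GenerateRandom
C_GetFunctionStatus C_CancelFunction C_WaitForSlotEvent""".split()

class CK_FUNCTION_LIST(ctypes.Structure):   # CK_VERSION, then the pointers
    _fields_ = [("major", c_ubyte), ("minor", c_ubyte)] + \
               [(name, c_void_p) for name in FUNCTION_NAMES]

class CK_MECHANISM_INFO(ctypes.Structure):
    _fields_ = [("ulMinKeySize", c_ulong), ("ulMaxKeySize", c_ulong), ("flags", c_ulong)]

# Assumed minimum to generate, find, sign with and destroy RSA keys (not the project's list).
REQUIRED_FUNCTIONS = ["C_Initialize", "C_Finalize", "C_GetSlotList", "C_OpenSession",
                      "C_CloseSession", "C_Login", "C_Logout", "C_GenerateKeyPair",
                      "C_FindObjectsInit", "C_FindObjects", "C_FindObjectsFinal",
                      "C_GetAttributeValue", "C_DestroyObject", "C_SignInit", "C_Sign"]
REQUIRED_MECHANISMS = {"CKM_RSA_PKCS_KEY_PAIR_GEN": CKF_GENERATE_KEY_PAIR,
                       "CKM_SHA1_RSA_PKCS": CKF_SIGN}

def _fn(fl, name, *argtypes):
    """Turn the raw pointer stored in the function list into a callable."""
    addr = getattr(fl, name)
    if not addr:
        raise RuntimeError(name + " is NULL in the function list")
    return CFUNCTYPE(c_ulong, *argtypes)(addr)

def probe_module(path):
    """Load a module; report exported entry points and, per token-present slot,
    the probed mechanisms it supports (mechanism name -> CKF_ flags)."""
    lib = ctypes.CDLL(path)
    lib.C_GetFunctionList.restype = c_ulong
    fl_ptr = POINTER(CK_FUNCTION_LIST)()
    rv = lib.C_GetFunctionList(byref(fl_ptr))
    if rv != CKR_OK:
        raise RuntimeError("C_GetFunctionList failed: 0x%x" % rv)
    fl = fl_ptr.contents
    report = {"version": (fl.major, fl.minor),
              "functions": {n: bool(getattr(fl, n)) for n in FUNCTION_NAMES},
              "mechanisms": {}}
    get_slots = _fn(fl, "C_GetSlotList", c_ubyte, POINTER(c_ulong), POINTER(c_ulong))
    get_mech = _fn(fl, "C_GetMechanismInfo", c_ulong, c_ulong, POINTER(CK_MECHANISM_INFO))
    rv = _fn(fl, "C_Initialize", c_void_p)(None)
    if rv != CKR_OK:
        raise RuntimeError("C_Initialize failed: 0x%x" % rv)
    try:
        count = c_ulong(0)
        get_slots(CK_TRUE, None, byref(count))      # first call only sizes the list
        slots = (c_ulong * count.value)()
        get_slots(CK_TRUE, slots, byref(count))
        for slot in slots[:count.value]:
            found, info = {}, CK_MECHANISM_INFO()
            for name, code in CKM.items():
                if get_mech(slot, code, byref(info)) == CKR_OK:
                    found[name] = info.flags
            report["mechanisms"][slot] = found
    finally:
        _fn(fl, "C_Finalize", c_void_p)(None)
    return report

def evaluate(report, required_functions=REQUIRED_FUNCTIONS,
             required_mechanisms=REQUIRED_MECHANISMS):
    """Return a list of shortfalls; empty means the module passes. Passing needs
    every required function plus one slot offering every required mechanism
    with the required CKF_ flags set."""
    problems = ["missing function " + n for n in required_functions
                if not report["functions"].get(n)]
    if not report["mechanisms"]:
        problems.append("no slot with a token present")
    slot_problems = []
    for slot, mechs in report["mechanisms"].items():
        short = [m for m, flags in required_mechanisms.items()
                 if (mechs.get(m, 0) & flags) != flags]
        if not short:
            return problems                 # at least one usable slot
        slot_problems.append("slot %s lacks %s" % (slot, ", ".join(short)))
    return problems + slot_problems

if __name__ == "__main__":
    rep = probe_module(sys.argv[1])         # e.g. /usr/lib/softhsm/libsofthsm.so
    for line in evaluate(rep) or ["PASS"]:
        print(line)
```

Run it as `python pkcs11probe.py /path/to/module.so` with the token already initialised; the probe never logs in, so it checks what the module advertises rather than whether a key can actually be generated or a signature produced, which a fuller version would do in a session on each slot. Note that a NULL entry in CK_FUNCTION_LIST and a CKR_FUNCTION_NOT_SUPPORTED return are both ways a module can decline a function, and only the first is visible here.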