[Opendnssec-develop] Creating keys
roy at nominet.org.uk
Tue Dec 2 13:56:29 UTC 2008
Roland van Rijswijk <roland.vanrijswijk at surfnet.nl> wrote on 12/02/2008
> Hi Roy,
> > A few observations:
> > I want OpenDNSSEC to be PKCS11 compliant.
> > It seems that we must have a discussion on what compliancy actually
> > entails. One extreme is full v2.20 with all the tidbits, bells and
> > whistles, and the other extreme is solely the very few functions,
> > and attributes of the pkcs11 library that we need for OpenDNSSEC.
> Having written quite a few applications that used a PKCS #11 module
> (both for HSMs as well as for simpler devices like USB tokens), I can
> tell you you probably won't be needing the bells and whistles.
> As I stated in another mail on the list, most attributes you think we need
> are such basic attributes that a device cannot be called PKCS #11
> compliant if it doesn't support them.
> So I'd like to look at it from another viewpoint: in my opinion, any
> PKCS #11 compliant module that supports the attributes we need should
> work with OpenDNSSEC.
> > However, what I'd like to avoid is that we restrict PKCS11 compliance
> > to the least compliant device.
> Agreed. It should be restricted to those devices that meet our needs.
> > Though USB tokens are very cheap and common, can be glued to a box and
> > do comply with PKCS11, I would not like them to be exemplary.
> True, but I think Rick may have been a tad pessimistic about the state
> of PKCS #11 modules for USB tokens. On another note though: many token
> vendors don't support OSes other than Windows. If you're lucky they
> support some Linux distributions and Mac OS X, very few support Solaris
> or BSD.
> I have a proposal for a different approach: I think it makes sense to
> create a simple compliancy tool that tests for the attributes and PKCS
> #11 functions that OpenDNSSEC needs. Any module that passes is
> supported, any module that doesn't isn't. How does that sound to you?
Sounds good. This will not be core-OpenDNSSEC, but would be a contrib tool
so to speak. Anyone on the list care to write such a thingy?
(if not, I could write it and add it to the hsm-tools set at