SV: [Opendnssec-develop] SoftHSM

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Wed Dec 10 16:09:09 UTC 2008


Hi Olaf, Rickard,

Olaf Kolkman wrote:
> 
> On Dec 2, 2008, at 2:32 PM, Roland van Rijswijk wrote:
> 
>> Point taken. If you want the soft token module to be as small in
>> footprint as possible and as simple as possible,
> 
> 
> clarification question: are we assuming these are requirements for the
> softtoken in OpenDNSSEC or is this an observation about the needs of
> smartcard builders?

From my point of view, having as small a footprint as possible and as
little functionality as strictly necessary is not a hard requirement. It
depends on the effect this has on the development time. If it takes too
long to build a more function-rich module, then this would be an
argument to keep it _very_ simple. Otherwise I would say: keep it simple
but sensible and if possible extensible.

I cannot judge what impact this has on the overall project, since I
don't know the timelines yet though.

From my perspective, it is risky to write any PKCS #11 implementation
that imposes restrictions on functionality that cannot be expressed in
capabilities that the module reports to the users. In other words: if
the standard doesn't provide you with a way to tell users that you don't
support certain things, you should implement them. And if you really feel
that you cannot implement them then this should be documented very well...

Does that answer your question?

Cheers,

Roland.

-- 

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl


