[Opendnssec-develop] Make the keys extractable from HSM?
roy at nominet.org.uk
Wed Dec 2 13:33:47 UTC 2009
Rick van Rein wrote on 12/02/2009 01:27:30 PM:
> Hey Rickard,
>
> You brought up a good point:
>
> > If a key is marked as extractable, you can export the key
> > encrypted and then import it into another HSM.
> >
> > We currently have the extractable attribute set to false.
> >
> > We should still have the keys marked as sensitive, so that the key
> > material cannot be revealed in plain text. But my question is
> > whether we should have the key extractable or not?
>
> I agree that this makes sense. Even though HSM manufacturers may go under
> the PKCS #11 level to duplicate private keys, it is still good to support
> standards-compliant HSMs as well.
>
> Can you point me at the definition of "extractable"? I cannot seem to
> find it in the spec.

grep for CKA_EXTRACTABLE in the spec.

> If we do this, we should add CKA_ALWAYS_SENSITIVE to avoid that the newly
> imported key can ever get CKA_SENSITIVE reset.

CKA_ALWAYS_SENSITIVE is not a safeguard (for future settings of
CKA_SENSITIVE), but a signal (for past settings of CKA_SENSITIVE). If
CKA_ALWAYS_SENSITIVE is set, you know that the CKA_SENSITIVE has never been
false. I think you meant to say the same, apologies if you do.

Roy
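
The attribute behaviour discussed in this message, as an added example that is not part of the original post or of the OpenDNSSEC code: a small C model of the PKCS #11 rules for CKA_SENSITIVE, CKA_EXTRACTABLE and the two token-maintained history flags. The struct, enum and function names are hypothetical and no real Cryptoki library is called.

```c
/* Model of the PKCS #11 rules for four key attributes. Not a Cryptoki
 * binding: the struct, enum and function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    bool sensitive, extractable;              /* caller-settable, one-way */
    bool always_sensitive, never_extractable; /* history kept by the token */
} key_attrs;

typedef enum { RC_OK, RC_READ_ONLY } rc;

/* Generated on the token: the history flags start from the template. */
key_attrs key_generate(bool sensitive, bool extractable) {
    key_attrs k = { sensitive, extractable, sensitive, !extractable };
    return k;
}

/* Imported by unwrapping: the key has existed outside this token, so both
 * history flags are false and the caller cannot supply them. */
key_attrs key_unwrap(bool sensitive, bool extractable) {
    key_attrs k = { sensitive, extractable, false, false };
    return k;
}

/* CKA_SENSITIVE may change false -> true but never true -> false.
 * This one-way rule is the safeguard; the history flag only reports. */
rc set_sensitive(key_attrs *k, bool v) {
    if (k->sensitive && !v) return RC_READ_ONLY;
    k->sensitive = v;
    return RC_OK;
}

/* CKA_EXTRACTABLE may change true -> false but never false -> true. */
rc set_extractable(key_attrs *k, bool v) {
    if (!k->extractable && v) return RC_READ_ONLY;
    k->extractable = v;
    return RC_OK;
}

int main(void) {
    key_attrs u = key_unwrap(true, true);   /* key imported into a second HSM */
    printf("imported: sensitive=%d always_sensitive=%d\n",
           u.sensitive, u.always_sensitive);
    printf("reset CKA_SENSITIVE: %s\n",
           set_sensitive(&u, false) == RC_OK ? "allowed" : "refused");
    return 0;
}
```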