[Opendnssec-develop] Creating tokens for SoftHSM
roy at nominet.org.uk
Wed Feb 11 23:25:21 UTC 2009
Rick van Rein wrote on 02/11/2009 10:42:30 PM:
> > sure, but it would sure be nice if the softhsm utility could export/
> > import keys directly into the database, yes?
> It sounds like a waste of time to me, as PKCS #11 and relating tools can
> Also it sounds like a way to get things done that oughtn't be doable.
I'm ambivalent about this. I'd leave this one to Rickard. Note that many
HSM providers, though PKCS11 compatible, also allow for proprietary
methods to import keys. My point is that I agree with the notion that this
can be done using PKCS#11, though that the assertion that this is a way to
get things done that should not be doable is false.
> > when you change the config file, you plug/unplug. you cannot do this
> > after the softhsm has initialized itself (i.e. opened the database).
> OK. Removing a token from a slot usually indicates doing so while the
> PKCS #11 library is operational. I suppose what you are saying is that
> the SoftHSM, which runs as a library to implement PKCS #11, cannot
> actually plug/unplug tokens into/from slots.
Jakob is saying, when you want to emulate plug/unplug, change the config
> As said before, this (un)plugging behaviour would only be useful when
> mimicing a USB-token or smart card; an HSM would not have this
> Note that tokens are so low-cost (EUR 50 range) that simulating them is
> not really necessary.
I want to make a general statement, addressed to the group, not
particularly to the discussion at hand.
I want to iterate that the need for a software emulated HSM is to
provision for OpenDNSSEC, since that uses the pkcs11 API. There is no
requirement from our OpenDNSSEC project on softHSM to be fully compatible
with all the functionality that a HSM (be it smartcards, usb sticks,
appliances, PCIe cards or what not) might possibly provide. Furthermore,
we have the resources to test OpenDNSSEC with a plethora of HSM's. This
restricts OpenDNSSEC to only use a minimal set of necessary calls to still
be pkcs11 compliant (i.e. not violate the specification). These calls need
to be implemented in SoftHSM.
More information about the Opendnssec-develop