[Opendnssec-develop] HSM information

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Fri Feb 20 10:30:39 UTC 2009


Guys,

I am talking to SafeNet w.r.t. their HSM products as I am trying to
create a shortlist of HSM products because we (SURFnet) will need to buy
one or two HSMs for our DNSSEC setup.

I told them that we are participating in the OpenDNSSEC project. They
had a look at the site and sent me the following request:

"By the way, I checked the web-site - most interesting. I note that you
include the study by Mike Bond that identifies potential vulnerabilities
in a CA3.

I am very uncomfortable with this!!

The CA3 is now EOL and replaced with CA4
The vulnerability identified has been fixed (and was at the time of
testing)
The vulnerability relied on all permissions around the HSM being
fulfilled in any case.

How can I request that this is removed or a repudiation document
published along-side"

Can someone please honour their request and correct this information?

I know I shouldn't say this but this is precisely why I think there
shouldn't be HSM vendor specific information on the OpenDNSSEC website.
I've scheduled some time next week to work on a HSM buyer's guide. I'll
keep you guys up-to-date.

Cheers,

Roland

-- 
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl


