[Opendnssec-develop] True Random Number Generator

Rickard Bondesson Rickard.Bondesson at iis.se
Thu Jan 8 12:57:43 UTC 2009



> I did use one of those Araneus things once. I seem to remember it
> being easy to create a file full of random data. Would it be better to
> have the Araneus appear as an alternative /dev/random device that you
> point the softHSM at? Or am I completely misunderstanding?

I would implement an interface to the internal RNG that would pull random data from the USB via libusb.
But do you mean that the user should manually pull data from the Araneus and mount this? This source of data would then only last for a limited time, so I think it is better to let the SoftHSM do the pulling.

> One other thing that I thought would be good is if the softHSM can be
> complete enough to work with an OpenSSL pkcs11 engine (like the OpenSC
> one). I know we don't want that for OpenDNSSEC but it might be a good
> feature to have. WDYT?

SoftHSM will be PKCS11 compliant, but will not implement all of the functions. I have not checked if these demand more functionality than we do, but it is surely a good thing to do. However, if we want more functionality like certificate or symmetric key handling then SoftHSM must be redesigned, with, as mentioned in a conversation in December, a loss of performance.

// Rickard


