[Opendnssec-develop] Future work: Moving the RRset signer inside the HSM?
Jakob Schlyter
jakob at kirei.se
Tue Jun 2 08:46:04 UTC 2009
hi,
at some point we've discussed the problem with key misuse, i.e. that
even if you protect your keys with an HSM you can still sign anything
with any signature exception. one solution to this would be to move
the RRset signer, together with some basic policy regarding what may
be signed and for how long, closer to the HSM. As far as I can see,
this would be possible with the Thales/nCipher SEE architecture -
http://dl.getdropbox.com/u/1158919/OpenDNSSEC/see-wp.pdf
Very interesting!
jakob
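
The idea in the message above, sketched as an added example that is not part of the original post and is neither OpenDNSSEC nor Thales/nCipher SEE code: a policy gate that would run next to the key and decide what may be signed and for how long before any signing call is made. The class names, field names, limits and sample zone are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SigningPolicy:          # hypothetical policy held beside the key
    zone: str                 # only names at or below this zone may be signed
    allowed_types: frozenset  # RR types the signer will accept
    max_validity: int         # longest permitted signature lifetime, seconds
    max_skew: int             # allowed gap between inception and trusted clock

@dataclass(frozen=True)
class SignRequest:            # hypothetical request from the untrusted host
    owner: str
    rrtype: str
    inception: int            # seconds since the epoch
    expiration: int

def _in_zone(owner, zone):
    # Compare on label boundaries so "evilexample.org" is not under "example.org".
    o, z = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)

def authorize(req, policy, now):
    """Return (allowed, reason). `now` must come from a clock the host cannot set."""
    if not _in_zone(req.owner, policy.zone):
        return False, "owner outside zone"
    if req.rrtype.upper() not in policy.allowed_types:
        return False, "rrtype not allowed"
    if req.expiration <= req.inception:
        return False, "empty validity window"
    if abs(req.inception - now) > policy.max_skew:
        return False, "inception too far from trusted clock"
    if req.expiration - req.inception > policy.max_validity:
        return False, "validity too long"
    return True, "ok"

# Constructed sample policy and clock value.
DAY = 86400
POLICY = SigningPolicy("example.org.",
                       frozenset({"A", "AAAA", "MX", "NS", "SOA", "DNSKEY"}),
                       max_validity=30 * DAY, max_skew=3600)
NOW = 1243932364

if __name__ == "__main__":
    for r in (SignRequest("www.example.org.", "A", NOW, NOW + 7 * DAY),
              SignRequest("www.example.com.", "A", NOW, NOW + 7 * DAY),
              SignRequest("www.example.org.", "A", NOW, NOW + 365 * DAY)):
        print(r.owner, r.expiration - r.inception, authorize(r, POLICY, NOW))
```

The checks only constrain misuse if the policy and the clock sit inside the same protection boundary as the key; a gate running on the host can be bypassed by calling the HSM directly.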