[Opendnssec-develop] Future work: Moving the RRset signer inside the HSM?

Jakob Schlyter jakob at kirei.se
Tue Jun 2 08:46:04 UTC 2009


at some point we've discussed the problem with key misuse, i.e. that  
even if you protect your keys with a HSM you can still sign anything  
with any signature exception. one solution to this would be to move  
the RRset signer, together with some basic policy regarding what may  
be signed and for how long, closer to the HSM. As far as I can see,  
this would be possible with the Thales/nCipher SEE architecture - http://dl.getdropbox.com/u/1158919/OpenDNSSEC/see-wp.pdf 
. Very interesting!


More information about the Opendnssec-develop mailing list