[Opendnssec-develop] hsm-toolkit questions
jad at jadickinson.co.uk
Wed Mar 11 11:57:35 UTC 2009
On 11 Mar 2009, at 11:48, Roy Arends wrote:
> While the hsm-toolkit slowly reaches adolescence, I'd like to
> discuss some topics on the subject:
I have also been thinking about a few of these things because the
Enforcer needs to do them as well and so I plan to steal code directly
from yours :)
I have a patch to add dynamic linking of the pkcs11, so that you
specify -P /usr/local/lib/libpkcs11.so on the command line instead of
at compile time. I am just cleaning it up and will submit it later.
> 1) The object identifier
> We need to identify an object. This can either be done by the LABEL
> or by ID. Please give guidance on which to use, and what the values
> for these identifiers need to be. I remember that 'hash of the key'
> was mentioned. Please advise which algorithm to use. I also need to
> know if hsm-toolkit needs to avoid identifier collisions or not.
Enforcer needs this as well. I was going to ask Jakob this very
question - Jakob, do you know the answer?
> 2) additional functionality
> The software can list, generate and destroy RSA objects from the
> token. Is there interest in additional functionality, or do we want
> to keep it to the bare necessities (list/generate/destroy objects)?
I expect we want more - I will have a think of ideas.
> 3) configurable defaults
> Currently, all parameters need to be specified on the command line.
> Some have static defaults. Do we want configurable defaults through
> a configuration file, or no defaults, or the current status quo?
I like it as it is.