[Opendnssec-develop] hsm-toolkit questions

John Dickinson jad at jadickinson.co.uk
Wed Mar 11 11:57:35 UTC 2009

On 11 Mar 2009, at 11:48, Roy Arends wrote:

> While the hsm-toolkit slowly reaches adolescense, I'd like to  
> discuss some topics on the subject:

Hi Roy,

I have also been thinking about a few of these things because the  
Enforcer needs to do them as well and so I plan to steal code directly  
from yours :)

I have a patch to add dynamic linking of the pkcs11. So that you  
specify -P /usr/local/lib/libpkcs11.so on the command line instead of  
at compile time. I am just cleaning it up and will submit it later  

> 1) The object identifier
> We need to identify an object. This can either be done by the LABEL  
> or by ID. Please give guidance on which to use, and what the values  
> for this identifiers need to be. I remember that 'hash of the key'  
> was mentioned. Please advice which algorithm to use. I also need to  
> know if hsm-toolkit needs to avoid identifier collisions or not.

Enforcer needs this as well. I was going to ask Jakob this very  
question - Jakob, do you know the answer?

> 2) additional functionality
> The software can list, generate and destroy RSA objects from the  
> token. Is there interest in additional functionality, or do we want  
> to keep it to the bare necessities (list/generate/destroy objects)

I expect we want more - I will have a think of ideas.

> 3) configurable defaults
> Currently, all parameters need to be specified on the command line.  
> Some have static defaults. Do we want configurable defaults through  
> a configuration file, or no defaults, or the current status quo?

I like it as it is.

John Dickinson

More information about the Opendnssec-develop mailing list