[Opendnssec-develop] hsm-toolkit questions

Roy Arends roy at nominet.org.uk
Wed Mar 11 12:07:50 UTC 2009


John Dickinson <jadsab at googlemail.com> wrote on 03/11/2009 12:57:35 PM:

> On 11 Mar 2009, at 11:48, Roy Arends wrote:
> 
> > While the hsm-toolkit slowly reaches adolescence, I'd like to 
> > discuss some topics on the subject:
> 
> Hi Roy,
> 
> I have also been thinking about a few of these things because the 
> Enforcer needs to do them as well and so I plan to steal code directly 
> from yours :)

Steal right ahead :-)

> I have a patch to add dynamic linking of the pkcs11. So that you 
> specify -P /usr/local/lib/libpkcs11.so on the command line instead of 
> at compile time. I am just cleaning it up and will submit it later 
> today.

I have already added the functionality, using your patch. Thanks. Works 
:-).

> > 1) The object identifier
> >
> > We need to identify an object. This can either be done by the LABEL 
> > or by ID. Please give guidance on which to use, and what the values 
> > for these identifiers need to be. I remember that 'hash of the key' 
> > was mentioned. Please advise which algorithm to use. I also need to 
> > know if hsm-toolkit needs to avoid identifier collisions or not.
> 
> Enforcer needs this as well. I was going to ask Jakob this very 
> question - Jakob, do you know the answer?
> 
> >
> > 2) additional functionality
> >
> > The software can list, generate and destroy RSA objects from the 
> > token. Is there interest in additional functionality, or do we want 
> > to keep it to the bare necessities (list/generate/destroy objects)
> 
> I expect we want more - I will have a think of ideas.
> 
> >
> > 3) configurable defaults
> >
> > Currently, all parameters need to be specified on the command line. 
> > Some have static defaults. Do we want configurable defaults through 
> > a configuration file, or no defaults, or the current status quo?
> 
> I like it as it is.


Cool. Thanks for the help!

Regards,

Roy Arends
Sr. Researcher
Nominet UK