[Opendnssec-develop] hsm-toolkit questions
jakob at kirei.se
Wed Mar 11 12:34:17 UTC 2009
On 11 mar 2009, at 12.48, Roy Arends wrote:
> 1) The object identifier
> We need to identify an object. This can either be done by the LABEL
> or by ID. Please give guidance on which to use, and what the values
> for this identifiers need to be. I remember that 'hash of the key'
> was mentioned. Please advice which algorithm to use. I also need to
> know if hsm-toolkit needs to avoid identifier collisions or not.
I believe we decided that the LABEL should be used and that the
generator of the key assigns the label. IIRC, we said that the KASP
enforcer would typically generate the key and then update the label to
be the hash (SHA-1) of the public key.
All others will refers to key by the label and find them by querying
all configured HSM for all keys.
I'll put it on my todo-list to write a short note about this on the
More information about the Opendnssec-develop