[Opendnssec-develop] hsm-toolkit questions

Jakob Schlyter jakob at kirei.se
Wed Mar 11 12:34:17 UTC 2009

On 11 mar 2009, at 12.48, Roy Arends wrote:

> 1) The object identifier
> We need to identify an object. This can either be done by the LABEL  
> or by ID. Please give guidance on which to use, and what the values  
> for this identifiers need to be. I remember that 'hash of the key'  
> was mentioned. Please advice which algorithm to use. I also need to  
> know if hsm-toolkit needs to avoid identifier collisions or not.

I believe we decided that the LABEL should be used and that the  
generator of the key assigns the label. IIRC, we said that the KASP  
enforcer would typically generate the key and then update the label to  
be the hash (SHA-1) of the public key.

All others will refers to key by the label and find them by querying  
all configured HSM for all keys.

I'll put it on my todo-list to write a short note about this on the  


More information about the Opendnssec-develop mailing list