[Opendnssec-develop] compact HSM needed...

Rick van Rein rick at openfortress.nl
Thu Mar 12 07:32:51 UTC 2009


Hello Jakob,

> I'm looking for a smartcard with integrated USB-reader (aka "token")
> that is:
> 
> a) with a CCID-class reader (so I can use it on my mac)
> b) with a chip that is supported by OpenSC

Trying to break the token market open... I've wished for that for years,
but found the token market to be rather nasty in that respect.  Some
vendors flatly refuse to abolish their proprietary USB-cardreader
protocol in favour of the CCID standard profile for them.  And OpenSC
has never actually worked for me.  You may have a bit more luck if you
allow for OpenSC + OpenCT to work.  OpenCT is an open source card
terminal that comes as part of OpenSC.  You should be able to find
advice on those on opensc.org.

Since OpenDNSSEC works on top of PKCS #11 I suppose testing its code
could be done on top of any compliant library, including closed ones
from various vendors.  I'm not sure if that is what you are after
though.  Since these libraries are usually of low quality, don't be
surprised if problems in the implementations occur, such as functions
that simply haven't been implemented.  In my experience however, the
developers are quite eager to get new applications on board, so they
will work with app developers to get it to work.

> the Aladdin eToken seemed to fit my reqs, but the reader isn't
> supported.

I have heard lots of complaints that Aladdin is far from pleasant to
deal with, in the sense that they are far from open.

> the purpose of this exercise is to be able to show a very small HSM so
> I can demo OpenDNSSEC at the IETF.

Wunderbar!  I suppose OpenSC + CCID/OpenCT is a personal preference then.
It does not seem necessary for this goal; any working closed
implementation of PKCS #11 would do.

As explained before, I find the idea appealing to use tokens as a low-end
HSM for OpenDNSSEC, to cover limited numbers of domains.

Hope this helps,

Cheers,
 -Rick