[Opendnssec-develop] HSM review/howto
John Dickinson
jad at jadickinson.co.uk
Mon Mar 23 10:10:12 UTC 2009
On 17 Mar 2009, at 09:48, Jakob Schlyter wrote:
> as an inventory, which of the following HSM:s do we have first hand
> experience of?
>
> • Sun Crypto Accelerator 6000
> • AEP Networks Keyper
> • nCipher nShield
> • nCipher netHSM
> • SafeNet Luna SA
> • SafeNet Luna PCI
> • SafeNet ProtectServer Gold
> • SafeNet ProtectServer External
> • IBM 4764
>
> I've work with the SCA6000. others?
SCA6000
Keyper - but I no longer have access to it
nCipher netHSM - a long time ago
Safenet Luna SA - a long time ago
I suspect that they all work - they all provided pkcs11 after all. The
big problem I found with most of them is the appalling documentation
and the lack of basic utilities such as a key generator.
So, I think a how-to is a very good idea.
Also the buyers guide should have a section on the basic things that
you might want to look for when selecting a HSM - such as
- is the documentation readable
- can I ring tech support and speak to someone who knows something
- is there a little demo of simple stuff like how to create a RSA key
and use all the other features? Or does the documentation assume that
I am looking for SSL acceleration only?
- can I read the docs without being a crypto expert
etc...
IMHO - only once these sort of basic questions have been satisfied
should the actual crypto and quality of security be considered. If
they can not write good documentation then how can they write crypto
code?
In my experience the quality of the docs, demos and utilities varies
greatly between the manufacturers listed above and makes all the
difference when using an HSM.
John
---
John Dickinson
http://www.jadickinson.co.uk
More information about the Opendnssec-develop
mailing list