[Opendnssec-develop] HSM review/howto

John Dickinson jad at jadickinson.co.uk
Mon Mar 23 10:10:12 UTC 2009

On 17 Mar 2009, at 09:48, Jakob Schlyter wrote:

> as an inventory, which of the following HSMs do we have first hand
> experience of?
> 	• Sun Crypto Accelerator 6000
> 	• AEP Networks Keyper
> 	• nCipher nShield
> 	• nCipher netHSM
> 	• SafeNet Luna SA
> 	• SafeNet Luna PCI
> 	• SafeNet ProtectServer Gold
> 	• SafeNet ProtectServer External
> 	• IBM 4764
> I've worked with the SCA6000. others?

Keyper - but I no longer have access to it
nCipher netHSM - a long time ago
SafeNet Luna SA - a long time ago

I suspect that they all work - they all provide PKCS#11 after all. The
big problem I found with most of them is the appalling documentation
and the lack of basic utilities such as a key generator.

So, I think a how-to is a very good idea.

Also the buyers' guide should have a section on the basic things that
you might want to look for when selecting an HSM - such as
- is the documentation readable
- can I ring tech support and speak to someone who knows something
- is there a little demo of simple stuff like how to create an RSA key
  and use all the other features? Or does the documentation assume that
  I am looking for SSL acceleration only?
- can I read the docs without being a crypto expert

IMHO - only once these sorts of basic questions have been satisfied
should the actual crypto and quality of security be considered. If
they cannot write good documentation then how can they write crypto?

In my experience the quality of the docs, demos and utilities varies  
greatly between the manufacturers listed above and makes all the  
difference when using an HSM.

John Dickinson