[Opendnssec-develop] HSM review/howto

Rick van Rein rick at openfortress.nl
Mon Mar 23 11:30:41 UTC 2009


> That is something else I hate - a key is a key it shouldn't matter  
> what you are going to use it for. It should not be necessary for there  
> to be a dnssec-keygen and a ssh-keygen and a genrsa and so on and so  
> on... :)

I agree with you, but only on an abstract level.

But now you're not having an issue with any HSM, but with PKCS #11.
Or even more accurately, with the requirements that applications tend
to place on them.

Since it is unwise to use the same key for multiple applications, I don't
think it is such a bad idea that apps set their own attributes and
requirements on keys.  Key management rules are also different, depending
on the application (its usage requirements and its ability to communicate
new keys with peers) so generating keys is, in my humble view, perfectly
located inside an application.
