[Opendnssec-develop] non-automated HSM operations
jakob at kirei.se
Wed May 20 09:55:05 UTC 2009
while doing some design work for a large customer with high-risk
zones, I'm starting to think that we should look into offline HSM
operations (i.e. when the PIN is not known). to do this we need to
address two things:
- the signer will have to alert the security officer (SO) and ask
for the PIN.
- we most likely need a longer KSK signature time so one doesn't
have to alert the SO more than needed (say once a month).
it must be known in due time that the SO will be needed, since he
or she might not be ready to rumble 24/7.
any thoughts regarding this?