[Opendnssec-develop] non-automated HSM operations
Jakob Schlyter
jakob at kirei.se
Wed May 20 09:55:05 UTC 2009
hi,
while doing some design work for a large customer with high-risk
zones, I'm starting to think that we should look into offline HSM
operations (i.e. when the PIN is not known). to do this we need to
address two things:
- the signer will have to alert the security officer (SO) and ask
for the PIN.
- we most likely need a longer KSK signature time so one doesn't
have to alert the SO more than needed (say once a month).
it must be known in due time that the SO will be needed, since he
or she might not be ready to rumble 24/7.
any thoughts regarding this?
jakob