[Opendnssec-develop] Make the keys extractable from HSM?
rickard.bellgrim at iis.se
Tue Nov 24 09:28:10 CET 2009
I remember a discussion we had in Utrecht regarding the wrapping functions in PKCS#11. If a key is marked as extractable, you can export the key encrypted and then import it into another HSM. You must first have a shared symmetric key in each HSM.
We currently have the extractable attribute set to false.
We should still have the keys marked as sensitive, so that the key material cannot be revealed in plain text. But my question is whether we should have the key extractable or not?
Just want to discuss this topic, so that we do not lock the user down. Or is it better to protect against a potential threat of leaking keys?
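The attribute semantics this message asks about, as an added example that is not part of the original post or of OpenDNSSEC: a sensitive key is never readable in plain text, while CKA_EXTRACTABLE alone decides whether it can be wrapped under the shared key for import into a second HSM. `ToyToken`, `outcomes` and the SHAKE-256/HMAC wrap are assumptions made for illustration, not a PKCS#11 binding or a real wrapping mechanism; only the CKR_* codes and C_* function names are from PKCS#11.

```python
import hashlib, hmac, os

class PKCS11Error(Exception):
    """Message is the PKCS#11 return code a token would give."""

class ToyToken:
    """Hypothetical in-memory model of one HSM (not a PKCS#11 binding)."""
    def __init__(self):
        self._objs = {}
    def create_key(self, value, sensitive, extractable):
        handle = len(self._objs) + 1
        self._objs[handle] = dict(value=value, sensitive=sensitive, extractable=extractable)
        return handle
    def get_value(self, handle):
        # C_GetAttributeValue(CKA_VALUE): refused if sensitive OR unextractable.
        o = self._objs[handle]
        if o["sensitive"] or not o["extractable"]:
            raise PKCS11Error("CKR_ATTRIBUTE_SENSITIVE")
        return o["value"]
    def wrap_key(self, kek_handle, key_handle):
        # C_WrapKey: gated by CKA_EXTRACTABLE only; the key leaves encrypted.
        o = self._objs[key_handle]
        if not o["extractable"]:
            raise PKCS11Error("CKR_KEY_UNEXTRACTABLE")
        kek, nonce = self._objs[kek_handle]["value"], os.urandom(16)
        # Stand-in cipher (SHAKE-256 keystream + HMAC tag), not a real CKM_* mechanism.
        stream = hashlib.shake_256(kek + nonce).digest(len(o["value"]))
        ct = bytes(x ^ y for x, y in zip(o["value"], stream))
        return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    def unwrap_key(self, kek_handle, blob, sensitive=True, extractable=False):
        # C_UnwrapKey: the importing side chooses the new object's attributes.
        kek, nonce, ct, tag = self._objs[kek_handle]["value"], blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
            raise PKCS11Error("CKR_WRAPPED_KEY_INVALID")
        stream = hashlib.shake_256(kek + nonce).digest(len(ct))
        return self.create_key(bytes(x ^ y for x, y in zip(ct, stream)), sensitive, extractable)

def outcomes(extractable):
    """[read, wrap] return codes for a sensitive key with this CKA_EXTRACTABLE."""
    tok, codes = ToyToken(), []
    kek = tok.create_key(os.urandom(32), True, False)   # shared wrapping key (constructed)
    key = tok.create_key(os.urandom(32), True, extractable)
    for call, args in ((tok.get_value, (key,)), (tok.wrap_key, (kek, key))):
        try:
            call(*args)
            codes.append("CKR_OK")
        except PKCS11Error as e:
            codes.append(str(e))
    return codes
```

`outcomes(False)` models the current setting and `outcomes(True)` the extractable alternative; in both the plain-text read is refused, and only the wrap result differs.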