[Opendnssec-develop] Make the keys extractable from HSM?

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 24 09:28:10 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

I remember a discussion we had in Utrecht regarding the wrapping functions in PKCS#11. If a key is marked as extractable, you can export the key encrypted and then import it into another HSM. You must first have a shared symmetric key in each HSM.

We currently have the extractable attribute set to false.
http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/libhsm/src/libhsm.c#L1907

We should still have the keys marked as sensitive, so that the key material cannot be revealed in plain text. But my question is whether we should have the key extractable or not?

Just want to discuss this topic, so that we do not lock the user down. Or is it better to protect against a potential threat of leaking keys?

// Rickard

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSwuZGuCjgaNTdVjaAQjbigf/UyfK5CREMaadbbUKapbQD9EaDZUXW/Vi
rcmxxCxSs22T3/pQK2SlXVilJOFrf3moBGsJcgdEnlUYCq4s+91ys0Y86hHOb0dX
hri3mx/vT1ONcJP9P0HwnxjCvgqxDnLTEQPtERg8cxWzD1w2vCmMuc8Lztt2/8HS
5mhv+BPDP+TjBFvH0W8qNVDiwZEq0/3tn37VGAbhSEpYZtMdKCchfwNgwPRUFOoy
PryLzGL4C4AL4hmlhewJsdunpehszZM6cRYkiwwTB6rXuPnhknMO4QPsTcLW6B6Q
HT4DTpV1zUDvcR3UnsdV7T20qN0R25fvQ13XJZOxMSkBdXt2S0p1Kg==
=2j7/
-----END PGP SIGNATURE-----


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20091124/3c61d795/attachment.html>


More information about the Opendnssec-develop mailing list