[Opendnssec-develop] Make the keys extractable from HSM?

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 24 08:54:22 UTC 2009



> By default, no. Default should be to have it not exportable. Flipping
> the 'exportable bit' must also be a one way function. You can switch
> from exportable to not exportable, but not from not-exportable to
> exportable.

Yeah. This is something that can only be done when you are creating the key (setting the key to extractable).

> In general, keys only need to be exportable when an HSM roll is due. By
> that time, a key can be generated that is exportable.
>
> > Just want to discuss this topic, so that we do not lock the user
> > down. Or is it better to protect against a potential threat of
> > leaking keys?
>
> IMHO it is not a mutually exclusive choice. We need to protect against a
> potential threat of leaking keys all the time, but only enable the user
> to export the key as an explicit conscious choice.

Ok, sounds like a feature for version 2.0. The HSMs are probably not going to be rolled in this time frame.

// Rickard
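
The one-way behaviour discussed in this message, as an added example that is not part of the original post or of OpenDNSSEC's code: a small offline model of the PKCS#11 rules for CKA_EXTRACTABLE and CKA_SENSITIVE. The type and function names (model_key, key_generate, key_set_attr, key_wrap_check) and the RV_* codes are hypothetical stand-ins, and nothing here talks to a real token.

```c
#include <stdbool.h>
#include <stdio.h>

/* Local model only: names mirror PKCS#11 concepts, not a real library. */
typedef enum { RV_OK, RV_ATTRIBUTE_READ_ONLY, RV_KEY_UNEXTRACTABLE } rv_t;
typedef enum { ATTR_EXTRACTABLE, ATTR_SENSITIVE } attr_t;

typedef struct {
    bool extractable;       /* CKA_EXTRACTABLE */
    bool sensitive;         /* CKA_SENSITIVE */
    bool never_extractable; /* CKA_NEVER_EXTRACTABLE, maintained by the token */
    bool always_sensitive;  /* CKA_ALWAYS_SENSITIVE, maintained by the token */
} model_key;

/* Key generation is the only point where extractable=true can be chosen. */
model_key key_generate(bool extractable, bool sensitive) {
    model_key k = { extractable, sensitive, !extractable, sensitive };
    return k;
}

/* Models C_SetAttributeValue: each flag moves only toward the stricter value. */
rv_t key_set_attr(model_key *k, attr_t a, bool value) {
    if (a == ATTR_EXTRACTABLE) {
        if (value && !k->extractable) return RV_ATTRIBUTE_READ_ONLY;
        k->extractable = value;   /* true -> false is allowed, and is final */
    } else {
        if (!value && k->sensitive) return RV_ATTRIBUTE_READ_ONLY;
        k->sensitive = value;     /* false -> true is allowed, and is final */
    }
    return RV_OK;
}

/* Models the C_WrapKey precondition that applies when keys move to a new HSM. */
rv_t key_wrap_check(const model_key *k) {
    return k->extractable ? RV_OK : RV_KEY_UNEXTRACTABLE;
}

int main(void) {
    model_key dflt = key_generate(false, true);  /* default: not exportable */
    model_key roll = key_generate(true, true);   /* explicit choice at creation */
    printf("default key, set extractable: %d\n",
           key_set_attr(&dflt, ATTR_EXTRACTABLE, true));
    printf("roll key, wrap before lock:   %d\n", key_wrap_check(&roll));
    key_set_attr(&roll, ATTR_EXTRACTABLE, false);
    printf("roll key, wrap after lock:    %d\n", key_wrap_check(&roll));
    printf("roll key never_extractable:   %d\n", roll.never_extractable);
    return 0;
}
```

The never_extractable flag stays false on the roll key even after it is locked, which is what lets an auditor tell it apart from a key that could never have left the HSM.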


