[Opendnssec-develop] Updated requirements for SoftHSM v2

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Thu Nov 26 11:54:34 UTC 2009


Hi Jakob,

Jakob Schlyter wrote:
> some questions and comments:
>
> #4, can we require 4096-bits as well? or make 4096 a should.

I think we can add 4096-bits as a should. Realistically, the key size is
probably not going to be limited by the SoftHSM implementation, and we
specifically did not want to specify an upper limit, which is why we
chose the wording "2048-bits or more".

> #8, why is it a "MUST NOT" to export in BIND format? if
> softhsm-keyconv is not available as a separate program, we need
> something to convert to/from PKCS#8 and BIND format.

The rationale behind this requirement is the following: we would like
to use one tool instead of two. Also, the tool will be based on PKCS
#11 operations so it can also work with 'real' HSMs and not just
SoftHSM. That one tool must support import of keys in BIND format, but
we reasoned that it should not support key export in BIND format for two
reasons:

- Exporting keys in BIND format would lower the security level because
the keys would then be exported in the clear; this becomes especially
relevant if you use the tool with a real HSM

- We support import of BIND formatted keys; if someone would like to
switch from OpenDNSSEC to BIND, we argued that in that case BIND should
support import of OpenDNSSEC (= PKCS #8) formatted keys.

> do we have any relative performance requirements? like scale linear
> with multiple keys.

No, not yet, but suggestions like this one are welcome.

Thanks for your feedback!

Cheers,

Roland

-- 
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
