[Opendnssec-develop] signature verification

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Nov 27 19:07:05 UTC 2009


Sorry. I have been visiting SWITCH for two days. Will start Monday
morning to start testing and see if it can be reproduced in Botan.

On 27 Nov 2009, at 16:43, "Roland van Rijswijk" <roland.vanrijswijk at surfnet.nl> wrote:

> Hi Matthijs,
>
> IMHO this is a blocking issue, right? It is not acceptable if the
> signatures output by the signer are invalid because of a bug in either
> softHSM or Botan. I assume that Rickard is checking out what causes
> this? If this cannot be fixed at short notice we should consider a
> 'plan B' so the release of OpenDNSSEC does not have to be postponed
> because of a bug in either softHSM or Botan.
>
> BTW, is it a reproducible bug -- i.e. will it consistently output a
> wrong signature given the same input data or is the problem
> intermittent? (the latter would be far worse than the former)
>
> Cheers,
>
> Roland
>
> Matthijs Mekking wrote:
>> Hi,
>>
>> We have discovered that the signer with softHSM sometimes can
>> output an invalid signature.
>>
>> In order to prevent this ending up in the signed zonefile, we should
>> audit the signatures. Of course, we have the auditor, but we
>> discourage people to turn it off for large zones.
>>
>> So, I have added a signature check in the signer, right after libhsm
>> returned it. This option adds about 19% latency on signature
>> creation. Thus, we should make this option configurable.
>>
>> I'm not sure where this option should go, build or run time?
>>
>> We could also add a third signature check in the softHSM. Imo, that
>> could facilitate debugging, assuming that the bug is in Botan.
>>
>>
>> Any thoughts?
>>
>>
>> Matthijs
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
>
> -- 
> -- Roland M. van Rijswijk
> -- SURFnet Middleware Services
> -- t: +31-30-2305388
> -- e: roland.vanrijswijk at surfnet.nl



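The check discussed in this thread (verify each signature right after the signing backend returns it, behind a configurable switch) can be sketched as follows. This is an added example, not OpenDNSSEC, libhsm or softHSM code: the toy RSA key, `good_backend`, `flaky_backend`, `sign_checked` and `count_rejected` are all hypothetical names and values constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy RSA key (p=61, q=53): far too small for real use. */
enum { TOY_N = 3233, TOY_E = 17, TOY_D = 2753 };
typedef uint32_t (*sign_fn)(uint32_t digest);   /* hypothetical backend hook */

static uint32_t modexp(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t r = 1, b = base % mod;
    while (exp) {
        if (exp & 1) r = (r * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return (uint32_t)r;
}

uint32_t good_backend(uint32_t digest) { return modexp(digest, TOY_D, TOY_N); }

/* Constructed faulty backend: every third call returns a corrupted signature. */
uint32_t flaky_backend(uint32_t digest) {
    static unsigned calls;
    uint32_t sig = modexp(digest, TOY_D, TOY_N);
    return (++calls % 3 == 0) ? sig ^ 1u : sig;
}

/* Sign; if verify_after_sign is set, check with the public key before release.
 * Returns 0 on success, -1 if the backend's signature does not verify. */
int sign_checked(sign_fn backend, uint32_t digest, int verify_after_sign,
                 uint32_t *sig_out) {
    uint32_t sig = backend(digest % TOY_N);
    if (verify_after_sign && modexp(sig, TOY_E, TOY_N) != digest % TOY_N)
        return -1;              /* bad signature never reaches the zone */
    *sig_out = sig;
    return 0;
}

/* Sign `count` digests and return how many signatures were rejected. */
int count_rejected(sign_fn backend, int count, int verify_after_sign) {
    int rejected = 0;
    uint32_t sig;
    for (int i = 0; i < count; i++)
        if (sign_checked(backend, 1000u + (uint32_t)i, verify_after_sign, &sig))
            rejected++;
    return rejected;
}

int main(void) {
    printf("rejected with check: %d\n", count_rejected(flaky_backend, 9, 1));
    return 0;
}
```

With the switch off, the corrupted signatures pass through unnoticed, which is the case the check is meant to close.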