[Opendnssec-user] SoftHSM requirements: proposed addition

Bud P. Bruegger bud at ancitel.it
Thu May 27 09:12:11 UTC 2010


Hello,

I just discovered SoftHSM and really like it.  I was looking at the
Requirements for version 2 [1]  and would like to propose an additional
option:

In my reasoning, a soft HSM that shares the CPU with other applications
is much more vulnerable than one with a dedicated CPU.  Therefore, it
would be nice to be able to run SoftHSM on a dedicated machine whose
only interface exposes PKCS#11 functionality over the network.  If the
dedicated machine is locked away reasonably well, it surely lacks the
tamper-evidence/resistance of real HSMs, but with the right procedures
(and a nice locked box), it would probably be a good enough solution
for many uses where a SoftHSM on the same machine is insufficient, and
a real HSM is too costly.  

One way of achieving this would be via a simple PKCS#11 proxy that
forwards serialized calls over Ethernet to the dedicated host of the
SoftHSM.  In the context of GnuTLS, Alon Bar-Lev has proposed just
this [2] but I don't know whether that was implemented (I doubt it).

Another project with very similar objectives to SoftHSM, LSM-PKCS11 [3],
foresees the serialization of PKCS#11 calls over the network.  Some doc
and architecture figures can be found here [4].

Let me know whether this sounds interesting.

kind regards

-bud

[1] http://trac.opendnssec.org/wiki/SoftHSM/Requirements
[2] http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001502.html
[3] http://www.clizio.com/lsmpkcs11.html
[4] http://www.clizio.com/download/LSM-PKCS11.pdf
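One way to realize the serialized-call forwarding sketched in the post, as an added example that is not SoftHSM's, GnuTLS's or LSM-PKCS11's code: a client-side encoder and a bounds-checked server-side decoder for a single PKCS#11 call (C_Sign) over a constructed wire format. The function id, byte order, header layout, data cap and the `sign_request` struct are assumptions made for the example; the point it shows is that the dedicated host must treat every length field it reads from the network as untrusted before touching the payload.

```c
/* Added example, not SoftHSM's or LSM-PKCS11's code: a bounds-checked wire
 * encoding for one forwarded PKCS#11 call (C_Sign). The function id, byte
 * order and data cap are assumptions, not part of any real protocol. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FN_C_SIGN     0x0001u   /* hypothetical wire id for C_Sign */
#define MAX_SIGN_DATA 4096u     /* server-side cap on forwarded input bytes */
#define HDR_LEN       12u       /* fn id + session handle + data length */

struct sign_request {           /* mirrors C_Sign(hSession, pData, ulDataLen) */
    uint32_t session;           /* stands in for CK_SESSION_HANDLE */
    uint32_t data_len;
    const uint8_t *data;        /* points into the caller's or receive buffer */
};

/* Big-endian 32-bit field helpers. */
static void put_u32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static uint32_t get_u32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Client side (application host): serialize the call. Returns bytes written,
 * or 0 if the buffer is too small or the data exceeds the cap. */
size_t encode_sign_request(const struct sign_request *r, uint8_t *buf, size_t cap) {
    if (r->data_len > MAX_SIGN_DATA || cap < HDR_LEN + r->data_len) return 0;
    put_u32(buf, FN_C_SIGN);
    put_u32(buf + 4, r->session);
    put_u32(buf + 8, r->data_len);
    memcpy(buf + HDR_LEN, r->data, r->data_len);
    return HDR_LEN + r->data_len;
}

/* Server side (dedicated SoftHSM host): parse untrusted network bytes. Every
 * length from the wire is checked against what was actually received before
 * the payload is touched. Returns 1 on success, 0 on malformed input. */
int decode_sign_request(const uint8_t *buf, size_t len, struct sign_request *out) {
    if (len < HDR_LEN || get_u32(buf) != FN_C_SIGN) return 0;
    uint32_t dlen = get_u32(buf + 8);
    if (dlen > MAX_SIGN_DATA || dlen != len - HDR_LEN) return 0;
    out->session = get_u32(buf + 4);
    out->data_len = dlen;
    out->data = buf + HDR_LEN;
    return 1;
}

/* Round trip plus two malformed inputs; returns 1 if every check holds. */
int proxy_selftest(void) {
    uint8_t buf[64];
    struct sign_request in = { 7, 5, (const uint8_t *)"hello" }, out;  /* constructed call */
    size_t n = encode_sign_request(&in, buf, sizeof buf);
    if (n != HDR_LEN + 5 || !decode_sign_request(buf, n, &out)) return 0;
    if (out.session != 7 || out.data_len != 5 || memcmp(out.data, "hello", 5)) return 0;
    if (decode_sign_request(buf, n - 1, &out)) return 0;  /* truncated message */
    buf[11] = 0xff;                                      /* length field lies */
    return decode_sign_request(buf, n, &out) == 0;
}
```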