[Opendnssec-user] SoftHSM requirements: proposed addition
Bud P. Bruegger
bud at ancitel.it
Thu May 27 09:12:11 UTC 2010
I just discovered SoftHSM and really like it. I was looking at the
Requirements for version 2 and would like to propose an additional
In my reasoning, a soft HSM that shares the CPU with other applications
is much more vulnerable than one with a dedicated CPU. Therefore, it
would be nice to be able to run SoftHSM on a dedicated machine whose
only interface exposes PKCS#11 functionality over the network. If the
dedicated machine is locked away reasonably well, it surely lacks the
tamper-evidence/resistance of real HSMs, but with the right procedures
(and a nice locked box), it would probably be a good enough solution
for many uses where a SoftHSM on the same machine is insufficient, and
a real HSM is too costly.
One way of achieving this would be via a simple PKCS#11 proxy that
forwards serialized calls over ethernet to the dedicated host of the
SoftHSM. In the context of GnuTLS, Alon Bar-Lev has proposed just
this but I don't know whether that was implemented (I doubt it).
Another project with very similar objectives to SoftHSM, LSM-PKCS11 
foresees the serialization of PKCS#11 calls over the network. Some doc
and architecture figures can be found here 
Let me know whether this sounds interesting.
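
The proxy idea described in the message above, as an added example that is not part of the original post or of SoftHSM: a hypothetical length-prefixed frame for one forwarded PKCS#11 call, with the server-side parser refusing truncated, mis-sized or non-allowlisted frames. The wire layout, function ids and all names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical wire format (not from SoftHSM or any existing PKCS#11 proxy):
 * fn_id(4) | session(4) | payload_len(4) | payload, integers big-endian. */
#define HDR_LEN     12u
#define MAX_PAYLOAD 4096u
enum { FN_SIGN_INIT = 1, FN_SIGN = 2 };   /* the only calls the server allows */
struct p11_call { uint32_t fn, session, len; const uint8_t *payload; };
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Client side: serialize one call. Returns the frame size, or 0 on error. */
size_t p11_encode(uint32_t fn, uint32_t session, const uint8_t *data,
                  uint32_t len, uint8_t *out, size_t cap) {
    if (len > MAX_PAYLOAD || cap < HDR_LEN + (size_t)len) return 0;
    put32(out, fn); put32(out + 4, session); put32(out + 8, len);
    if (len) memcpy(out + HDR_LEN, data, len);
    return HDR_LEN + (size_t)len;
}

/* Server side: parse an untrusted frame. Returns 0 if accepted, -1 if not. */
int p11_decode(const uint8_t *buf, size_t n, struct p11_call *c) {
    if (n < HDR_LEN) return -1;                          /* truncated header */
    uint32_t fn = get32(buf), len = get32(buf + 8);
    if (fn != FN_SIGN_INIT && fn != FN_SIGN) return -1;  /* not allowlisted */
    if (len > MAX_PAYLOAD) return -1;                    /* oversized claim */
    if ((size_t)len != n - HDR_LEN) return -1;           /* length must match */
    c->fn = fn; c->session = get32(buf + 4); c->len = len;
    c->payload = buf + HDR_LEN;
    return 0;
}
/* Constructed sample: a well-formed frame is accepted; the same frame with
 * an inflated length field or an unknown function id is refused. */
int demo(void) {
    uint8_t f[64]; struct p11_call c;
    const uint8_t digest[4] = {0xde, 0xad, 0xbe, 0xef};
    size_t n = p11_encode(FN_SIGN, 7, digest, 4, f, sizeof f);
    int ok = n == 16 && p11_decode(f, n, &c) == 0 && c.session == 7 && c.len == 4;
    put32(f + 8, 400);                  /* claim more bytes than were sent */
    int lied = p11_decode(f, n, &c);
    put32(f + 8, 4); put32(f, 99);      /* function id outside the allowlist */
    return ok && lied == -1 && p11_decode(f, n, &c) == -1;
}
```

Framing alone gives no confidentiality or peer authentication; a deployment of such a proxy would carry these frames over an authenticated, encrypted channel.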