[Opendnssec-user] SoftHSM requirements: proposed addition
Bud P. Bruegger
bud at ancitel.it
Thu May 27 09:12:11 UTC 2010
Hello,

I just discovered SoftHSM and really like it. I was looking at the
Requirements for version 2 [1] and would like to propose an additional
option:

In my reasoning, a soft HSM that shares the CPU with other applications
is much more vulnerable than one with a dedicated CPU. Therefore, it
would be nice to be able to run SoftHSM on a dedicated machine whose
only interface exposes PKCS#11 functionality over the network. If the
dedicated machine is locked away reasonably well, it surely lacks the
tamper-evidence/resistance of real HSMs, but with the right procedures
(and a nice locked box), it would probably be a good enough solution
for many uses where a SoftHSM on the same machine is insufficient, and
a real HSM is too costly.

One way of achieving this would be via a simple PKCS#11 proxy that
forwards serialized calls over ethernet to the dedicated host of the
SoftHSM. In the context of GnuTLS, Alon Bar-Lev has proposed just
this [1] but I don't know whether that was implemented (I doubt it).

Another project with very similar objectives to SoftHSM, LSM-PKCS11 [3],
foresees the serialization of PKCS#11 calls over the network. Some doc
and architecture figures can be found here [4].

Let me know whether this sounds interesting.

kind regards
-bud

[1] http://trac.opendnssec.org/wiki/SoftHSM/Requirements
[2] http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001502.html
[3] http://www.clizio.com/lsmpkcs11.html
[4] http://www.clizio.com/download/LSM-PKCS11.pdf