[Opendnssec-user] HSM size

Jakob Schlyter jakob at kirei.se
Sat Dec 22 23:18:13 CET 2012


On 22 dec 2012, at 23:10, Paul Wouters <paul at nohats.ca> wrote:

> On Sat, 22 Dec 2012, Jakob Schlyter wrote:
> 
> However, I haven't heard from HSM vendors if they are not vulnerable to
> the various padding oracle attacks, and the HSMs I've looked at, do not
> support disabling encryption and only allow signing of data. So I'm not
> convinced an HSM even brings you this security.....

The AEP keyper can disable encryption.

>> There are of course other nice properties, such as speed, but IMHO those are secondary.
> 
> For those who want slower speed?

Unless you cluster a bunch of SCA/6000 or SafeNet LUNA SA - that's speed.


	jakob




More information about the Opendnssec-user mailing list