Miek Gieben miek at miek.nl
Mon Oct 8 06:40:52 UTC 2012

[ Quoting <shuoleo at 126.com> in "[Opendnssec-user]..." ]
> Hi all,
> Take key generation for example, the vendors' HSM devices allow create keys with
> software API though they are both using PKCS#11, keys in HSM devices must be
> created manually with administrator permission and it is the same case with

Generating keys is defined in pkcs#11, not doing it would mean you are not
supporting pkcs#11.

> And we also found out that HSM devices do not support <TokenLabel> which is used by
> SoftHSM's slot, only KeyLabel is supported, that means it designates a specific
> key to do the signing work instead of the keys in a slot.
> people can do their own programming work with your APIs if they exist in order
> to adapt with HSM devices?

"your APIs" = pkcs#11 and HSM vendors should support that.

> Has anybody ever met the same problem as ours?

OpenDNSSEC lists a bunch of HSMs that work with it and AFAICT they all
do pkcs#11.


    Miek Gieben                                                   http://miek.nl