[Opendnssec-user]
Miek Gieben
miek at miek.nl
Mon Oct 8 06:40:52 UTC 2012
[ Quoting <shuoleo at 126.com> in "[Opendnssec-user]..." ]
> Hi all,
>
> Take key generation for example, the vendors' HSM devices allow create keys
> with
> software API though they are both using PKCS#11, keys in HSM devices must be
> created manually with administrator permission and it is the same case with
Generating keys is defined in pkcs#11, not doing it would mean you are not
supporting pkcs#11.
> And we also found out that HSM device do not support <TokenLabel> which is used
> by
> SoftHSM's slot, only KeyLabel is supported, that means it designate a specific
> key to do the signing work instead of the keys in a slot.
>
> people can do their own programming work with your APIs if they exist in order
> to adapt with HSM devices?
"your APIs" = pkcs#11 and HSM vendors should support that.
> Are there any body ever met the problem as ours?
OpenDNSSEC lists a bunch a HSMs that work with it and AFAICT they all
do pkcs#11.
Regards,
--
Miek Gieben http://miek.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20121008/63cb97b8/attachment.bin>
More information about the Opendnssec-user
mailing list