[Opendnssec-user]

刘硕 shuoleo at 126.com
Tue Oct 9 03:29:26 UTC 2012


>Generating keys is defined in pkcs#11, not doing it would mean you are not
>supporting pkcs#11.

They said they support pkcs#11, but they do some extra things to avoid creating
keys using the API directly; it's for security purposes, they said.

>"your APIs" = pkcs#11 and HSM vendors should support that.

So the vendor does some tricks with the use of pkcs#11? For security purposes, do the
vendors' HSMs you have tested have any special limitations on key generation?

>OpenDNSSEC lists a bunch of HSMs that work with it and AFAICT they all
>do pkcs#11.

I think the vendor we have been talking to in our country abides by the rules of some
authorities, and we are afraid that foreign products may not pass the authentication
of the security authority here.


Best regards,
Stuart

From: Miek Gieben
Date: 2012-10-08 14:40
To: 刘硕
CC: opendnssec-user
Subject: Re: [Opendnssec-user]
[ Quoting <shuoleo at 126.com> in "[Opendnssec-user]..." ]
> Hi all,
>  
> Take key generation for example: the vendors' HSM devices allow creating keys
> with a software API though they are both using PKCS#11; keys in HSM devices must be
> created manually with administrator permission, and it is the same case with

Generating keys is defined in pkcs#11, not doing it would mean you are not
supporting pkcs#11.

> And we also found out that the HSM device does not support <TokenLabel>, which is used
> by SoftHSM's slot; only KeyLabel is supported, which means it designates a specific
> key to do the signing work instead of the keys in a slot.
>  
> Can people do their own programming work with your APIs, if they exist, in order
> to adapt to HSM devices?

"your APIs" = pkcs#11 and HSM vendors should support that.

> Has anybody ever met the same problem as ours?

OpenDNSSEC lists a bunch of HSMs that work with it and AFAICT they all
do pkcs#11.

Regards,

-- 
Miek Gieben    http://miek.nl