[Opendnssec-user]
刘硕
shuoleo at 126.com
Tue Oct 9 08:15:20 UTC 2012
> This is very surprising to me, as we have proven interoperability with quite a few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list
Yes, I have seen that page.
> What vendors have you been talking to?
We have been talking to a vendor in China.
I think the vendor we have been talking to in our country abides by the rules of some
authorities, and we are afraid that foreign products may not pass the authentication
of the security authority here. So what you have tested may not be suitable for us...
OMG!
Best regards,
Stuart
From: Jakob Schlyter
Date: 2012-10-08 14:55
To: shuoleo
CC: opendnssec-user; Patrik Wallström
Subject: Re: [Opendnssec-user]
On 8 Oct 2012, at 08:30, 刘硕 <shuoleo at 126.com> wrote:
> We have been testing DNSSEC with OpenDNSSEC+SoftHSM, and it has been working well.
> But recently we decided to buy an HSM to replace SoftHSM to do signing work and
> key storage. After consulting with some of the HSM vendors here, we found out
> that almost no devices can cooperate with OpenDNSSEC.
This is very surprising to me, as we have proven interoperability with quite a few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list
What vendors have you been talking to?
> Take key generation for example, the vendors' HSM devices allow create keys with
> software API though they are both using PKCS#11, keys in HSM devices must be
> created manually with administrator permission and it is the same case with removing
> keys.
Yes, there exist HSMs (e.g., AEP) that can limit key generation and destruction, and OpenDNSSEC can be set up to work with those. However, all keys must be created via PKCS#11.
jakob
--
Jakob Schlyter
Kirei AB - http://www.kirei.se/