[Opendnssec-user] Looking for a "cheap" HSM

Rick van Rein (OpenFortress) rick at openfortress.nl
Mon Jun 24 12:48:00 UTC 2013


> Nit: PKCS #11 is not a networked API, but implementations can access remote devices.
> That's how remote HSMs are usually used, right?

Some HSMs are network connected, in which case the PKCS #11 API will conceal a remote connection.
Other HSMs are plug-in cards for a system bus like PCI or USB.

> > How does the user "select the key container"? In other words: how do I select my certificate and not the one from my neighbours?
> * CKA_ID and/or CKA_LABEL attributes
> * multiple slots / tokens, sometimes called "partitions" of your HSM
> I know PKCS#11 internals, and I know how I can (as a developer) select a cert, but still can't see how this is done in a "transparent" browser.
> The browser requests GetSlotList (so every slot should be returned) and all certificates are shown?

All those that are visible to the authenticating user and in the slot/token that you setup.

> I don't know if you see my point: how to link "account" with partition?

By configuring its token name in the browser, and/or by access control. I am not sure if / how browsers will let you specify the token though.
