[Opendnssec-user] Looking for a "cheap" HSM
Rick van Rein (OpenFortress)
rick at openfortress.nl
Mon Jun 24 14:48:00 CEST 2013
> Nit: PKCS #11 is not a networked API, but implementations can access remote devices.
> That's how remote HSMs are usually used, right?
Some HSMs are network connected, in which case the PKCS #11 API will conceal a remote connection.
Other HSMs are plug-in cards for a system bus like PCI or USB.
> > how the user "selects the key container". In other words: how do I select my certificate and not the one from my neighbours?
> * CKA_ID and/or CKA_LABEL attributes
> * multiple slots / tokens, sometimes called "partitions" of your HSM
> I know PKCS#11 internals, and I know how I can (as a developer) select a cert, but still can't see how this is done in a "transparent" browser.
> The browser requests GetSlotList (so every slot should be returned) and all certificates are shown?
All those that are visible to the authenticating user and in the slot/token that you setup.
> I don't know if you see my point: how to link "account" with partition?
By configuring its token name in the browser, and/or by access control. I am not sure if / how browsers will let you specify the token though.