[Opendnssec-user] Looking for a "cheap" HSM
helpcrypto at gmail.com
Mon Jun 24 16:36:17 CEST 2013
On Mon, Jun 24, 2013 at 2:48 PM, Rick van Rein <rick at openfortress.nl> wrote:
> > Nit: PKCS #11 is not a networked API, but implementations can access
> > remote devices.
> > That's how remote HSMs are usually used, right?
> Some HSMs are network connected, in which case the PKCS #11 API will
> conceal a remote connection.
> Other HSMs are plug-in cards for a system bus like PCI or USB.
I'm concerned about network ones.
> > how the user "selects the key container". In other words: how do I select
> > my certificate and not the one from my neighbours?
> > * CKA_ID and/or CKA_LABEL attributes
> > * multiple slots / tokens, sometimes called "partitions" of your HSM
> > I know PKCS#11 internals, and I know how I can (as a developer) select a
> > cert, but still can't see how this is done in a "transparent" browser.
> > The browser requests GetSlotList (so every slot should be returned) and
> > all certificates are shown?
> All those that are visible to the authenticating user and in the
> slot/token that you set up.
> > I don't know if you see my point: how to link "account" with partition?
> By configuring its token name in the browser, and/or by access control. I
> am not sure if / how browsers will let you specify the token though.
I still don't get it. I could register a PKCS#11 module in my Firefox to
communicate with an HSM.
But that doesn't involve, in any way, linking the "john.doe at example.com"
authenticated user with a certificate stored on the HSM.
I must be missing something, like a browser add-on, special library
initialization (not covered by the PKCS#11 standard) or something else, that
will tell the HSM to get the correct certificate/partition.
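An added illustration (not code from this thread or from OpenDNSSEC) of the selection Rick describes: the token ("partition") is chosen by its label and the certificate inside it by CKA_ID and/or CKA_LABEL, while the account-to-partition link is plain application configuration. The slot, token and object data is constructed in memory in place of a real PKCS #11 module, and the helper and mapping names are assumptions.

```python
from dataclasses import dataclass, field
CKO_CERTIFICATE = 1   # CKA_CLASS values as defined by PKCS #11
CKO_PRIVATE_KEY = 3

@dataclass
class Token:
    label: str                                   # token label from C_GetTokenInfo
    objects: list = field(default_factory=list)  # objects visible after C_Login

def find_objects(token, template):
    # Model of C_FindObjectsInit/C_FindObjects: every attribute in the
    # template must match exactly, as the real API does.
    return [o for o in token.objects
            if all(o.get(k) == v for k, v in template.items())]

def select_certificate(slots, token_label, cka_id=None, cka_label=None):
    # Pick the partition by token label, then the certificate by CKA_ID and/or
    # CKA_LABEL. Anything but exactly one hit is an error: silently taking the
    # first match is how an application ends up with a neighbour's certificate.
    tokens = [t for t in slots if t is not None and t.label == token_label]
    if len(tokens) != 1:
        raise LookupError(f"{len(tokens)} tokens labelled {token_label!r}, need 1")
    template = {"CKA_CLASS": CKO_CERTIFICATE}
    if cka_id is not None:
        template["CKA_ID"] = cka_id
    if cka_label is not None:
        template["CKA_LABEL"] = cka_label
    hits = find_objects(tokens[0], template)
    if len(hits) != 1:
        raise LookupError(f"{template} matched {len(hits)} objects, need 1")
    return hits[0]

# Constructed sample HSM as C_GetSlotList would enumerate it: one partition
# per user (None is an empty slot); a cert and its private key share a CKA_ID.
SAMPLE_SLOTS = [
    Token("john.doe", [
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01", "CKA_LABEL": "john-tls"},
        {"CKA_CLASS": CKO_PRIVATE_KEY, "CKA_ID": b"\x01", "CKA_LABEL": "john-tls"},
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x02", "CKA_LABEL": "john-old"},
    ]),
    Token("jane.roe", [
        {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01", "CKA_LABEL": "jane-tls"},
    ]),
    None,
]
# The account-to-partition link is application configuration, not PKCS #11:
# the authenticated user name decides which token label is opened.
USER_TO_TOKEN = {"john.doe@example.com": "john.doe", "jane.roe@example.com": "jane.roe"}
def certificate_for_user(user, cka_id):
    return select_certificate(SAMPLE_SLOTS, USER_TO_TOKEN[user], cka_id=cka_id)
```

Omitting both CKA_ID and CKA_LABEL against a partition holding two certificates is rejected rather than resolved by picking the first object returned.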