[Opendnssec-user] Looking for a "cheap" HSM

helpcrypto helpcrypto helpcrypto at gmail.com
Mon Jun 24 14:36:17 UTC 2013

On Mon, Jun 24, 2013 at 2:48 PM, Rick van Rein <rick at openfortress.nl> wrote:

> Hi,
> > Nit: PKCS #11 is not a networked API, but implementations can access
> remote devices.
> >
> > That how usually remotoe HSM are used, right?
> Some HSMs are network connected, in which case the PKCS #11 API  will
> conceal a remote conncetion.
> Other HSMs are plug-in cards for a system bus like PCI or USB.

I'm concerned about network ones.

 > >  how the user "select the key container". In other words: how i select
> my certificate and not the one from my neighbourgs ?
> >
> > * CKA_ID and/or CKA_LABEL attributes
> > * multiple slots / tokens, sometimes called "partitions" of your HSM
> >
> > I know PKCS#11 internals, and i know how i can (as developer) select a
> cert, but still cant see how this is done in a "transparent" browser.
> > The browser request GetSlotList (so every slot should be returned) and
> all certificates are shown?
> All those that are visible to the authenticating user and in the
> slot/token that you setup.
> > I dont know if you see my point: how to link "account" with partition?
> By configuring its token name in the browser, and/or by access control.  I
> am not sure if / how browsers will let you specify the token though.

I still dont get it. I could register a PKCS#11 module on my firefox to
communicate with an HSM.
But that doesnt involve, in any way, linking "john.doe at example.com"
authenticated user with a certificate stored on HSM.
I must be missing something, like a browser addon, special library
initialization (not covered by pkcs#11 standard) or something-else, that
will tell HSM to get the correct certificate/partition.

> -Rick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130624/cf83762a/attachment.htm>

More information about the Opendnssec-user mailing list