Hi!

On 10/14/12 5:01 PM, Ondřej Surý wrote:
> On 14. 10. 2012, at 13:37, Carlos M. Martinez <carlosm3...@gmail.com> wrote:
>
>> That could be a really interesting project. I'm not sure how I can
>> contribute, but I'd love to see that happen.
> Even helping define requirements (when we start gathering them) would be
> tremendous help...

Count me in then :-)

>> ~Carlos
>>
>> On 10/14/12 3:10 PM, Ondřej Surý wrote:
>>> Just a question - would anyone be interested in joining a project to
>>> build an OpenHardware FPGA-based HSM with focus on DNSSEC?
>>>
>>> O.
>>>
>>> On 16. 8. 2012, at 2:24, George Michaelson <g...@apnic.net> wrote:
>>>
>>>> I got 8 replies. 2 ccTLD, 2 root Ops, almost everyone in s/w development
>>>> or operational related roles, and some independent consultants.
>>>>
>>>> Only one happy user, and I'd qualify that: they'd want a long-term
>>>> migration plan off the device. This person is using Solaris.
>>>>
>>>> Everyone said avoid more than 255 keys on the device. Several said use the
>>>> import/export mechanism.
>>>>
>>>> Two people explicitly mentioned the bad Linux driver.
>>>>
>>>> The overall tone of the (small sample) responses is: "this is not a good
>>>> choice right now"
>>>>
>>>> My context is not DNSSEC, it's RPKI, which has a far larger keypair
>>>> requirement. Noting a suggestion to re-use keypairs, I'd still have to
>>>> risk-manage future potential for multiple keys per hosted client, and
>>>> exceed the on-card keystore size, so the suggestion to use the
>>>> import/export features makes sense. Having said that, documentation on
>>>> this is really scant, and it's hard to confirm how easily you can manage
>>>> this given there is no explicit OpenSSL PKCS11 support for managing PKCS12
>>>> wrapped objects, and you are therefore using a Java or shell command to do
>>>> the key import, followed by OpenSSL engine, followed by shell/Java to
>>>> remove the key.
>>>>
>>>> If you use a pure Java solution it's probably more tenable.
>>>>
>>>> Thank you to everyone for the response. I hope this summary meets a sense
>>>> of privacy, and OT posting.
>>>>
>>>> -G
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations@lists.dns-oarc.net
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>>
>>>> dns-jobs mailing list
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>> --
>>> Ondřej Surý -- Chief Science Officer
>>> -------------------------------------------
>>> CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
>>> Americka 23, 120 00 Praha 2, Czech Republic
>>>
>>> mailto:ondrej.s...@nic.cz http://nic.cz/
>>>
>>> tel:+420.222745110 fax:+420.222745112
>>> -------------------------------------------
>>
>> --
>> Carlos M. Martinez
>> LACNIC R+D
>>
>> http://www.labs.lacnic.net

--
Carlos M. Martinez
LACNIC R+D
http://www.labs.lacnic.net