On 2012.10.15. 19:09, Miek Gieben wrote: > [ Quoting <g...@switch.ch> in "Re: [dns-operations] OpenHardware F..." > ] >> On Mon, 15 Oct 2012 09:13:45 -0700, Paul Hoffman >> <paul.hoff...@vpnc.org> said: >> >>> On Oct 15, 2012, at 7:39 AM, Alexander Gall <g...@switch.ch> >>> wrote: >>>> A hardware HSM allows you to detect when your keys get stolen >>>> (provided the hardware does not implement extraction of the keys, >>>> of course). In our case, this is the *only* reason we use a HSM >>>> at all. >> >>> A properly-designed software-based HSM in a tamper-evident box >>> would have the same property. >> >> Of course. I'm not sure if that was what Miek implied in his >> question, though. If it was, my point is obviously moot. > > Well, I'm not sure :) I was thinking that making your own hardware > might be a step to far and was interested in the reasons for doing so. > Hence my question. > > Making a tamper-evident box with SoftHSM is (I think) much easier to > do, more scalable and done quicker.
Right. I think that one question has not been asked so far: why? What's the real benefit that you'd get out of this? Also consider (and try to estimate the cost of) the effort you'd need to put in to make this "right", whatever that means. Robert _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
