>This is very surprising to me, as we have proven interoperability with quite a
>few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list
Yes, I have seen that page.
>What vendors have you been talking to?
We have been talking to a vendor in China.
I think the vendor we have been talking to in our country abides by the rules of some
authorities, and we are afraid that foreign products may not pass the authentication
of the security authority here. So what you have tested may not be suitable for us...
OMG!
Best regards,
Stuart
From: Jakob Schlyter
Date: 2012-10-08 14:55
To: shuoleo
CC: opendnssec-user; Patrik Wallström
Subject: Re: [Opendnssec-user]
On 8 okt 2012, at 08:30, 刘硕 <shuo...@126.com> wrote:
> We have been testing DNSSEC with OpenDNSSEC+SoftHSM, it has been working well.
> But recently we decided to buy a HSM to replace SoftHSM to do signing work and
> keys storage. After consulting with some of the HSM vendors here, we found out
> that almost no devices can cooperate with OpenDNSSEC.
This is very surprising to me, as we have proven interoperability with quite a
few HSMs; see https://wiki.opendnssec.org/display/DOCREF/HSM for a full list
What vendors have you been talking to?
> Take key generation for example: the vendors' HSM devices allow creating keys
> with a software API though they are both using PKCS#11; keys in HSM devices must be
> created manually with administrator permission, and it is the same case with
> removing keys.
Yes, there exist HSMs (e.g., AEP) that can limit key generation and
destruction, and OpenDNSSEC can be set up to work with those. However, all keys
must be created via PKCS#11.
jakob
--
Jakob Schlyter
Kirei AB - http://www.kirei.se/
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
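An added illustration, not part of the thread above and not taken from the OpenDNSSEC project's own files: the Repository entries in conf.xml that point OpenDNSSEC at a PKCS#11 module. The first entry is the SoftHSM setup the thread says is already working; the second is a placeholder for a vendor HSM, with a made-up module path, token label and PIN that have to be replaced with the vendor's values. Element names follow the OpenDNSSEC 1.x conf.xml layout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <RepositoryList>

    <!-- Existing SoftHSM repository: keys live in a software token,
         everything (generate, sign, destroy) goes through PKCS#11. -->
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
      <!-- Some tokens cannot hold a separate public-key object;
           OpenDNSSEC then takes the public parameters from the
           private key instead. Harmless for SoftHSM. -->
      <SkipPublicKey/>
    </Repository>

    <!-- Placeholder for a vendor HSM (hypothetical path, label and PIN).
         OpenDNSSEC will call C_GenerateKeyPair through this module
         itself; an HSM that only lets an administrator create keys
         out of band will fail here, which is the check to run before
         buying. -->
    <Repository name="VendorHSM">
      <Module>/opt/vendor-hsm/lib/libvendorpkcs11.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>change-me</PIN>
      <!-- Cap on the number of keys OpenDNSSEC keeps in this token,
           useful when the HSM has a small object limit. -->
      <Capacity>64</Capacity>
      <!-- Do not publish a key until it has been marked as backed up
           (ods-ksmutil backup), so a single-HSM failure cannot strand
           a live zone without its signing key. -->
      <RequireBackup/>
    </Repository>

  </RepositoryList>

  <Common>
    <Logging>
      <Syslog><Facility>local0</Facility></Syslog>
    </Logging>
    <PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
    <ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
  </Common>
</Configuration>
```

With the vendor module configured, `ods-hsmutil test VendorHSM` drives key generation, signing and deletion through that module, so the restriction the thread describes (keys creatable only by an administrator, not via the PKCS#11 API) shows up as a failed test rather than as a stalled enforcer on the first key rollover. The same command against the SoftHSM repository gives a known-good baseline to compare the vendor's output with.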