>Generating keys is defined in pkcs#11, not doing it would mean you are not
>supporting pkcs#11.

They said they supported pkcs#11, but they do some extra things to avoid creating keys using the API directly; it's for security purposes, they said.

>"your APIs" = pkcs#11 and HSM vendors should support that.

So the vendor does some tricks with the use of pkcs#11? For security purposes, did the vendors' HSMs you have tested have any special limitations for key generation?

>OpenDNSSEC lists a bunch a HSMs that work with it and AFAICT they all
>do pkcs#11.

I think the vendor we have been talking to in our country abides by the rules of some authorities, and we are afraid that foreign products may not pass the authentication of the security authority here.

Best regards,
Stuart

From: Miek Gieben
Date: 2012-10-08 14:40
To: 刘硕
CC: opendnssec-user
Subject: Re: [Opendnssec-user]
[ Quoting <[email protected]> in "[Opendnssec-user]..." ]
> Hi all,
>  
> Take key generation for example: the vendors' HSM devices allow creating keys
> with software API though they are both using PKCS#11, keys in HSM devices must be
> created manually with administrator permission and it is the same case with

Generating keys is defined in pkcs#11, not doing it would mean you are not
supporting pkcs#11.

> And we also found out that HSM devices do not support <TokenLabel> which is
> used by SoftHSM's slot, only KeyLabel is supported, that means it designates a
> specific key to do the signing work instead of the keys in a slot.
>  
> people can do their own programming work with your APIs if they exist in order
> to adapt to HSM devices?

"your APIs" = pkcs#11 and HSM vendors should support that.

> Has anybody ever met the same problem as ours?

OpenDNSSEC lists a bunch of HSMs that work with it and AFAICT they all
do pkcs#11.

 Regards,

-- 
    Miek Gieben                                                   http://miek.nl
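For readers unfamiliar with the `<TokenLabel>` element discussed in the quoted message: in OpenDNSSEC's conf.xml, each `<Repository>` entry points at a PKCS#11 module and selects the token (slot) to work in by its label; OpenDNSSEC then generates and manages its own keys inside that token through the PKCS#11 API, which is why an HSM that only exposes pre-made, individually labelled keys does not fit this model. The fragment below is an added illustration, not text from this thread or a file shipped with OpenDNSSEC; the module paths, token labels, PINs and repository names are placeholders.

```xml
<!-- Added example: the RepositoryList portion of an OpenDNSSEC conf.xml.
     One repository is SoftHSM, a second is a hypothetical vendor HSM
     reached through its own PKCS#11 module. All values are placeholders. -->
<RepositoryList>

  <!-- SoftHSM: keys are created by OpenDNSSEC itself inside the token
       whose label matches <TokenLabel>, using C_GenerateKeyPair. -->
  <Repository name="SoftHSM">
    <Module>/usr/lib/softhsm/libsofthsm.so</Module>   <!-- placeholder path -->
    <TokenLabel>OpenDNSSEC</TokenLabel>              <!-- token initialised beforehand -->
    <PIN>1234</PIN>                                  <!-- placeholder PIN; keep out of world-readable files -->
    <Capacity>1000</Capacity>                        <!-- max keys OpenDNSSEC will keep here -->
  </Repository>

  <!-- A vendor HSM that speaks PKCS#11: same structure, only the module
       and the token label change. OpenDNSSEC still expects to find a
       token by label and to create its keys in it over the API. -->
  <Repository name="VendorHSM">
    <Module>/opt/vendor/lib/libvendor-pkcs11.so</Module>  <!-- placeholder path -->
    <TokenLabel>DNSSEC-Signing</TokenLabel>              <!-- placeholder label -->
    <PIN>placeholder-pin</PIN>
    <Capacity>500</Capacity>
    <RequireBackup/>   <!-- refuse to use new keys until the HSM has been backed up -->
  </Repository>

</RepositoryList>
```

The repository `name` is what the KASP policy refers to when choosing where KSKs and ZSKs live, and the `<TokenLabel>` is what `ods-hsmutil` and the signer use to locate the slot; if a device cannot return a matching token label or refuses `C_GenerateKeyPair` from the application, it will surface exactly as the failure the original poster describes, regardless of the module path used.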
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
