On Fri, 20 Jun 2014, Rick van Rein wrote:
> What you want is a bypass for private key protection… which is exactly what PKCS #11 is designed to avoid.

But the key extraction could be via a non-PKCS#11 method. It could also insist on some additional permissions (unix, selinux or otherwise).

> This sounds to me like you should not be looking for problem resolution in SoftHSM, but in the surrounding process. It might transpire that your application is unsuitable for use with PKCS #11, or requires more advanced cryptography that can deal with encapsulated private keys.
Hardware HSMs often also allow some kind of export, to allow running the same private keys amongst shared devices. Usually, after sharing they can be put into a no-more-export mode. With softhsm, the library could still not allow any exports while some softhsm util could allow this.

Paul (note that I don't know the details of Petr's requirements)

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
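The exchange above turns on two PKCS #11 attributes, CKA_SENSITIVE and CKA_EXTRACTABLE, and on the fact that both are one-way latches: a key can go from non-sensitive to sensitive and from extractable to non-extractable, never back. That is the "share, then no-more-export" mode Paul describes, and it is also why a conforming C_GetAttributeValue or C_WrapKey can never be the extraction path, while a tool that reads the token's backing store directly is not bound by the API at all. The following is an added illustration written for this page, not code from the thread, from SoftHSM, or from any PKCS #11 module. It models the attribute rules of PKCS #11 v2.20 in plain Python; the return-code values are the ones from pkcs11t.h, the "wrap" is a toy SHA-256 keystream standing in for a real wrapping mechanism such as CKM_AES_KEY_WRAP, and reporting a forbidden attribute transition as CKR_ATTRIBUTE_READ_ONLY is this model's choice (the spec forbids the transition; the exact code a given token returns can vary).

```python
"""Model of PKCS #11 private-key protection: CKA_SENSITIVE / CKA_EXTRACTABLE
latches, the two API calls they gate, and the out-of-band path they do not.
Added example; not SoftHSM code and not a PKCS #11 module.
"""
import hashlib

# Return codes as defined in pkcs11t.h.
CKR_OK = 0x00
CKR_ATTRIBUTE_READ_ONLY = 0x10
CKR_ATTRIBUTE_SENSITIVE = 0x11
CKR_KEY_UNEXTRACTABLE = 0x6A


class Pkcs11Error(Exception):
    def __init__(self, rv: int):
        super().__init__(f"CKR 0x{rv:02X}")
        self.rv = rv


def _keystream(wrapping_key: bytes, n: int) -> bytes:
    # Toy stand-in for a real key-wrap mechanism (assumption for this
    # example only): a SHA-256 counter keystream XORed over the key bytes.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(wrapping_key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


class PrivateKeyObject:
    """A token-resident private key with its four protection attributes."""

    def __init__(self, value: bytes, sensitive: bool, extractable: bool):
        self._value = value                        # CKA_VALUE / key components
        self.sensitive = sensitive                 # CKA_SENSITIVE
        self.extractable = extractable             # CKA_EXTRACTABLE
        self.always_sensitive = sensitive          # CKA_ALWAYS_SENSITIVE
        self.never_extractable = not extractable   # CKA_NEVER_EXTRACTABLE

    # C_SetAttributeValue: sensitive may only go False -> True.
    def set_sensitive(self, flag: bool) -> None:
        if self.sensitive and not flag:
            raise Pkcs11Error(CKR_ATTRIBUTE_READ_ONLY)
        self.sensitive = flag
        if not flag:
            self.always_sensitive = False

    # C_SetAttributeValue: extractable may only go True -> False.
    def set_extractable(self, flag: bool) -> None:
        if not self.extractable and flag:
            raise Pkcs11Error(CKR_ATTRIBUTE_READ_ONLY)
        self.extractable = flag
        if flag:
            self.never_extractable = False

    # C_GetAttributeValue(CKA_VALUE): plaintext only for non-sensitive keys.
    def get_value(self) -> bytes:
        if self.sensitive:
            raise Pkcs11Error(CKR_ATTRIBUTE_SENSITIVE)
        return self._value

    # C_WrapKey: encrypted export only while the key is extractable.
    def wrap(self, wrapping_key: bytes) -> bytes:
        if not self.extractable:
            raise Pkcs11Error(CKR_KEY_UNEXTRACTABLE)
        ks = _keystream(wrapping_key, len(self._value))
        return bytes(a ^ b for a, b in zip(self._value, ks))


def unwrap(blob: bytes, wrapping_key: bytes,
           sensitive: bool = True, extractable: bool = False) -> PrivateKeyObject:
    """C_UnwrapKey on the receiving token; the copy is born locked down."""
    ks = _keystream(wrapping_key, len(blob))
    return PrivateKeyObject(bytes(a ^ b for a, b in zip(blob, ks)),
                            sensitive, extractable)


def attempt(fn, *args) -> int:
    """Call a PKCS #11-style operation and return its CKR code."""
    try:
        fn(*args)
        return CKR_OK
    except Pkcs11Error as e:
        return e.rv


def raw_storage_dump(key: PrivateKeyObject) -> bytes:
    # Paul's "non-PKCS#11 method": anything that can read the token's
    # backing store gets the bytes regardless of the CKA_* flags.
    return key._value


def share_then_lock(value: bytes, wrapping_key: bytes) -> dict:
    """Export to a second device, then enter no-more-export mode."""
    src = PrivateKeyObject(value, sensitive=True, extractable=True)
    blob = src.wrap(wrapping_key)          # allowed: still extractable
    dst = unwrap(blob, wrapping_key)       # second device now holds a copy
    src.set_extractable(False)             # latch: no further exports
    return {
        "plaintext_read": attempt(src.get_value),          # 0x11
        "second_wrap": attempt(src.wrap, wrapping_key),    # 0x6A
        "unlock_attempt": attempt(src.set_extractable, True),  # 0x10
        "copy_matches": raw_storage_dump(dst) == raw_storage_dump(src),
        "never_extractable_src": src.never_extractable,    # False: it was once
        "never_extractable_dst": dst.never_extractable,    # True: born locked
    }
```

The point for the surrounding process is the last two lines of the dict: CKA_NEVER_EXTRACTABLE on the source stays False forever, so an auditor can tell a key that was ever shareable from one that never was, and `raw_storage_dump` works on both. Protecting the key therefore means protecting the token's storage and the util that reads it (file permissions, SELinux or similar, as Paul suggests), not relying on the API flags alone.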
