Yeah,

> However, with SoftHSM you still deal with key material in software, aka
> process memory of the CPU. The symmetric wrapping keys have no more
> protection than the private key to be wrapped.

True. But as long as it sits behind the generic PKCS #11 API that is a choice made at deployment time by the operator; any other HSM can replace it if so desired. Bypassing PKCS #11 to do all private key processing in the PKCS #11 client software renders that option invalid.

-Rick
