On 03/16/2010 11:16 PM, Rickard Bellgrim wrote:
> On 16 mar 2010, at 13.50, Tomas Gustavsson wrote:
>
>> If using PKCS#11 I would personally not go down a path that is not
>> commonly used. The common usage of smart cards and hardware security
>> modules always stores both the private (as a sensitive object) and the
>> public key (either as a public key or as an x.509 certificate).
>> This works and is well tested and is sure to work across a wide range of
>> smart cards and hardware security modules.
>>
>> Why is this not suitable for OpenDNSSEC?
>>
> We currently do use both the private and public key object. It is just that
> we have heard different stories. E.g. when I tried to get a similar patch
> into pkcs11-tool one year ago. And from others saying that it is important to
> save the space in the HSM due to licensing or limited space.
>
> And your recommendation from the smartcard industry is to use both the private
> and public key object?
>
Definitely my recommendation. I'm also working with all the big HSM vendors and
you don't have to save space on any of them, at a minimum you can store about
one hundred objects in a single slot. So for PKI purposes there is vast space
available. None of the big HSM vendors license per storage, it's simply a
one-time purchase price of the HSM hardware (+ support costs that are a
percentage of the price).

Keep it simple :-)

Cheers,
Tomas

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
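A practical way to verify the convention Tomas recommends (every private key on the token has a public key or certificate object sharing its CKA_ID, and the private key is marked sensitive) is to audit the object listing a PKCS#11 token returns. The script below is an added example, not code from the thread, from OpenSC or from OpenDNSSEC: it parses the text layout that `pkcs11-tool --list-objects` prints ("Private Key Object; RSA" headers followed by indented "label:", "ID:", "Usage:" and "Access:" attribute lines; that layout is assumed from the tool's usual output) and reports private keys with no matching public half, plus private keys whose Access flags show them as extractable or not sensitive. The embedded listing is constructed for the demonstration; the "orphan" key at ID 03 is there to trigger both findings.

```python
"""Audit a pkcs11-tool object listing for the private/public pairing convention.

Added example (not from the mailing-list thread, OpenSC or OpenDNSSEC).
Assumed input format: the text `pkcs11-tool --module <lib> --login --list-objects`
prints.  Real usage:

    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login --pin 1234 \
        --list-objects | python3 audit_pkcs11_listing.py

Generating a pair the recommended way (private + public object, same CKA_ID):

    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login --pin 1234 \
        --keypairgen --key-type rsa:2048 --id 01 --label ksk-2010
"""
import re
import sys
from dataclasses import dataclass, field

# "Private Key Object; RSA", "Public Key Object; RSA 2048 bits", "Certificate Object; type = X.509 cert"
HEADER_RE = re.compile(r"^(Private Key|Public Key|Secret Key|Certificate|Data) Object; (.*)$")
# Indented attribute line, e.g. "  ID:         01" or "  subject:    DN: CN=zsk-2010"
ATTR_RE = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*)$")

# Constructed sample listing (not captured from a real token).
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x12345)
Private Key Object; RSA
  label:      ksk-2010
  ID:         01
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      ksk-2010
  ID:         01
  Usage:      verify
  Access:     local
Private Key Object; RSA
  label:      zsk-2010
  ID:         02
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      zsk-2010
  subject:    DN: CN=zsk-2010
  ID:         02
Private Key Object; RSA
  label:      orphan
  ID:         03
  Usage:      sign
  Access:     extractable, local
"""


@dataclass
class Pkcs11Object:
    cls: str                      # "Private Key", "Public Key", "Certificate", ...
    info: str                     # rest of the header line, e.g. "RSA 2048 bits"
    attrs: dict = field(default_factory=dict)

    @property
    def id(self):
        return self.attrs.get("ID")

    @property
    def label(self):
        return self.attrs.get("label")

    @property
    def access_flags(self):
        """Access line split into individual flags ("sensitive", "never extractable", ...)."""
        return [f.strip() for f in self.attrs.get("Access", "").split(",") if f.strip()]


def parse_list_objects(text):
    """Turn pkcs11-tool --list-objects output into Pkcs11Object records."""
    objects, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Pkcs11Object(m.group(1), m.group(2).strip())
            objects.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attrs[m.group(1).strip()] = m.group(2).strip()
    return objects


def unpaired_private_keys(objects):
    """Private keys with no public key or certificate object carrying the same CKA_ID."""
    public_ids = {o.id for o in objects if o.cls in ("Public Key", "Certificate") and o.id}
    return [o for o in objects if o.cls == "Private Key" and o.id not in public_ids]


def weakly_protected_private_keys(objects):
    """Private keys whose Access flags lack 'sensitive' or include plain 'extractable'."""
    bad = []
    for o in objects:
        if o.cls != "Private Key":
            continue
        flags = o.access_flags
        if "sensitive" not in flags or "extractable" in flags:
            bad.append(o)
    return bad


def audit(text):
    """Return (unpaired, weakly_protected) lists for a listing; empty lists mean a clean token."""
    objects = parse_list_objects(text)
    return unpaired_private_keys(objects), weakly_protected_private_keys(objects)


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    unpaired, weak = audit(listing)
    for o in unpaired:
        print(f"no public key/certificate with ID {o.id} for private key '{o.label}'")
    for o in weak:
        print(f"private key '{o.label}' (ID {o.id}) is not sensitive/non-extractable: {o.attrs.get('Access')}")
    sys.exit(1 if (unpaired or weak) else 0)
```

The pairing check is what a signer such as OpenDNSSEC relies on when it locates the public half of a key by CKA_ID, and the Access check catches a key that was imported or generated without CKA_SENSITIVE, which is the property that keeps the private key material inside the device.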