Slightly off-topic but I guess some of you guys have more insight in HSMs than most other people have :-)
In a recent project there was a requirement for frequent and *automated* renewals of certificates. The renewal procedure is based on creating a self-signed request which is then signed by the original key. It appears that the new key cannot (for a *remote* CA) be guaranteed to have been created and residing in the HSM, which means that even if you use a rigorous "key ceremony" for the initial key you will almost be down at the "soft token" level after the very first renewal :-)

Comments?

Anders

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
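The renewal flow the post describes (self-signed request for the new key, countersigned by the currently certified key), written out as an added example that is not part of the original message, using the Python `cryptography` package and constructed keys and names. It shows what a remote CA can actually verify from the two signatures: possession of the new key and possession of the old key, nothing about where the new key was generated, which is exactly the gap the post points at.

```python
"""Renewal request countersigned by the old key, and the CA-side checks.

Added illustration (not from the opensc-devel thread). All keys are generated
in software here; the "old" key stands in for the HSM-resident key."""
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ALG = ec.ECDSA(hashes.SHA256())


def make_csr(new_key):
    """Self-signed request for the replacement key: proves possession of new_key only."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "renewal.example")])  # constructed
    return x509.CertificateSigningRequestBuilder().subject_name(name).sign(new_key, hashes.SHA256())


def countersign(csr, old_key):
    """Sign the DER-encoded CSR with the key that is currently certified."""
    return old_key.sign(csr.public_bytes(serialization.Encoding.DER), ALG)


def ca_accepts(csr, countersig, old_pub):
    """Everything a remote CA can check: CSR self-signature plus the old-key countersignature.
    Neither signature carries any evidence that new_key lives in an HSM."""
    if not csr.is_signature_valid:
        return False
    try:
        old_pub.verify(countersig, csr.public_bytes(serialization.Encoding.DER), ALG)
    except InvalidSignature:
        return False
    return True


def renewal_demo():
    """Returns (accepted_for_software_new_key, accepted_for_wrong_countersigner)."""
    old_key = ec.generate_private_key(ec.SECP256R1())    # stand-in for the HSM-resident key
    new_key = ec.generate_private_key(ec.SECP256R1())    # plain software key: the CA cannot tell
    rogue_key = ec.generate_private_key(ec.SECP256R1())  # someone without the old key
    csr = make_csr(new_key)
    good = ca_accepts(csr, countersign(csr, old_key), old_key.public_key())
    bad = ca_accepts(csr, countersign(csr, rogue_key), old_key.public_key())
    return good, bad


if __name__ == "__main__":
    print(renewal_demo())
```

The first result is True even though the replacement key never touched an HSM; only the second check (wrong countersigner) fails, so the countersignature binds the renewal to the old key's holder, not to the old key's storage.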