[dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?

Ondřej Surý ondrej.sury at nic.cz
Sun Oct 14 19:01:25 UTC 2012


On 14. 10. 2012, at 13:37, Carlos M. Martinez <carlosm3011 at gmail.com> wrote:

> That could be a really interesting project. I'm not sure how I can contribute, but I'd love to see that happen.

Even helping define requirements (when we start gathering them) would be a tremendous help...

> ~Carlos
> 
> On 10/14/12 3:10 PM, Ondřej Surý wrote:
>> Just a question - would anyone be interested in joining a project to build an OpenHardware FPGA-based HSM with focus on DNSSEC?
>> 
>> O.
>> 
>> On 16. 8. 2012, at 2:24, George Michaelson <ggm at apnic.net> wrote:
>> 
>> 
>>> I got 8 replies. 2 ccTLD, 2 root Ops, almost everyone in s/w development or operational related roles, and some independent consultants.
>>> 
>>> Only one happy user, and I'd qualify that: they'd want a long-term migration plan off the device. This person is using Solaris.
>>> 
>>> Everyone said avoid more than 255 keys on the device. Several said use the import/export mechanism.
>>> 
>>> Two people explicitly mentioned the bad Linux driver. 
>>> 
>>> The overall tone of the (small sample) responses is: "this is not a good choice right now"
>>> 
>>> 
>>> My context is not DNSSEC, it's RPKI, which has a far larger keypair requirement. Noting a suggestion to re-use keypairs, I'd still have to risk-manage future potential for multiple keys per hosted client, and exceed the on-card keystore size, so the suggestion to use the import/export features makes sense. Having said that, documentation on this is really scant, and it's hard to confirm how easily you can manage this given there is no explicit OpenSSL PKCS11 support for managing PKCS12 wrapped objects, and you are therefore using a Java or shell command to do the key import, followed by OpenSSL engine, followed by shell/Java to remove the key.
>>> 
>>> If you use a pure Java solution it's probably more tenable.
>>> 
>>> Thank you to everyone for the response. I hope this summary meets a sense of privacy, and OT posting.
>>> 
>>> -G
>>> _______________________________________________
>>> dns-operations mailing list
>>> 
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>> 
>>> dns-jobs mailing list
>>> 
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>> --
>>  Ondřej Surý -- Chief Science Officer
>>  -------------------------------------------
>>  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>>  Americka 23, 120 00 Praha 2, Czech Republic
>>  
>> mailto:ondrej.sury at nic.cz    http://nic.cz/
>> 
>>  tel:+420.222745110       fax:+420.222745112
>>  -------------------------------------------
> 
> 
> -- 
> 
> --
> Carlos M. Martinez
> LACNIC R+D
> 
> http://www.labs.lacnic.net

--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury at nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------
