[dns-operations] Summary: Anyone still using a Sun/Oracle SCA6000 with OpenSSL?

George Michaelson ggm at apnic.net
Mon Oct 15 04:45:10 UTC 2012

On 15/10/2012, at 2:41 PM, Richard Lamb <richard.lamb at icann.org> wrote:

> Why not the TPM migration method? I.e.
> The receiving HSM produces the public half of a master storage key.
> Then the starting HSM "authorizes" the key for use for exporting with pomp and circumstance ;-)
> Then the starting HSM encrypts its keys with this key (RSA) for transfer to the receiving HSM.
> Receiving HSM unwraps the key using its private key.
> Done

It's not a 'standard' as I understand it.

It's a fine idea. It's pretty much what Steve Kent said people do, but I've found SafeNet went out of their way to make this hard.

You have to do a weird RSA key induction process by cosigning the RSA key with a 3DES as a cipher block chain, then un-encode on the HSM, then re-bless the key for use as a masking/signing key, then use it to mask sign another key which has been flagged as suitable for export, and at each stage there are points where, if you are in FIPS mode, it can wipe because you said you wouldn't do that...

It's really ugly.

Migration to another SafeNet? Easy-as: bless it with the same security officer key, put it in the same 'domain' and just copy the damn keys over.
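
The wrap-and-unwrap flow quoted at the top of this message, as an added example that is not part of the original thread and not any vendor's procedure. The openssl CLI stands in for both HSMs, and the function names, file names and the AES-CBC plus HMAC layer are assumptions, used because a private key is too large to encrypt directly under RSA.

```shell
#!/bin/sh
# Added illustration: the openssl CLI stands in for both HSMs. On real HSMs
# none of these keys would ever exist as files. All file names are assumptions.

# Receiving side: create the master storage key pair; only recv.pub leaves.
recv_init() {  # $1 = working directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/recv.key" 2>/dev/null &&
    openssl pkey -in "$1/recv.key" -pubout -out "$1/recv.pub"
}

# Starting side: wrap $1/export.key for the holder of $1/recv.pub.
# A private key is too big for one RSA-OAEP block, so it is encrypted under
# a one-time AES key (plus HMAC key) and only those two are RSA-wrapped.
wrap_key() {
    enc=$(openssl rand -hex 32); mac=$(openssl rand -hex 32)
    openssl rand -hex 16 | tr -d '\n' > "$1/iv" &&
    openssl enc -aes-256-cbc -K "$enc" -iv "$(cat "$1/iv")" \
        -in "$1/export.key" -out "$1/blob" &&
    cat "$1/iv" "$1/blob" | openssl dgst -sha256 -mac HMAC \
        -macopt "hexkey:$mac" -binary > "$1/tag" &&
    printf '%s%s' "$enc" "$mac" | openssl pkeyutl -encrypt -pubin \
        -inkey "$1/recv.pub" -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 -out "$1/transport.wrapped"
}

# Receiving side: unwrap the transport keys, verify the MAC, then decrypt.
# Returns non-zero without writing imported.key if the blob was altered.
unwrap_key() {
    keys=$(openssl pkeyutl -decrypt -inkey "$1/recv.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$1/transport.wrapped") || return 1
    enc=$(printf '%s' "$keys" | cut -c1-64)
    mac=$(printf '%s' "$keys" | cut -c65-128)
    cat "$1/iv" "$1/blob" | openssl dgst -sha256 -mac HMAC \
        -macopt "hexkey:$mac" -binary | cmp -s - "$1/tag" || return 1
    openssl enc -d -aes-256-cbc -K "$enc" -iv "$(cat "$1/iv")" \
        -in "$1/blob" -out "$1/imported.key"
}
```

Only `recv.pub` travels to the starting side, and only `iv`, `blob`, `tag` and `transport.wrapped` travel back.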


