[dns-operations] OpenHardware FPGA-based HSM SCA6000 with OpenSSL?

Miek Gieben miek at miek.nl
Mon Oct 15 17:09:06 UTC 2012

[ Quoting <gall at switch.ch> in "Re: [dns-operations] OpenHardware F..." ]
> On Mon, 15 Oct 2012 09:13:45 -0700, Paul Hoffman <paul.hoffman at vpnc.org> said:
> > On Oct 15, 2012, at 7:39 AM, Alexander Gall <gall at switch.ch> wrote:
> >> A hardware HSM allows you to detect when your keys get stolen
> >> (provided the hardware does not implement extraction of the keys, of
> >> course).  In our case, this is the *only* reason we use a HSM at all.
> > A properly-designed software-based HSM in a tamper-evident box would have the same property.
> Of course.  I'm not sure if that was what Miek implied in his
> question, though.  If it was, my point is obviously moot.

Well, I'm not sure :) I was thinking that making your own hardware might be a
step to far and was interested in the reasons for doing so. Hence my question.

Making a tamper-evident box with SoftHSM is (I think) much easier to do, more 
scalable and done quicker.

But isn't OpenDNSSEC created for this?


    Miek Gieben                                                   http://miek.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20121015/2b119435/attachment.sig>

More information about the dns-operations mailing list