[dns-operations] OpenHardware FPGA-based HSM SCA6000 with OpenSSL?

Luis Diego Espinoza S. lespinoz at nic.cr
Tue Oct 16 14:49:53 UTC 2012

My comments on this,

HSM could be helpful for re-signing process (if you want to do it on hardware cryptography), if it's has a cryptographic accelerator (a different chip).
The concept of sign/s is relevant in this scenario, then a 10 sign/s of a Smart Card versus the 7500 sign/s from the $6k PCI accelerator in the link of Richard Lamb could be relevant for a big zone.

In our case, a device that can sign 1 per second is enough for our 15k domains and reloading time slot of 1 hour (the process takes 15 minutes).
Then, the size of the zone and frequency expected for resigning process are important parameters for the design of the HSM.

Buy an HSM of 25k sign/s only to store keys, no makes sense.

But, it's true, that keeping keys on HSM y signing on software, the general purpose processors like Intel Xeon or AMD is enough.


On Oct 16, 2012, at 10:11 AM, Paul Wouters <paul at cypherpunks.ca> wrote:

> On Tue, 16 Oct 2012, WBrown at e1b.org wrote:
>> What about joining forces with the OpenDNSSEC team to add support for
>> using GPUs to do the number crunching in OpenHSM?  Much of the design work
>> for the HSM and PKCS#11 has already been done.
> Quad core CPU's are more then fast enough for signing even the largest
> TLDs. HSMs are only useful for protecting the keys, not to gain speed.
> Paul
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Luis D. Espinoza
Jefe TI - NIC Costa Rica

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20121016/22adb89f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firmasNicLDE-ES.jpg
Type: image/jpeg
Size: 60615 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20121016/22adb89f/attachment.jpg>

More information about the dns-operations mailing list