[dns-operations] .de DNSSEC issue root cause
Paul Wouters
paul at nohats.ca
Wed Jun 17 02:42:54 UTC 2026
On Mon, 15 Jun 2026, Petr Špaček wrote:
> On 12. 06. 26 20:05, Randy Bush wrote:
>>> - choose your HSM vendors carefully so that there are opportunities to
>>> replicate secrets between HSMs without exposing them. This is not
>>> impossible.
>> no standard exists
>
> Define 'standard'.
>
> PKCS#11 offers C_WrapKey operation to export private keys without exposing
> them in plain text. C_UnwrapKey then imports it on the other end.
You misunderstood. PKCS#11 can encrypt / decrypt, but you would still
know the key, and thus can obtain the key material being encrypted.
A real HSM to HSM transport of keys involve some kind of system where
the key material is encrypted in a form where you do not have the
decryption key but the other HSM does have the decryption key. An
example of this is a new iphone that pulls in data from an old iphone.
The iphones setup a session in such a way that key material does from
one secure enclave to the other, but outside that enclave (even on
the running iOS) there are not ways to decrypt this data stream.
Yes, two HSMs could do an IKE or TLS ephemeral key exchange to get a
session going over which they can securely transport whatever, but as
Randy said, there is no standard for that (And most HSMs dont have an
IP stack, it is usually the OS in front of it that does that part).
Paul
More information about the dns-operations
mailing list