<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
That could be a really interesting project. I'm not sure how can I
contribute, but I'd love to see that happen.<br>
<br>
~Carlos<br>
<br>
On 10/14/12 3:10 PM, Ondřej Surý wrote:
<blockquote cite="mid:69C4FA3D-35F4-4BDB-8A27-03F861856D89@nic.cz"
type="cite">
<pre wrap="">Just a question - would anyone would be interested in joining a project to build an OpenHardware FPGA-based HSM with focus on DNSSEC?
O.
On 16. 8. 2012, at 2:24, George Michaelson <a class="moz-txt-link-rfc2396E" href="mailto:ggm@apnic.net"><ggm@apnic.net></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
I got 8 replies. 2 ccTLD, 2 root Ops, almost everyone in s/w development or operational related roles, and some independent consultants.
Only one happy user, and I'd qualify that: they'd want a longterm migration plan off the device. This person is using Solaris.
Everyone said avoid more than 255 keys on the device. Several said use the import/export mechanism.
Two people explicitly mentioned the bad Linux driver.
The overall tone of the (small sample) responses is: "this is not a good choice right now"
My context is not DNSSEC, its RPKI, which has a far larger keypair requirement. Noting a suggestion to re-use keypairs, I'd still have to risk-manage future potential for multiple keys per hosted client, and exceed the on-card keystore size, so the suggestion to use the import/export features makes sense. Having said that, documentation on this is really scant, and its hard to confirm how easily you can manage this given there is no explicit OpenSSL PKCS11 support for managing PKCS12 wrapped objects, and you are therefore using a java or shell command to do the key import, followed by OpenSSL engine, followed by shell/java to remove the key.
If you use a pure Java solution its probably more tenable.
Thank you to everyone for the response. I hope this summary meets a sense of privacy, and OT posting.
-G
_______________________________________________
dns-operations mailing list
<a class="moz-txt-link-abbreviated" href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a>
<a class="moz-txt-link-freetext" href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a>
dns-jobs mailing list
<a class="moz-txt-link-freetext" href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a>
</pre>
</blockquote>
<pre wrap="">
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
<a class="moz-txt-link-freetext" href="mailto:ondrej.sury@nic.cz">mailto:ondrej.sury@nic.cz</a> <a class="moz-txt-link-freetext" href="http://nic.cz/">http://nic.cz/</a>
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
dns-operations mailing list
<a class="moz-txt-link-abbreviated" href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a>
<a class="moz-txt-link-freetext" href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a>
dns-jobs mailing list
<a class="moz-txt-link-freetext" href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
--
Carlos M. Martinez
LACNIC R+D
<a class="moz-txt-link-freetext" href="http://www.labs.lacnic.net">http://www.labs.lacnic.net</a></pre>
</body>
</html>