PKCS#11 stuff: "sign-only" vs "crypto-accelerator"
Johan Ihren
johani at johani.org
Wed Feb 10 15:38:35 UTC 2010
On 10 Feb 2010, at 13:03, Johan Ihren wrote:
> I'm playing with this (9.7.0rc2) and have a few questions.
Follow up question:
5. I'd really like to get away from the ugly and confusing K-files. As the keys are in the HSM and dnssec-signzone is talking to the HSM, it would seem that we're so close but still need to do the extraction of the public key to a K-file.
My guess is that the only real need left is the meta data in the new K-file format. If so, I think you would do the world a major service if you moved the meta data somewhere else (a single file for meta data about all keys?) before letting all the 9.7-changes loose in a release version.
So this turned out to not be a question at all but rather a request to reconsider the change of the K-file format for the first time in ten years and instead consider putting the new stuff elsewhere to simplify future removal of the K-files altogether.
On the other hand it could be that I'm missing something and that there are more reasons for why it would be really hard to entirely do away with the K-files in spite of the actual key material being stored in the HSM.
Regards,
Johan