PKCS#11 stuff: "sign-only" vs "crypto-accelerator"

Paul Wouters paul at xelerance.com
Wed Feb 10 17:07:03 UTC 2010


On Wed, 10 Feb 2010, Johan Ihren wrote:

> Follow up question:
>
> 5. I'd really like to get away from the ugly and confusing K-files. As the keys are in the HSM and dnssec-signzone is talking to the HSM it would seem that we're so close but still need to do the extraction of the public key to a K-file.

The K* files are really useful in environments that migrate from/to an HSM or that have only
some keys in the HSM but not all (KSK vs ZSK for example). It would be bad if the K files go
away. Those are also kind of becoming a 'standard' way of storing this information.

> My guess is that the only real need left is the meta data in the new K-file format. If so, I think you would do the world a major service if you moved the meta data somewhere else (a single file for meta data about all keys?) before letting all the 9.7-changes loose in a release version.

That would make me unhappy :/

Paul


