PKCS#11 stuff: "sign-only" vs "crypto-accelerator"
Johan Ihren
johani at johani.org
Wed Feb 10 17:30:12 UTC 2010
On 10 Feb 2010, at 18:07, Paul Wouters wrote:
> On Wed, 10 Feb 2010, Johan Ihren wrote:
>
>> Follow up question:
>>
>> 5. I'd really like to get away from the ugly and confusing K-files. As the keys are in the HSM and dnssec-signzone is talking to the HSM it would seem that we're so close but still need to do the extraction of the public key to a K-file.
>
> The K* files are really useful in environments that migrate from/to an HSM or that have only
> some keys in the HSM but not all (KSK vs ZSK for example). It would be bad if the K files go
> away. Those are also kind of becoming a 'standard' way of storing this information.
I know. But "standard" today is a very, very small number of installations compared to what we hope to have in a few years' time. And the K-files are an artifact of a prior age (when encryption was considered dangerous and we were all young and inexperienced).
Step outside the convenience of the K-files that you know and try to design this from scratch in an environment where the cost of an HSM is dropping rapidly (actually dropping to zero if you include software alternatives). Taking rollovers and standby keys into account we're talking about ~8 K-files per zone and there are many installations with hundreds or thousands of zones (and more than that).
Would oodles of K-files with unpredictable names be the solution you came up with? Really?
>> My guess is that the only real need left is the meta data in the new K-file format. If so, I think you would do the world a major service if you moved the meta data somewhere else (a single file for meta data about all keys?) before letting all the 9.7-changes loose in a release version.
>
> That would make me unhappy :/
You have my sympathy ;-) And I agree that it is unlikely that the K-files will go away soon. I'm just arguing that we should make it easier, not harder, to get there. And not storing new meta data in the K-files would be a good choice from that POV.
Johan
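Added example, not part of the thread and not BIND's own code: the "unpredictable names" complaint above comes from the fact that a K-file is named after the key tag, which RFC 4034 Appendix B defines as a checksum over the DNSKEY RDATA (flags, protocol, algorithm, public key). The name therefore cannot be known until the public key itself has been extracted, which is exactly the step the HSM question asks to avoid. The snippet below computes the tag and the resulting K-file base name from a DNSKEY presentation-format line. The key material in it is constructed and far too short to be a real RSA key; the helper names are the author's own.

```python
import base64
import struct


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag per RFC 4034 Appendix B.

    For every algorithm except 1 (RSAMD5) the tag is a ones-complement-style
    16-bit sum over the RDATA bytes; even offsets contribute the high byte.
    Algorithm 1 uses the third- and second-to-last bytes of the public key.
    """
    if algorithm == 1:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into its fields."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, proto, alg = (int(t) for t in tokens[idx + 1 : idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4 :]))
    return owner, flags, proto, alg, pubkey


def kfile_basename(line: str) -> str:
    """Return the BIND-style K-file base name, Kowner+AAA+TTTTT, for a DNSKEY line."""
    owner, flags, proto, alg, pubkey = parse_dnskey_line(line)
    tag = key_tag(dnskey_rdata(flags, proto, alg, pubkey), alg)
    return "K%s+%03d+%05d" % (owner, alg, tag)


# Constructed sample records (not real keys): a KSK (flags 257) and a ZSK
# (flags 256) for the same zone with the same toy public key. Only the flags
# differ, yet they land in differently named K-files.
SAMPLE_KSK = "example.com. IN DNSKEY 257 3 8 AQIDBA=="
SAMPLE_ZSK = "example.com. 3600 IN DNSKEY 256 3 8 AQIDBA=="

if __name__ == "__main__":
    for rec in (SAMPLE_KSK, SAMPLE_ZSK):
        print(rec, "->", kfile_basename(rec) + ".key")
```

Because the tag is a function of the key bytes, a tool that keeps keys in an HSM still has to pull the public key out before it can even name the file it would write, which is why the metadata cannot simply be stored "next to" a K-file whose name is not yet known.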