PKCS#11 stuff: "sign-only" vs "crypto-accelerator"

Johan Ihren johani at johani.org
Wed Feb 10 23:06:15 UTC 2010


Hi Evan,

On 10 Feb 2010, at 19:21, Evan Hunt wrote:

>> 5. I'd really like to get away from the ugly and confusing K-files. As
>> the keys are in the HSM and dnssec-signzone is talking to the HSM it
>> would seem that we're so close but still need to do the extraction of
>> the public key to a K-file.
> 
> The public key needs to be somewhere--in the DNSKEY RRset for your zone,
> if nothing else--and a reference to the private key needs to be somewhere
> that named can find it, too, or else how does named know which HSM key
> to use?

Of course. So there needs to be meta data. Meta data per zone, not per key.

> The named code itself doesn't really understand HSMs; it just knows how to
> load a key file.  Loading the key file produces an object in memory, which
> is either a blob of key data or a reference to an HSM key.  Either way,
> named passes that object off to openssl, which figures out what to do with
> it.

Of course. So there needs to be meta data that contains a reference to a key, either in an HSM, in a file or in my pocket.

>> My guess is that the only real need left is the meta data in the new
>> K-file format. If so, I think you would do the world a major service if
>> you moved the meta data somewhere else (a single file for meta data about
>> all keys?) before letting all the 9.7-changes loose in a release version.
> 
> In fact, I do wish I had done this.  It's too late for 9.7.0 now, but we
> may change the metadata storage in a future release.  I had originally
> planned to use a third K* file, probably called K*.meta, and leave the
> format of the .private file alone.  I talked myself out of it, and now
> I've come to regret that.

;-)

I understand that it is too late for 9.7.0, but when(!) you change this in a future release, please consider not locating it in K*.meta but rather in a file per zone with a predictable name. Having to scan directories is not a great idea.

Regards,

Johan
