PKCS#11 stuff: "sign-only" vs "crypto-accelerator"
Evan Hunt
each at isc.org
Thu Feb 11 00:15:59 UTC 2010
> I understand all this. The question I'm asking is "In a DNSSEC ZONE
> GENERATION CONTEXT, what other operations than key generation and zone
> signing are there?". And if there is nothing else, then what is the
> *practical* difference between "crypto accelerator" and "sign only" when
> I'm only interested in zone generation?
I see. Signing means "hash the data, then encrypt the hash with the
private key". dnssec-signzone will also verify correctness by validating
the signed data, which means "decrypt the hash with the public key,
hash the data, and compare the two hashes".
As I understand it, in sign-only mode, the HSM is only used for "encrypt
the hash with the private key", and the CPU is used for hashing the data
and decrypting with the public key.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
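As an added illustration of the work split described above (this is example code, not part of the thread and not BIND or any PKCS#11 vendor's code): a model of a "sign-only" token that exposes nothing but the private-key operation, so hashing and the public-key check fall to the CPU, next to an "accelerator" token that offloads all three steps. The sign-then-validate flow mirrors what dnssec-signzone does. Textbook RSA without padding is used only to make the steps visible (real DNSSEC RSASHA256 signatures carry PKCS#1 v1.5 padding); the Mersenne-prime key, the RRset bytes and the class names are constructed for the example.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes (2^127-1 and 2^521-1).
# Unpadded textbook RSA: fine for showing who does which step, not for
# production signatures.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sha256_int(data: bytes) -> int:
    """Hash the RRset data and interpret the digest as an integer < N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class SignOnlyHSM:
    """Models a 'sign-only' PKCS#11 token (hypothetical class): the only
    operation it performs is the private-key operation on a host-supplied
    digest. The private exponent never leaves the object."""

    OFFLOADS = {"private_op"}

    def __init__(self, d: int, n: int):
        self._d, self._n = d, n
        self.public = (E, n)
        self.log = []  # records every step the token executed

    def private_op(self, digest: int) -> int:
        self.log.append("private_op")
        return pow(digest, self._d, self._n)


class AcceleratorHSM(SignOnlyHSM):
    """Models a 'crypto-accelerator' token (hypothetical class): it also
    offloads hashing and the public-key operation used for validation."""

    OFFLOADS = {"private_op", "hash", "public_op"}

    def hash(self, data: bytes) -> int:
        self.log.append("hash")
        return sha256_int(data)

    def public_op(self, sig: int) -> int:
        self.log.append("public_op")
        e, n = self.public
        return pow(sig, e, n)


def _hash(hsm, data: bytes, cpu_log: list) -> int:
    if "hash" in hsm.OFFLOADS:
        return hsm.hash(data)
    cpu_log.append("hash")
    return sha256_int(data)


def sign(hsm, rrset: bytes, cpu_log: list) -> int:
    """Hash the data, then apply the private key to the hash."""
    return hsm.private_op(_hash(hsm, rrset, cpu_log))


def verify(hsm, rrset: bytes, sig: int, cpu_log: list) -> bool:
    """Recover the hash with the public key, re-hash the data, compare."""
    if "public_op" in hsm.OFFLOADS:
        recovered = hsm.public_op(sig)
    else:
        cpu_log.append("public_op")
        e, n = hsm.public
        recovered = pow(sig, e, n)
    return recovered == _hash(hsm, rrset, cpu_log)


def sign_and_validate(hsm, rrset: bytes):
    """dnssec-signzone style: sign, then validate the fresh signature.
    Returns (valid, {"hsm": [...], "cpu": [...]}) showing the work split."""
    cpu_log = []
    sig = sign(hsm, rrset, cpu_log)
    ok = verify(hsm, rrset, sig, cpu_log)
    return ok, {"hsm": list(hsm.log), "cpu": cpu_log}


if __name__ == "__main__":
    rr = b"example. 3600 IN A 192.0.2.1"  # constructed RRset bytes
    for token in (SignOnlyHSM(D, N), AcceleratorHSM(D, N)):
        print(type(token).__name__, sign_and_validate(token, rr))
```

With the sign-only token the log shows one private-key operation on the module against two hashes and one public-key operation on the CPU; with the accelerator token all four steps land on the module. For one zone signing pass the visible difference is only where the cheap hashing and validation work runs, which is the point of the question above.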