Re: [OpenCA-Devel] New ERACOM HSM

Fri, 08 Jul 2005 03:03:54 -0700 

Michael Bell wrote:
[...]
If you tested the 0.9.2 version with and without the hardware token then you can commit but please write a notice to the developerlist because we have to verify that nCipher and Luna still work. 

Yes, yes... :-D


I see no problem with the patch of the OpenCA::OpenSSL module (I think 
you do not mean Token::OpenSSL). Until now every new HSM required some 
small changes in OpenCA::OpenSSL because every vendor use another detail 
of the OpenSSL engine interface. If ERACOM works then commit it, so that 
everyone can test it.



BTW can you add some small notices to guide/admin/token.xml or mail me 
the notes as normal text. A good documentation prevents a lot of questions.


And it is needed... I will submit all the code and the docs in the next
days when I'll have time to perform final tests... I was waiting for the
docs to be re-organised and my work to be finished :-D

I have one problem though. I still have errors if I set the HW to FIPS140-2
mode probably because no public crypto (unauthenticated to the partition) is
allowed, therefore I need to set the auth on all operations either if them
do not imply the usage of the CA's private key... I could use the ENV::
approach on the token.xml for the OpenSSL but, in this way, the CA's passwd
would be stored in clear on the file... could we add a new keyword that
specify for the token that a pwd is to be used for every operations ?
For example:

        <name>require_auth</name>
        <value>yes</value>

Therefore if the require_auth option is set to yes a sort of login-like
password may be asked. This is different from the CA's key.

Another patch I am thinking about to extend compatibility with future HSM
is to provide special parameters for token. This will help to pass additional
params to the ENGINE. For example we could use something like:

        <option>
                <name>engine_opt</name>
                <value>-hwkey 0/CA</value>
        </option>

these options will be added after the '-engine XXX' extension.

What do you think ???

--

Best Regards,

        Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]      [EMAIL PROTECTED]
                                                 Tel.:   +39 (0)11  564 7081
http://security.polito.it                       Fax:    +39   178  270 2077
                                                 Mobile: +39 (0)347 7222 365

Politecnico di Torino (EuroPKI)
Certification Authority Informations:

Authority Access Point                                  http://ca.polito.it
Authority's Certificate:          http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List:              http://ca.polito.it/crl02/crl.crl
--o------------------------------------------------------------------------



Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature






















					Reply via email to