Hello, I just discovered SoftHSM and really like it. I was looking at the Requirements for version 2 [1] and would like to propose an additional option:
In my reasoning, a soft HSM that shares the CPU with other applications is much more vulnerable than one with a dedicated CPU. Therefore, it would be nice to be able to run SoftHSM on a dedicated machine whose only interface exposes PKCS#11 functionality over the network. If the dedicated machine is locked away reasonably well, it surely lacks the tamper-evidence/resistance of real HSMs, but with the right procedures (and a nice locked box), it would probably be a good enough solution for many uses where a SoftHSM on the same machine is insufficient, and a real HSM is too costly.

One way of achieving this would be via a simple PKCS#11 proxy that forwards serialized calls over Ethernet to the dedicated host of the SoftHSM. In the context of GnuTLS, Alon Bar-Lev has proposed just this [1] but I don't know whether that was implemented (I doubt it).

Another project with very similar objectives to SoftHSM, LSM-PKCS11 [3], foresees the serialization of PKCS#11 calls over the network. Some doc and architecture figures can be found here [4].

Let me know whether this sounds interesting.

kind regards
-bud

[1] http://trac.opendnssec.org/wiki/SoftHSM/Requirements
[2] http://lists.gnupg.org/pipermail/gnutls-dev/2007-April/001502.html
[3] http://www.clizio.com/lsmpkcs11.html
[4] http://www.clizio.com/download/LSM-PKCS11.pdf
