[Freeipa-devel] DNSSEC design page

Jan Cholasta jcholast at redhat.com
Tue Feb 25 15:00:36 UTC 2014


On 25.2.2014 15:48, Ludwig Krispenz wrote:
>
> On 02/25/2014 03:11 PM, Simo Sorce wrote:
>> On Tue, 2014-02-25 at 14:54 +0100, Ludwig Krispenz wrote:
>>>> Any reason why we should follow in detail what softhsm does ?
>>> because I didn't know what is really needed. If you want to have a
>>> pkcs11 module, which stores data in ldap, I thought it should have all the
>>> attributes potentially needed.
>>> Jan said that OpenDNSSEC uses CKA_VERIFY, CKA_ENCRYPT, CKA_WRAP,
>>> CKA_SIGN, CKA_DECRYPT, CKA_UNWRAP, CKA_SENSITIVE, CKA_PRIVATE,
>>> CKA_EXTRACTABLE,
>>> so there is at least one requirement for fine grained attributes.
>> Does OpenDNSSEC store them as separate entities and need access to them
>> independently ?
> It's all individual records in the attribute table in the sql database,
> don't know what the access pattern is.
>> Or is this internal use that can be satisfied by unpacking a blob in
>> OpenDNSSEC ?
>>
>> What does bind9 use ? Petr, can you provide example key files ?
>>
>> Simo.
>>
>

Both OpenDNSSEC and BIND use PKCS#11 directly, so no blob unpacking.

IMO key material (modulus, exponents, etc.) should be stored in a blob, 
but metadata (such as the CKAs above) should be in separate attributes 
(for starters, I don't think there is a way to encode them in PKCS#8, so 
we would have to invent our own blob type for private keys).

-- 
Jan Cholasta
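As an added example (not code from this thread, FreeIPA or OpenDNSSEC), the following models the split Jan proposes: the key material as one unencrypted PKCS#8 blob, and the nine PKCS#11 Booleans listed above as separate LDAP attributes. The LDAP attribute names (exampleKey*), the minimal DER helpers and the placeholder privateKey bytes are assumptions, not FreeIPA schema.

```python
import base64
# The nine CKA_* Booleans named in the thread; every LDAP attribute name used here is hypothetical.
CKA_FLAGS = "VERIFY ENCRYPT WRAP SIGN DECRYPT UNWRAP SENSITIVE PRIVATE EXTRACTABLE".split()
CKA_TO_LDAP = {"CKA_" + f: "exampleKey" + f.capitalize() for f in CKA_FLAGS}  # e.g. exampleKeySign
BLOB_ATTR = "exampleKeyBlob"  # hypothetical attribute holding the PKCS#8 DER
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def der_tlv(tag, body):
    """Encode one DER TLV, using the long-form length for bodies of 128 bytes or more."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
def der_read(buf, pos):
    """Decode the TLV at buf[pos:], returning (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low bits give the number of length octets
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def build_pkcs8(private_key_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier rsaEncryption, privateKey OCTET STRING }."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, der_tlv(0x02, b"\x00") + alg + der_tlv(0x04, private_key_der))
def parse_pkcs8(der):
    """Return (OID, privateKey) of an unencrypted PKCS#8 blob; note it has no field for CKA_* flags."""
    tag, body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    ver_tag, version, pos = der_read(body, 0)
    _, alg, pos = der_read(body, pos)
    oid_tag, oid, _ = der_read(alg, 0)
    key_tag, key, _ = der_read(body, pos)
    if (ver_tag, version, oid_tag, key_tag) != (0x02, b"\x00", 0x06, 0x04):
        raise ValueError("not an unencrypted PrivateKeyInfo v0")
    return oid, key

def to_ldap_entry(pkcs8_der, template):
    """Map a PKCS#11 template onto an LDAP entry: one binary blob plus one Boolean per CKA flag."""
    parse_pkcs8(pkcs8_der)  # refuse blobs that are not PKCS#8 before storing them
    entry = {BLOB_ATTR: base64.b64encode(pkcs8_der).decode()}
    for flag, attr in CKA_TO_LDAP.items():
        entry[attr] = "TRUE" if template.get(flag, False) else "FALSE"  # LDAP Boolean syntax
    return entry

def from_ldap_entry(entry):
    """Reverse mapping: rebuild the PKCS#8 blob and the PKCS#11 Boolean template."""
    template = {flag: entry[attr] == "TRUE" for flag, attr in CKA_TO_LDAP.items()}
    return base64.b64decode(entry[BLOB_ATTR]), template
```

With a real RSAPrivateKey DER passed to build_pkcs8 the blob is what OpenSSL and PKCS#11 tooling already consume, while the usage flags remain individually searchable in the directory.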