[Freeipa-devel] DNSSEC design page

Petr Spacek pspacek at redhat.com
Tue Feb 25 14:59:50 UTC 2014


On 25.2.2014 15:11, Simo Sorce wrote:
> On Tue, 2014-02-25 at 14:54 +0100, Ludwig Krispenz wrote:
>>> Any reason why we should follow in detail what softshm does ?
>> because I didn't know what is really needed. If you want to have a
>> pkcs11
>> module, which stores data in ldap, I thought it should have all the
>> attributes potentially needed.
>> Jan said that OpenDNSSEC uses CKA_VERIFY, CKA_ENCRYPT, CKA_WRAP,
>> CKA_SIGN, CKA_DECRYPT, CKA_UNWRAP, CKA_SENSITIVE, CKA_PRIVATE,
>> CKA_EXTRACTABLE,
>> so there is at least one requirement for fine grained attributes.
>
> Does OpenDNSSEC store them as separate entities and need access to them
> independently ?
AFAIK OpenDNSSEC uses purely PKCS#11 for key manipulation, so the LDAP schema 
doesn't matter as long as our PKCS#11 module can derive all values defined by 
the standard.

Honza, you did investigate OpenDNSSEC integration, please add some details if 
you can.

> Or is this internal use that can be satisfied by unpacking a blob in
> OpenDNSSEC ?
>
> What does bind9 use? Petr, can you provide example key files?

Private+public keys stored in files:
https://www.redhat.com/archives/freeipa-devel/2014-February/msg00463.html

Private keys stored in HSM and public keys in files:
https://www.redhat.com/archives/freeipa-devel/2014-February/msg00333.html
(I.e. some values in the .private file are replaced by a PKCS#11 label.)

-- 
Petr^2 Spacek
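The distinction Petr draws above (a .private file that carries the RSA parameters versus one where the private part is replaced by a PKCS#11 label) is easy to check mechanically. The following is an added example, not code from this thread, FreeIPA or BIND. It assumes the BIND "Tag: value" layout of .private files and that keys generated with dnssec-keyfromlabel carry base64-encoded "Engine:" and "Label:" tags in place of the private RSA parameters; the two sample files and the label string are constructed for illustration and contain no real key material.

```python
"""Classify BIND9 .private key files: raw key material on disk vs. PKCS#11 reference.

Added example (not FreeIPA/BIND code). Assumptions: BIND writes "Tag: value"
lines; HSM-backed keys replace the RSA private parameters with base64-encoded
"Engine:" and "Label:" tags. Sample files below are constructed placeholders.
"""
import base64

# Tags that hold actual private-key material in a file-resident RSA key.
RSA_PRIVATE_TAGS = {
    "PrivateExponent", "Prime1", "Prime2",
    "Exponent1", "Exponent2", "Coefficient",
}


def _b64(s):
    """base64 helper used only to build the constructed samples."""
    return base64.b64encode(s.encode()).decode()


# Constructed sample: key material stored in the file (placeholder values, not a real key).
SAMPLE_FILE = "\n".join([
    "Private-key-format: v1.3",
    "Algorithm: 8 (RSASHA256)",
    "Modulus: AA==",
    "PublicExponent: AQAB",
    "PrivateExponent: AA==",
    "Prime1: AA==",
    "Prime2: AA==",
    "Exponent1: AA==",
    "Exponent2: AA==",
    "Coefficient: AA==",
    "Created: 20140225120000",
])

# Constructed sample: private key lives in an HSM, file carries only engine + label.
# The label string format is an assumption (OpenSSL pkcs11 engine style).
SAMPLE_HSM = "\n".join([
    "Private-key-format: v1.3",
    "Algorithm: 8 (RSASHA256)",
    "Engine: " + _b64("pkcs11\n"),
    "Label: " + _b64("pkcs11:token=ipa-dnssec;object=zsk-example"),
    "Created: 20140225120000",
])


def parse_private_file(text):
    """Parse 'Tag: value' lines into a dict; first occurrence of a tag wins."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        fields.setdefault(tag.strip(), value.strip())
    return fields


def classify_key(text):
    """Return ("hsm", engine, label) when the private key is referenced by a
    PKCS#11 label, ("file", None, None) when private parameters sit on disk.
    A file that has both, or neither, is rejected: the former means key
    material leaked next to the label, the latter is not a usable key."""
    f = parse_private_file(text)
    if not f.get("Private-key-format", "").startswith("v1."):
        raise ValueError("not a BIND private-key file")
    has_material = bool(RSA_PRIVATE_TAGS & f.keys())
    has_label = "Label" in f
    if has_material and has_label:
        raise ValueError("file carries both a PKCS#11 label and raw private material")
    if has_label:
        # Engine and Label are stored base64-encoded (assumption, see docstring).
        engine = base64.b64decode(f.get("Engine", "")).decode().strip()
        label = base64.b64decode(f["Label"]).decode().strip()
        return "hsm", engine, label
    if has_material:
        return "file", None, None
    raise ValueError("no private material and no PKCS#11 label")


if __name__ == "__main__":
    for name, sample in (("file-resident", SAMPLE_FILE), ("hsm-backed", SAMPLE_HSM)):
        print(name, "->", classify_key(sample))
```

Run over a key directory, `classify_key` gives a quick audit of which zones still have private material on disk and which only reference a token; the "both" case is worth treating as a finding rather than ignoring, since a label-based key should never coexist with exported parameters.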