  1. OpenDNSSEC Pivotal History
  2. ODSPTHIST-418

Do not require public keys in libhsm


    Details

    • Type: New Feature
    • Status: Started
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 61 : 9 Aug
    • Labels:

      Description

      When a key-pair is generated by OpenDNSSEC, we should discard the public key object. There are several reasons to do this:

      • The private key object contains all the information you need on a key, including the public components (CKA_PUBLIC_EXPONENT, CKA_MODULUS). The public key object is only there to facilitate extraction of public key
        material without having to log in to a token.
      • Some HSMs limit the number of objects you can store on them as a licensing model (e.g. SafeNet HSMs), and USB tokens can certainly only
        store a very limited number of objects, so not storing the public key object has a big benefit in both these cases.
      • Currently, libhsm searches for the whole key-pair, finding both the public and the private key object and matching them up. Cutting out the public key object would improve this because you no longer have to search for it.
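
The first point above, as an added example that is not code from libhsm or from this issue: the two attributes named there are enough to build the RSA DNSKEY RDATA (RFC 3110) and its key tag (RFC 4034 Appendix B), so no public key object is needed. The function names, the flags/algorithm values (257, 8) and the sample bytes are assumptions made for illustration; with a real token the two buffers would come from `C_GetAttributeValue` on the private key object after login.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values (not a real key). With PKCS#11 these would be read
 * from the CKO_PRIVATE_KEY object via C_GetAttributeValue. */
static const uint8_t SAMPLE_EXP[] = {0x00, 0x01, 0x00, 0x01};       /* CKA_PUBLIC_EXPONENT */
static const uint8_t SAMPLE_MOD[] = {0x00, 0xC3, 0x5A, 0x11, 0x07}; /* CKA_MODULUS */

/* PKCS#11 big integers may carry leading zero bytes; RFC 3110 forbids them. */
static const uint8_t *strip_zeros(const uint8_t *p, size_t *len) {
    while (*len > 0 && *p == 0) { p++; (*len)--; }
    return p;
}

/* Write DNSKEY RDATA (flags, protocol 3, algorithm, RFC 3110 RSA key) into out.
 * Returns the number of bytes written, or 0 on invalid input or short buffer. */
size_t rsa_dnskey_rdata(uint16_t flags, uint8_t alg,
                        const uint8_t *exp, size_t exp_len,
                        const uint8_t *mod, size_t mod_len,
                        uint8_t *out, size_t cap) {
    size_t n = 0, hdr;
    exp = strip_zeros(exp, &exp_len);
    mod = strip_zeros(mod, &mod_len);
    if (exp_len == 0 || mod_len == 0 || exp_len > 0xFFFF) return 0;
    hdr = exp_len <= 255 ? 1 : 3;            /* 1-byte or 0x00 + 2-byte length */
    if (4 + hdr + exp_len + mod_len > cap) return 0;
    out[n++] = (uint8_t)(flags >> 8); out[n++] = (uint8_t)flags;
    out[n++] = 3; out[n++] = alg;
    if (hdr == 3) { out[n++] = 0; out[n++] = (uint8_t)(exp_len >> 8); }
    out[n++] = (uint8_t)exp_len;
    memcpy(out + n, exp, exp_len); n += exp_len;
    memcpy(out + n, mod, mod_len); n += mod_len;
    return n;
}

/* Key tag over the RDATA, RFC 4034 Appendix B. */
uint16_t dnskey_keytag(const uint8_t *rdata, size_t len) {
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    ac += (ac >> 16) & 0xFFFF;
    return (uint16_t)(ac & 0xFFFF);
}

int main(void) {
    uint8_t rdata[64];
    size_t n = rsa_dnskey_rdata(257, 8, SAMPLE_EXP, sizeof SAMPLE_EXP,
                                SAMPLE_MOD, sizeof SAMPLE_MOD, rdata, sizeof rdata);
    printf("rdata length %zu, key tag %u\n", n, (unsigned)dnskey_keytag(rdata, n));
    return 0;
}
```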

            People

            Assignee:
            jakob Jakob Schlyter
            Reporter:
            rickard Rickard Bellgrim