Chapter 4: Smartcards > Considerations and caveats - Pg. 58

Note that if the server ID includes a large Notes key pair (1024+ bit), we do not recommend shifting the private key portion to a conventional smartcard (a technique discussed in 4.3.3, "Shift a large Notes key to smartcard" on page 56), because this severely slows the many cryptographic operations that need the key (such as Notes client authentication and database decryption). We do not recommend shifting the key unless it is to a cryptographic accelerator.

Domino and cryptographic accelerators (SSL)

Lotus extended Notes and Domino 7 to support cryptographic accelerator products featuring a PKCS #11 interface. Cryptographic accelerators have conventionally been used to alleviate the severe performance penalty involved with SSL-encrypted network traffic. Optimized to execute cryptographic operations and loaded with parallel microprocessors, these products boost scalability under heavy loads of encrypted traffic. Historically, Domino provided no direct support for these devices. This changes with Domino 7, which brings support for multithreaded, multiconnection stream cryptography and for storing and accessing SSL private keys on PKCS #11-compliant devices. The Domino proprietary *.kyr key ring file format continues to be used in its SSL implementation, but Domino 7 now supports indirect access of the X.509 private key portion, similar to the private key indirection discussed earlier in regard to Notes IDs. However, no user interface has yet been provided to shift a key ring file's private key to PKCS #11 interfaced storage. Instead, for the time being, the Notes C API function SECManipulateSC() (see 4.4.1, "Notes C API support" on page 57) has been extended with the operation code SC_manip_PushKyrKey, meaning that a short, simple Notes C API program must be written to prepare a server's key ring and ID files for private key indirection.
As alluded to earlier, if the server's ID is based on a large Notes key pair, the private key portion can be shifted to the accelerator's PKCS #11 interfaced storage, thus benefiting server-based cryptographic operations involving that key (client authentication and database