Posted to dev@santuario.apache.org by paul <pp...@yahoo.com> on 2012/03/15 22:05:06 UTC

signing using a network device and timeouts

If I sign an xml doc using a filesystem cert, then errors like timeouts and 
server not found are not an issue, but I'm starting to look at an architecture 
where a locked down network device (net hsm) holds the private key. In this 
case the keystore is initialized with a special provider name. For this flow a 
network roundtrip happens during signing and errors could occur. Is there 
any way to specify things like timeouts? Or is this hidden in the provider code 
and only exposed through exceptions?

thanks,
Paul.


Re: signing using a network device and timeouts

Posted by Arshad Noor <ar...@strongauth.com>.
While I cannot speak for the innards of santuario too much, parameters
related to cryptographic hardware modules are provider-specific details.
Every hardware vendor has parameters that work only with their provider
library.  Cryptographic application libraries - like santuario - only
pass through these details and report in exceptions what the hardware
provider reports.

You can always configure the HSM to log its communications with the
XMLSignature library in detail while you're developing/debugging your
application code.  Once done, you can ramp down the logging to suit
your operational needs.

Arshad Noor
StrongAuth, Inc.

On 03/15/2012 02:05 PM, paul wrote:
>
> If I sign an xml doc using a filesystem cert, then errors like timeouts and
> server not found are not an issue, but I'm starting to look at an architecture
> where a locked down network device (net hsm) holds the private key. In this
> case the keystore is initialized with a special provider name. For this flow a
> network roundtrip happens during signing and errors could occur. Is there
> any way to specify things like timeouts? Or is this hidden in the provider code
> and only exposed through exceptions?
>
> thanks,
> Paul.
>
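Added example (not from the thread, and not Santuario's or any HSM vendor's code) of how an application can still bound the signing call itself when, as Arshad says, the provider exposes no timeout knob: run the sign operation on a worker thread and wait on it with a deadline, then unwrap whatever exception the provider raised. It uses the standard JSR 105 API (javax.xml.crypto.dsig), which the JDK ships and which Santuario also implements, so it runs with a plain JDK; the same wrapper applies unchanged around Santuario's own org.apache.xml.security.signature.XMLSignature.sign(PrivateKey). The provider name "MyHsmProvider", the SigningTimeoutException class and the sample XML are assumptions constructed for the example; the in-memory RSA key only stands in for the HSM-held key so the code runs offline.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.time.Duration;
import java.util.Collections;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class DeadlineSigner {

    /** Assumed helper: raised when the provider has not answered within the caller's deadline. */
    public static final class SigningTimeoutException extends Exception {
        SigningTimeoutException(String msg) { super(msg); }
    }

    /** Enveloped RSA-SHA256 signature over the document root, via the JSR 105 DOM mechanism. */
    static void sign(Document doc, PrivateKey key, PublicKey pub) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        XMLSignature sig = fac.newXMLSignature(si,
                kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(pub))));
        // This is the call that performs the network round trip when `key` lives in a net HSM.
        sig.sign(new DOMSignContext(key, doc.getDocumentElement()));
    }

    /** Same as sign(), but the caller stops waiting after `deadline` regardless of the provider. */
    public static void signWithDeadline(Document doc, PrivateKey key, PublicKey pub, Duration deadline)
            throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "xmldsig-signer");
            t.setDaemon(true); // a hung HSM call must not keep the JVM alive
            return t;
        });
        try {
            Future<Void> job = worker.submit(() -> { sign(doc, key, pub); return null; });
            job.get(deadline.toMillis(), TimeUnit.MILLISECONDS);
        } catch (TimeoutException te) {
            throw new SigningTimeoutException("signing provider did not answer within " + deadline);
        } catch (ExecutionException ee) {
            // Surface the provider's own exception (e.g. ProviderException from a PKCS#11 library).
            Throwable cause = ee.getCause();
            if (cause instanceof ProviderException) throw (ProviderException) cause;
            if (cause instanceof Exception) throw (Exception) cause;
            throw ee;
        } finally {
            worker.shutdownNow(); // interrupts the worker; a provider blocked in native I/O may ignore it
        }
    }

    public static void main(String[] args) throws Exception {
        // With a real net HSM the key would come from the vendor provider (name assumed), e.g.
        //   KeyStore ks = KeyStore.getInstance("PKCS11", "MyHsmProvider"); ks.load(null, pin);
        //   PrivateKey key = (PrivateKey) ks.getKey("signing-key", pin);
        // Constructed stand-in so this runs offline: a fresh software RSA key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for XML-DSig processing
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(
                "<order><item>widget</item></order>".getBytes(StandardCharsets.UTF_8))); // constructed sample

        signWithDeadline(doc, kp.getPrivate(), kp.getPublic(), Duration.ofSeconds(5));
        int sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").getLength();
        System.out.println("Signature elements after signing: " + sigs);
    }
}
```

Two caveats worth keeping in mind with this pattern. A deadline only stops the caller waiting; the HSM may still complete the operation after the timeout, so a retry can produce two signatures with the same key, which matters if the device enforces key-usage counters or audit policy. And whether shutdownNow() actually frees the worker thread depends on the provider honouring thread interruption, so monitor thread counts under fault injection (unplug the HSM, block its port) rather than assuming it does.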