Replies: 1 comment
SignServer is not caching any signature input (the thing you want to have signed) or the signature output (that we get from the cryptographic device). Even if you send the same data to be signed multiple times, it would be sent by SignServer to the cryptographic interface every time. In theory, if you use a deterministic signature algorithm and provide the same data every time, so that the signature output is always the same, then a cache could make sense to implement. The HSM driver could in theory be "clever" and do something like that and not bother the HSM if it has seen the same data, but I would doubt it. I would double-check how you determine that the HSM is not being called.
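To make the reply's distinction between deterministic and randomized signature algorithms concrete, and to give a client-side way of probing a signer, here is an added Go example. It is not SignServer code and not from the reply's author; it stands in a local software key for the SignServer worker and HSM, which is an assumption made only so that it runs offline. The probe submits the same message several times and reports whether every signature verifies and whether all of them are byte-identical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// Signer wraps whatever performs the signature. In the real setup this would be
// a SignServer worker (and behind it the HSM); here it is a local software key,
// an assumption made only so the probe runs offline.
type Signer struct {
	Name   string
	Sign   func(msg []byte) ([]byte, error)
	Verify func(msg, sig []byte) bool
}

// NewEd25519Signer returns a deterministic signer: the same key and message
// always produce the same signature bytes, so repeated output proves nothing
// about whether the signing device was actually called.
func NewEd25519Signer() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{
		Name:   "Ed25519 (deterministic)",
		Sign:   func(msg []byte) ([]byte, error) { return ed25519.Sign(priv, msg), nil },
		Verify: func(msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) },
	}, nil
}

// NewECDSASigner returns a randomized signer: ECDSA draws a fresh nonce per
// signature, so signing the same message twice yields different bytes that
// both verify. Identical bytes from such a signer would indicate a cache.
func NewECDSASigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{
		Name: "ECDSA P-256/SHA-256 (randomized)",
		Sign: func(msg []byte) ([]byte, error) {
			h := sha256.Sum256(msg)
			return ecdsa.SignASN1(rand.Reader, priv, h[:])
		},
		Verify: func(msg, sig []byte) bool {
			h := sha256.Sum256(msg)
			return ecdsa.VerifyASN1(&priv.PublicKey, h[:], sig)
		},
	}, nil
}

// ProbeRepeatedSigning submits the same message n times and reports whether
// every returned signature verifies and whether all of them are byte-identical.
func ProbeRepeatedSigning(s *Signer, msg []byte, n int) (allValid, allIdentical bool, err error) {
	sigs := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		sig, serr := s.Sign(msg)
		if serr != nil {
			return false, false, serr
		}
		sigs = append(sigs, sig)
	}
	allValid, allIdentical = true, true
	for _, sig := range sigs {
		if !s.Verify(msg, sig) {
			allValid = false
		}
		if !bytes.Equal(sig, sigs[0]) {
			allIdentical = false
		}
	}
	return allValid, allIdentical, nil
}

func main() {
	msg := []byte("constructed sample document to be signed") // constructed input
	for _, mk := range []func() (*Signer, error){NewEd25519Signer, NewECDSASigner} {
		s, err := mk()
		if err != nil {
			log.Fatal(err)
		}
		valid, identical, err := ProbeRepeatedSigning(s, msg, 3)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%-34s all valid: %v, all identical: %v\n", s.Name, valid, identical)
	}
}
```

How to read the result: with a randomized algorithm, differing signatures per request show that a signing operation with fresh randomness ran each time, although not which component ran it; identical signatures from a randomized algorithm would point at a cache somewhere in the path. With a deterministic algorithm (Ed25519, RSA PKCS#1 v1.5, ECDSA with RFC 6979 nonces), identical outputs are expected and say nothing either way. The authoritative check is on the HSM side, its audit log or operation counters, which is the "double-check how you determine that the HSM is not being called" point in the reply above.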
I’m using the SignServer Community Edition and have observed that the HSM is not being called for every signing request. Despite this, the signed data is still returned correctly to the client.
Could someone clarify what mechanism SignServer uses in this scenario? Is it caching key handles, using session-based signing, or applying some other optimization?
Additionally, is this behavior considered secure and aligned with best practices for cryptographic key usage?