On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling <rob.stradl...@comodo.com> wrote: > On 04/10/16 13:18, Nick Lamb wrote: >> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: >>> Neither. I'd like to run cablint over all certs pre-issuance, but >>> unfortunately it's not practical to do this yet because 1) cablint is >>> too slow and 2) there are some differences of opinion that have been >>> discussed at CABForum but not yet resolved. >> >> Can you expand on what "too slow" would mean here? Or does it tread too much >> on specific commercial performance criteria you don't want to talk about? > > Running cablint means firing up the Ruby interpreter, then fork/exec'ing > a separate executable umpteen times. IIRC, last time I checked, crt.sh > was only managing to cablint ~10 certs per second. (Prior to that, > before I'd figured out a way to avoid having to take the "firing up the > Ruby interpreter" hit again and again for every single cert, it was only > managing to cablint ~3 certs per second).
cablint could be much faster if the asn1 code could be moved in process. Doing so requires someone who can work in C and has some experience building Ruby extensions. This change would avoid the many many fork/exec calls during a single certificate lint. If anyone is willing to volunteer, I can provide more detail. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy