Dave,

Yes, I did some benchmarks many years ago when I worked on the CRL cache.
I was using a 26 MB CRL, and it was about 1 million revoked certs I believe.

The RAM usage is significant, I think you can count on about 4-6x the size of the CRL. A CRL of that size may be OK on today's machines. But a gigabyte CRL would probably consume 4GB+ of RAM. It would require a 64-bit box, 64-bit app, and lots of RAM. This may be achievable for some server apps. Definitely not for client apps.

Other than RAM, the other limiting factors in terms of performance for CRLs are:

1) transfer time. I was using a CRL stored in cert8.db at the time.
Even with the fastest hard disks today, effective read speed won't be more than 100 MB/s. So you are talking about at minimum 10 seconds. And if you are transferring the entire CRL from the network... Well, let's just say it could be much longer. On an average 1.5 mbit/s connection your CRL will take about 2 hours to transfer. :)

2) ASN.1 decoding time. That's one thing I did a lot of work on also. I don't have any CRL that large to tell you how long it would take on a current machine.

Once the CRL is transferred, decoded, and cached in RAM, provided you haven't run out of RAM and your machine is not swapping, the lookup time is then a fixed time - it's a couple of hash table lookups, regardless of the CRL size.

dave davesons wrote:
Hi again,

Does anyone know of any benchmarks regarding the size of CRLs versus performance? Or how large CRLs are supported at most?

2009/3/12 dave davesons <dave.daves...@gmail.com>

    Hi,

    thanks for the clarification. BTW: OCSP is available in Belgium. But
    we like to have a fallback....

    2009/3/12 Nelson B Bolyard <nel...@bolyard.me>

        dave ("Mike") davesons wrote, On 2009-03-11 08:52:

         > In our organization we use NSS to validate CRLs of the Belgian Government.
         > In a few months it is expected that these CRLs will grow exponentially.
         > It will be necessary to download many gigabytes of CRLs each day.

        So, you see this problem coming in advance.  That's good.  Maybe someone
        should be looking into how this revocation problem can be solved without
        gigabytes of CRLs, like OCSP for example.

         > Therefore, delta CRL seem to become necessary.
         > Is there already any progress on the delta CRLs?
         >
         > kind regards,
         > Mike

        No, there are no plans for delta CRLs.
        --
        dev-tech-crypto mailing list
        dev-tech-crypto@lists.mozilla.org
        https://lists.mozilla.org/listinfo/dev-tech-crypto

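The decode-once-then-hash-lookup flow the reply at the top describes, as an added example that is not from this thread or from NSS: a minimal DER walker pulls the revokedCertificates serials out of a CertificateList (RFC 5280) into a Python set, so each revocation check is a single hash lookup however long the list is. The CRL is constructed inline and unsigned, and all helper names (`build_sample_crl`, `revoked_serials`, etc.) are assumptions for this example.

```python
# Added example: decode a DER CRL's revoked serials once, then check membership in O(1).
def _der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _int(v):
    """DER INTEGER for v >= 0; a 0x00 pad keeps the top bit clear."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def build_sample_crl(serials):
    """Constructed, unsigned CertificateList listing `serials` as revoked (sample input only)."""
    time = _tlv(0x17, b"090312000000Z")                                   # UTCTime
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, b"Sample CA"))))
    entries = b"".join(_tlv(0x30, _int(s) + time) for s in serials)       # SEQUENCE { serial, revocationDate }
    tbs = _tlv(0x30, _int(1) + alg + issuer + time + time + _tlv(0x30, entries))  # version 2 (value 1)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))                     # signatureValue left empty: no key here

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def revoked_serials(crl_der):
    """Walk CertificateList -> TBSCertList -> revokedCertificates; return the serials as a set."""
    fields = _children(_children(_read_tlv(crl_der, 0)[1])[0][1])
    i = (1 if fields[0][0] == 0x02 else 0) + 3      # skip optional version, signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                      # optional nextUpdate
    if i >= len(fields) or fields[i][0] != 0x30:    # list absent, or only crlExtensions [0] remains
        return set()
    return {int.from_bytes(_children(e)[0][1], "big", signed=True) for _, e in _children(fields[i][1])}
```

After `index = revoked_serials(crl)`, a check is just `serial in index`; the cost that scales with CRL size is the one-time decode and the memory the set occupies, not the lookup.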
