Jean-Marc Desperrier wrote:
> Duane wrote:
>
>> The gain is in the potential to notice revocations sooner with OCSP. A CRL
>> might have a 7 day TTL/cache time-out; in 7 days a lot of "issues" can
>> arise, so being able to check OCSP hourly or even more often has the
>> potential to notify you that something is amiss much sooner...
>
>
> If you follow the discussion, Ram says we'll have a *bandwidth* issue
> with CRL.

I've been looking into our usage, and there are up to 6 static IPs downloading our CRL (approx. 173k), at times up to a couple of times a minute. So far this month, between the 6 IPs, that 173k file has generated 861 Megs of traffic... 1 IP alone has done almost 400 Mbytes; the rest are averaging about 25-50 Mbytes...

The browser string sent to the website causing the most hits is "CryptRetrieveObjectByUrl::InetSchemeProvider", which I'm still looking into to find out what application is causing it...

While this isn't an issue at this stage, obviously if we had 1000s of IPs generating 400 Mbytes of traffic each (in 13 days), I can now see how CRLs could be a problem...

-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
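The per-IP and per-User-Agent accounting Duane describes above can be scripted from the web server's access log. The following is an added example, not code from the thread or from CAcert; it assumes an Apache/nginx "combined" log format, a CRL served at the hypothetical path /revoke.crl, and constructed sample log lines sized like a ~173k CRL.

```python
import re
from collections import defaultdict

# Assumption: the CA's web server writes the standard "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def crl_traffic(log_lines, crl_path="/revoke.crl"):
    """Aggregate CRL download traffic per client IP and per User-Agent.

    Returns (per_ip, per_ua); each maps key -> {"hits": n, "bytes": total}.
    Only GETs for the CRL path with status 200 or 304 are counted. A 304
    (conditional GET answered "not modified") is a hit that transfers no body,
    which is what a well-behaved, cache-aware CRL fetcher should mostly produce.
    """
    per_ip = defaultdict(lambda: {"hits": 0, "bytes": 0})
    per_ua = defaultdict(lambda: {"hits": 0, "bytes": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != crl_path or m["method"] != "GET":
            continue
        if m["status"] not in ("200", "304"):
            continue
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        for table, key in ((per_ip, m["ip"]), (per_ua, m["ua"])):
            table[key]["hits"] += 1
            table[key]["bytes"] += size
    return dict(per_ip), dict(per_ua)

# Constructed sample lines (documentation IP ranges), not real CAcert logs.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Jan/2005:10:00:01 +1100] "GET /revoke.crl HTTP/1.1" 200 173000 "-" "CryptRetrieveObjectByUrl::InetSchemeProvider"
198.51.100.10 - - [12/Jan/2005:10:00:31 +1100] "GET /revoke.crl HTTP/1.1" 200 173000 "-" "CryptRetrieveObjectByUrl::InetSchemeProvider"
203.0.113.7 - - [12/Jan/2005:10:05:00 +1100] "GET /revoke.crl HTTP/1.1" 200 173000 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20041107 Firefox/1.0"
203.0.113.7 - - [12/Jan/2005:11:05:00 +1100] "GET /revoke.crl HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20041107 Firefox/1.0"
203.0.113.9 - - [12/Jan/2005:10:06:00 +1100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def report(log_text=SAMPLE_LOG):
    """Rank client IPs by bytes pulled; the top entries are the chatty fetchers to investigate."""
    per_ip, per_ua = crl_traffic(log_text.splitlines())
    ranked = sorted(per_ip.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return ranked, per_ua

if __name__ == "__main__":
    ranked, per_ua = report()
    for ip, s in ranked:
        print(f"{ip:16} {s['hits']:5} hits {s['bytes'] / 1e6:8.3f} MB")
    for ua, s in per_ua.items():
        print(f"{s['hits']:5} hits  {ua}")
```

Feeding the real log through `crl_traffic` (instead of `SAMPLE_LOG`) shows whether a client re-fetches the full file every time (all 200s) or honours caching (mostly 304s), which is the difference between the 400 Mbytes case and a negligible one.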
