Massimiliano Pala wrote:
> 
> Bruce Stephens wrote:
> 
> > I haven't tested.  I'd guess index.txt would cause some things to slow
> > performance (but possibly not---I'm assuming there are linear searches
> > around).  The public keys seem to be kept in separate files in a
> > directory: however they get used, that's going to cause some problems
> > on some filesystems.
> >
> > However, I'd guess the current design is probably fine for, say, 10000
> > certificates.  Specific applications might find the scalability a
> > problem, but for most purposes it's fine.
> 
> I have tested it with 500.000 certificates and gave me no problems, but
> our question is about 5/10 Millions of certificates. What about file
> system capabilities (let's say for UNiX systems like Linux/SunOS/FreeBSD/
> etc... ) ???
> 
> Someone has ever got to think about similar problems ???
> 

index.txt is stored in an in-memory database: the extended memory
requirements may cause problems if huge numbers of certificates are used.

When the database is changed the whole thing is written to disk: again
potential problems of corruption.

Additional problems can arise if you store copies of certificates in the
same directory: a few million files in a directory is not advisable!

'ca' was not initially meant to be used for a full-blown CA; it was just
a demo.

I've often considered using some kind of database for certificates. One
problem is getting something that compiles on all platforms.

In the longer term it might be better if things like req, ca, x509
functionality was exposed to something like perl which could make things
a bit friendlier.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
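
The reply above notes that index.txt is held in memory, rewritten whole on every change, and that "some kind of database" has been considered. As an added illustration (not OpenSSL code, and not from the thread), this sketch loads index.txt-style records into SQLite so that a lookup uses an index and a revocation rewrites one row inside a transaction. The choice of SQLite, the table layout, and the function names are assumptions; the sample records are constructed.

```python
import sqlite3

# Constructed sample in the tab-separated layout 'openssl ca' uses for index.txt:
# status, expiry, revocation date, serial (hex), file name, subject DN.
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/C=XX/O=Example/CN=alice.example\n"
    "R\t300101000000Z\t250601120000Z\t02\tunknown\t/C=XX/O=Example/CN=bob.example\n"
    "V\t300101000000Z\t\t0A\tunknown\t/C=XX/O=Example/CN=carol.example\n"
)

# serial is the primary key, so lookups use an index instead of a linear scan.
SCHEMA = ("CREATE TABLE certs (serial TEXT PRIMARY KEY, status TEXT NOT NULL, "
          "expires TEXT NOT NULL, revoked TEXT, subject TEXT NOT NULL)")

def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def import_index(conn, text):
    """Load index.txt content; a malformed line aborts before anything is written."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expires, revoked, serial, _fname, subject = fields
        rows.append((serial.upper(), status, expires, revoked or None, subject))
    with conn:  # one transaction: all rows are committed or none are
        conn.executemany("INSERT INTO certs VALUES (?, ?, ?, ?, ?)", rows)
    return len(rows)

def revoke(conn, serial, when):
    """Mark one valid certificate revoked; only that row is rewritten."""
    with conn:
        cur = conn.execute(
            "UPDATE certs SET status = 'R', revoked = ? WHERE serial = ? AND status = 'V'",
            (when, serial.upper()))
    return cur.rowcount == 1

def lookup(conn, serial):
    return conn.execute(
        "SELECT status, expires, revoked, subject FROM certs WHERE serial = ?",
        (serial.upper(),)).fetchone()
```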
