Re: delta crl support

Hi, thanks for the clarification.

BTW: OCSP is available in Belgium. But we would like to have a fallback.

2009/3/12 Nelson B Bolyard nel...@bolyard.me

> dave (Mike) davesons wrote, On 2009-03-11 08:52:
>
> > In our organization we use nss to validate CRLs of the Belgian Government.
> > In a few months it is expected that these CRLs will grow exponentially.
> > It will be necessary to download many gigabytes of CRLs each day.
>
> So, you see this problem coming in advance. That's good.
> Maybe someone should be looking into how this revocation problem can be
> solved without gigabytes of CRLs, like OCSP for example.
>
> > Therefore, delta CRLs seem to become necessary. Is there already any
> > progress on the delta CRLs?
> >
> > kind regards,
> > Mike
>
> No, there are no plans for delta CRLs.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: delta crl support

Hi again,

Does anyone know of any benchmarks regarding the size of CRLs towards performance? Or how large a CRL is supported at most?

2009/3/12 dave davesons dave.daves...@gmail.com

> Hi, thanks for the clarification.
>
> BTW: OCSP is available in Belgium. But we would like to have a fallback.
>
> 2009/3/12 Nelson B Bolyard nel...@bolyard.me
>
> > dave (Mike) davesons wrote, On 2009-03-11 08:52:
> >
> > > In our organization we use nss to validate CRLs of the Belgian Government.
> > > In a few months it is expected that these CRLs will grow exponentially.
> > > It will be necessary to download many gigabytes of CRLs each day.
> >
> > So, you see this problem coming in advance. That's good.
> > Maybe someone should be looking into how this revocation problem can be
> > solved without gigabytes of CRLs, like OCSP for example.
> >
> > > Therefore, delta CRLs seem to become necessary. Is there already any
> > > progress on the delta CRLs?
> > >
> > > kind regards,
> > > Mike
> >
> > No, there are no plans for delta CRLs.
Re: delta crl support

Dave,

Yes, I did some benchmarks many years ago when I worked on the CRL cache. I was using a 26 MB CRL, and it was about 1 million revoked certs, I believe.

The RAM usage is significant; I think you can count on about 4-6x the size of the CRL. A CRL of that size may be OK on today's machines. But a gigabyte CRL would probably consume 4GB+ of RAM. It would require a 64-bit box, 64-bit app, and lots of RAM. This may be achievable for some server apps. Definitely not for client apps.

Other than RAM, the other limiting factors in terms of performance for CRLs are:

1) transfer time. I was using a CRL stored in cert8.db at the time. Even with the fastest hard disks today, effective read speed won't be more than 100 MB/s. So you are talking about at minimum 10 seconds. And if you are transferring the entire CRL from the network... Well, let's just say it could be much longer. On an average 1.5 mbit/s connection your CRL will take about 2 hours to transfer. :)

2) ASN.1 decoding time. That's one thing I did a lot of work on also. I don't have any CRL as large to tell you how long it would take on a current machine.

Once the CRL is transferred, decoded, and cached in RAM, provided you haven't run out of RAM and your machine is not swapping, the lookup time is then a fixed time - it's a couple of hash table lookups, regardless of the CRL size.

dave davesons wrote:

> Hi again,
>
> Does anyone know of any benchmarks regarding the size of CRLs towards performance? Or how large a CRL is supported at most?
>
> 2009/3/12 dave davesons dave.daves...@gmail.com
>
> > Hi, thanks for the clarification.
> >
> > BTW: OCSP is available in Belgium. But we would like to have a fallback.
> >
> > 2009/3/12 Nelson B Bolyard nel...@bolyard.me
> >
> > > dave (Mike) davesons wrote, On 2009-03-11 08:52:
> > >
> > > > In our organization we use nss to validate CRLs of the Belgian Government.
> > > > In a few months it is expected that these CRLs will grow exponentially.
> > > > It will be necessary to download many gigabytes of CRLs each day.
> > >
> > > So, you see this problem coming in advance. That's good.
> > > Maybe someone should be looking into how this revocation problem can be
> > > solved without gigabytes of CRLs, like OCSP for example.
> > >
> > > > Therefore, delta CRLs seem to become necessary. Is there already any
> > > > progress on the delta CRLs?
> > > >
> > > > kind regards,
> > > > Mike
> > >
> > > No, there are no plans for delta CRLs.
RE: delta crl support

Dear,

In our organization we use nss to validate CRLs of the Belgian Government. In a few months it is expected that these CRLs will grow exponentially. It will be necessary to download many gigabytes of CRLs each day.
Therefore, delta CRLs seem to become necessary. Is there already any progress on the delta CRLs?

kind regards,
Mike

> sg4all wrote, On 2008-12-22 06:46:
>
> > Dear all,
> >
> > does the current version of nss already support delta crls?
>
> No. Presently, no version of NSS supports delta CRLs. There are no definite
> plans to do so, at this time. It has been on the wish list for a long time.
>
> > I can only find old information about this. Where can I find up-to-date
> > info about such information?
>
> It may be that the information you found, while old, is nonetheless current.
Re: delta crl support

dave (Mike) davesons wrote, On 2009-03-11 08:52:

> In our organization we use nss to validate CRLs of the Belgian Government.
> In a few months it is expected that these CRLs will grow exponentially.
> It will be necessary to download many gigabytes of CRLs each day.

So, you see this problem coming in advance. That's good.
Maybe someone should be looking into how this revocation problem can be
solved without gigabytes of CRLs, like OCSP for example.

> Therefore, delta CRLs seem to become necessary. Is there already any
> progress on the delta CRLs?
>
> kind regards,
> Mike

No, there are no plans for delta CRLs.
Re: delta crl support

On 03/12/2009 04:04 AM, Nelson B Bolyard:

> > In our organization we use nss to validate CRLs of the Belgian Government.
> > In a few months it is expected that these CRLs will grow exponentially.
> > It will be necessary to download many gigabytes of CRLs each day.
>
> So, you see this problem coming in advance. That's good.
> Maybe someone should be looking into how this revocation problem can be
> solved without gigabytes of CRLs, like OCSP for example.

Or perhaps look into the reasons for the revocations? A gigabyte-sized CRL is about 8,000,000,000 revocations. Doesn't sound reasonable to me. There aren't that many world citizens, not speaking about certs...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
Re: delta crl support

On 03/12/2009 04:33 AM, Julien R Pierre - Sun Microsystems:

> No, it isn't. That would be true only if a CRL entry was a single bit. But a
> CRL entry contains the serial number, revocation date, reason code, and
> possibly other information. It's also ASN.1 encoded. A CRL entry is rarely
> less than about 25 bytes. A gigabyte CRL would represent about 40 million
> revocations.

Argg, yes. I went for 125 bytes per entry but multiplied instead of divided. Small difference :-)

Still, 40 million or even just 12.5 million revocations doesn't sound reasonable to me anywhere. Better not to issue certificates in the first place... In short, I've never heard of a CRL this size.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
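The two size arguments in this thread (Julien's "rarely less than about 25 bytes" per entry and "about 40 million revocations" per gigabyte, and his earlier point that transfer and ASN.1 decoding dominate while lookups are a couple of hash table probes) can be checked directly. The following is an added example, not NSS code and not anything the posters wrote: it hand-encodes RFC 5280 RevokedCertificate entries with a minimal DER encoder, decodes them back into a hash set, and does the transfer-time arithmetic. The serials and the revocation date are constructed for the illustration.

```python
"""Added example, not NSS code: what a CRL entry costs on the wire, why the
decoded CRL is a constant-time lookup, and the transfer-time arithmetic.
The DER encoder/decoder below is a minimal hand-written one that covers only
RFC 5280 RevokedCertificate entries; serials and dates are constructed."""
from datetime import datetime, timezone

CRL_REASON_OID = b"\x55\x1d\x15"  # id-ce-cRLReasons, 2.5.29.21
SAMPLE_DATE = datetime(2009, 3, 11, 8, 52, 0, tzinfo=timezone.utc)  # constructed


# --- minimal DER encoding ---------------------------------------------------
def der_length(n):
    """Length octets: short form below 128, long form (0x80|N then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    return bytes([tag]) + der_length(len(payload)) + payload


def der_integer(value):
    """Non-negative INTEGER; a leading 0x00 is added when the high bit is set."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def der_utctime(t):
    """UTCTime YYMMDDHHMMSSZ, the form RFC 5280 requires for dates before 2050."""
    return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def der_reason_ext(reason):
    """crlEntryExtensions: SEQUENCE OF Extension carrying one cRLReasons ENUMERATED."""
    ext = der_tlv(0x06, CRL_REASON_OID) + der_tlv(0x04, der_tlv(0x0A, bytes([reason])))
    return der_tlv(0x30, der_tlv(0x30, ext))


def encode_entry(serial, when, reason=None):
    """RevokedCertificate ::= SEQUENCE { userCertificate, revocationDate,
    crlEntryExtensions OPTIONAL }"""
    body = der_integer(serial) + der_utctime(when)
    if reason is not None:
        body += der_reason_ext(reason)
    return der_tlv(0x30, body)


def encode_entry_list(entries):
    """revokedCertificates ::= SEQUENCE OF RevokedCertificate"""
    return der_tlv(0x30, b"".join(encode_entry(*e) for e in entries))


# --- minimal DER decoding, just enough to index serials -----------------------
def der_read(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def index_serials(encoded_list):
    """Decode a SEQUENCE OF RevokedCertificate into a hash set of serials.
    Once this set exists, `serial in revoked` is O(1) whatever the CRL size:
    the cost is paid in decoding time and RAM, not per lookup."""
    tag, seq, _ = der_read(encoded_list, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    revoked, pos = set(), 0
    while pos < len(seq):
        _, entry, pos = der_read(seq, pos)
        _, serial_bytes, _ = der_read(entry, 0)  # userCertificate is the first element
        revoked.add(int.from_bytes(serial_bytes, "big", signed=True))
    return revoked


# --- the arithmetic from the thread --------------------------------------------
def entries_per_crl(crl_bytes, bytes_per_entry):
    return crl_bytes // bytes_per_entry


def transfer_seconds(crl_bytes, bits_per_second):
    return crl_bytes * 8 / bits_per_second


def sample_sizes():
    """Constructed entries: a 16-byte serial with the high bit set plus a
    reason code, and a 4-byte serial with no extensions."""
    big = encode_entry((0xF0 << 120) | 0x1234, SAMPLE_DATE, 1)  # 1 = keyCompromise
    small = encode_entry(0x01020304, SAMPLE_DATE)
    return {"big": len(big), "small": len(small)}


def sample_index():
    entries = [(0x01020304, SAMPLE_DATE, None),
               ((0xF0 << 120) | 0x1234, SAMPLE_DATE, 1),
               (42, SAMPLE_DATE, 4)]  # 4 = superseded
    return index_serials(encode_entry_list(entries))


if __name__ == "__main__":
    print(sample_sizes())                        # {'big': 50, 'small': 23}
    print(42 in sample_index(), 7 in sample_index())
    gb = 10**9
    print(entries_per_crl(gb, 25))               # 40000000
    print(transfer_seconds(gb, 100 * 8 * 10**6), transfer_seconds(gb, 1.5 * 10**6))
```

Even the smallest realistic entry (a 4-byte serial and no extensions) comes to 23 bytes, and one with a random 16-byte serial and a reason code to 50, so the 25-byte floor and the 40-million-entries-per-gigabyte figure hold. The transfer numbers reproduce the thread's 10 seconds at 100 MB/s and roughly 5,300 seconds (about an hour and a half) at 1.5 Mbit/s; the in-memory index is several times the wire size because each serial becomes a Python int inside a hash set, which is the same multiplication Julien describes for the NSS cache.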
delta crl support

Dear all,

does the current version of nss already support delta crls? I can only find old information about this. Where can I find up-to-date info about such information?

thanks
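For readers who, like the poster, need delta CRLs to avoid re-downloading a complete CRL: the client-side processing is small. The following is an added example, not NSS code and not any CA's code, of how a relying party combines a complete CRL with a delta CRL as RFC 5280 sections 5.2.4 and 6.3.3 describe it: the delta's BaseCRLNumber fixes which complete CRLs it may be applied to, ordinary delta entries add or update revocations, and an entry whose reason is removeFromCRL (used only in delta CRLs, for a lifted hold or an expired certificate) drops the serial. CRLs are modelled as plain dicts; the issuer name, CRL numbers and serials are constructed.

```python
"""Added example (not NSS code, not any CA's code): combining a complete CRL
with a delta CRL under RFC 5280 sections 5.2.4 and 6.3.3. CRLs are plain
dicts; issuer names, CRL numbers and serials are constructed."""

REMOVE_FROM_CRL = 8   # CRLReason removeFromCRL, only valid in delta CRLs (RFC 5280 5.3.1)
CERTIFICATE_HOLD = 6
KEY_COMPROMISE = 1


def can_apply(complete, delta):
    """RFC 5280 5.2.4 combination rules: same issuer (scope is assumed equal
    here), complete CRL number >= the delta's BaseCRLNumber, and complete CRL
    number < the delta's own CRL number (the delta follows it in sequence)."""
    return (complete["issuer"] == delta["issuer"]
            and delta["base_crl_number"] <= complete["crl_number"] < delta["crl_number"])


def apply_delta(complete, delta):
    """Return a new complete CRL. Delta entries are added or updated, except
    that removeFromCRL entries drop the serial from the list entirely."""
    if not can_apply(complete, delta):
        raise ValueError("delta CRL %d does not apply to complete CRL %d"
                         % (delta["crl_number"], complete["crl_number"]))
    revoked = dict(complete["revoked"])  # serial -> reason code
    for serial, reason in delta["revoked"].items():
        if reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)
        else:
            revoked[serial] = reason
    return {"issuer": complete["issuer"], "crl_number": delta["crl_number"],
            "revoked": revoked}


def is_revoked(crl, serial):
    return serial in crl["revoked"]


# Constructed sample: a three-entry base, and a delta that lifts one hold
# and adds one new revocation. STALE_BASE predates the delta's base and
# must be rejected rather than silently combined.
BASE = {"issuer": "CN=Example CA", "crl_number": 100,
        "revoked": {1001: KEY_COMPROMISE, 1002: CERTIFICATE_HOLD, 1005: KEY_COMPROMISE}}
DELTA = {"issuer": "CN=Example CA", "crl_number": 103, "base_crl_number": 100,
         "revoked": {1002: REMOVE_FROM_CRL, 1003: KEY_COMPROMISE}}
STALE_BASE = dict(BASE, crl_number=99)


def merged():
    return apply_delta(BASE, DELTA)


if __name__ == "__main__":
    crl = merged()
    print(crl["crl_number"], sorted(crl["revoked"]))      # 103 [1001, 1003, 1005]
    print(is_revoked(crl, 1002), is_revoked(crl, 1003))   # False True
    print(can_apply(STALE_BASE, DELTA))                   # False
```

The applicability check matters as much as the merge: a delta applied to a base older than its BaseCRLNumber would miss revocations that the CA already folded into the base, so a conforming client refuses the combination and fetches a newer complete CRL instead. Signature verification of both CRLs, and the check that the delta's Delta CRL Indicator extension is present and critical, are assumed to have happened before this step.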