Eddy,

Eddy Nigg wrote:
> On 03/12/2009 04:04 AM, Nelson B Bolyard:
>>> In our organization we use nss to validate CRLs of the Belgian
>>> Government.
>>> In a few months it is expected that these CRLs will grow exponentially.
>>> It will be necessary to download many gigabytes of CRLs each day.
>>
>> So, you see this problem coming in advance. That's good. Maybe someone
>> should be looking into how this revocation problem can be solved without
>> gigabytes of CRLs, like OCSP for example.
>
> Or perhaps look into the reasons for the revocations? A gigabyte-sized
> CRL is about 8,000,000,000 revocations. Doesn't sound reasonable to me.
> There aren't that many world citizens, not speaking about certs...

No, it isn't. That would be true only if a CRL entry was a single bit.
But a CRL entry contains the serial number, revocation date, reason
code, and possibly other information. It's also ASN.1 encoded. A CRL
entry is rarely less than about 25 bytes. A gigabyte CRL would represent
about 40 million revocations.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
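The sizing argument in the reply above (serial number, revocation date and reason code, DER-encoded, so tens of bytes per entry rather than one bit) as an added example that is not part of the thread: a small hand-rolled DER encoder for a single X.509 `revokedCertificates` entry, measuring how big such entries actually are. The serials, dates and reason codes are constructed sample values, not real CA data.

```python
from typing import Optional

# id-ce-cRLReasons (2.5.29.21), the CRL entry extension that carries the reason code
CRL_REASON_OID = bytes.fromhex("551d15")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER; a leading 0x00 keeps a high-bit serial positive."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def crl_entry(serial: int, revocation_utc: str, reason: Optional[int] = None) -> bytes:
    """One revokedCertificates element:
    SEQUENCE { userCertificate INTEGER, revocationDate UTCTime, crlEntryExtensions OPTIONAL }."""
    content = der_integer(serial) + der_tlv(0x17, revocation_utc.encode("ascii"))  # UTCTime "YYMMDDHHMMSSZ"
    if reason is not None:
        reason_enum = der_tlv(0x0A, bytes([reason]))              # ENUMERATED CRLReason
        extension = der_tlv(0x30, der_tlv(0x06, CRL_REASON_OID)   # Extension SEQUENCE { extnID,
                            + der_tlv(0x04, reason_enum))         #   extnValue OCTET STRING }
        content += der_tlv(0x30, extension)                       # Extensions SEQUENCE
    return der_tlv(0x30, content)


def entries_per_gigabyte(entry_len: int) -> int:
    """How many entries of a given size fit in 10**9 bytes (the thread's "gigabyte")."""
    return 10**9 // entry_len


if __name__ == "__main__":
    # Constructed sample values; the date is the thread's own 2009-03-12 04:04 UTC.
    small = crl_entry(1, "090312040400Z")                         # tiny serial, no reason code
    typical = crl_entry(0x1234567890ABCDEF, "090312040400Z", 1)   # 8-byte serial, keyCompromise
    random_serial = crl_entry(2**127 + 5, "090312040400Z", 1)     # 16-byte random serial
    for name, entry in ("small", small), ("typical", typical), ("random", random_serial):
        print(f"{name:8s} {len(entry):3d} bytes -> {entries_per_gigabyte(len(entry)):,} entries/GB")
```

Even the smallest possible entry is 20 bytes, and one with a realistic serial and a reason code is 41 to 50 bytes, which is why a gigabyte CRL holds tens of millions of revocations, not billions.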