Re: Is it worth accepting multiple CRLs?

Greetings,

* Kyotaro Horiguchi (horikyota(dot)ntt(at)gmail(dot)com) wrote:
> At Mon, 03 Aug 2020 16:20:40 +0900 (JST), Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> wrote in
> > Thanks for the opinion. I'll continue working on this.
>
> This is it, but..

Thanks!

> Looking closer I realized that certificates are verified in each
> backend so CRL cache doesn't work at all for the hashed directory
> method. Therefore, all CRL files relevant to a certificate to be
> verfied are loaded every time a backend starts.
>
> The only advantage of this is avoiding irrelevant CRLs from being
> loaded in exchange of loading relevant CRLs at every session
> start. Session startup gets slower by many delta CRLs from the same
> CA.
>
> Seems far from promising.

I agree that it's not ideal, but I don't know that this is a reason to
not move forward with this feature..?

We could certainly have a later patch which improves this in some way
(though exactly how isn't clear... if we move the CRL loading into
postmaster then we'd have to load *all* of them, and then we'd still
need to check if they've changed since we loaded them, and presumably
have some way to signal the postmaster to update its set from time to
time..), but that can be a future effort.

I took a quick look through the patch and it seemed pretty straight
forward to me and a good improvement.

Would love to hear other thoughts. I hope you'll submit this for the
September CF and ping me when you do and I'll see if I can get it
committed.

Thanks!

Stephen