On Aug 7, 2014, at 9:47 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:

> http://dev.chromium.org/Home/chromium-security/crlsets says:
> "The limit of the CRLSet size is 250KB"
> 
> Have Mozilla decided what the maximum OneCRL size will be?

No, we haven't.  

The need for a limit largely depends on whether we cover EE certificates.  If 
we cover only intermediate CAs, of which there are roughly 1,800, then there is 
no size issue -- we can include the full SHA-256 digest of every CA certificate 
and only come to around 56KB.  (Or just use a 1800-bit bitmap!)

If we choose to cover EE certificates (as CRLSets do), then we will have to 
impose a size limit.  In some initial experiments in representing CRLs with 
Golomb compressed encoding, we've been able to get down to roughly N bits per 
entry for 2^-N false positive rate.  Since we'll still have OCSP as a 
fall-back, we can tolerate a high failure rate, maybe as high as 0.5% (2^-9).  
At that rate, a 250KB limit would fit around 220,000 CRL entries.  So we would 
need to do some experimentation to see how that capacity compares to the size 
of CRLs in the wild.

--Richard 


> 
> On 01/08/14 03:07, Richard Barnes wrote:
>> Hi all,
>> 
>> We in the Mozilla PKI team have been discussing ways to improve revocation 
>> checking in our PKI stack, consolidating a bunch of ideas from earlier work 
>> [1][2] and some maybe-new-ish ideas.  I've just pressed "save" on a new wiki 
>> page with our initial plan:
>> 
>> https://wiki.mozilla.org/CA:RevocationPlan
>> 
>> It would be really helpful if people could review and provide feedback on 
>> this plan.
>> 
>> There's one major open issue highlighted in the wiki page.  We're planning 
>> to adopt a centralized revocation list model for CA certificates, which 
>> we're calling OneCRL.  (Conceptually similar to Chrome's CRLsets.)  In 
>> addition to covering CA certificates, we're also considering covering some 
>> end-entity (EE) certificates with OneCRL too.  But there are some drawbacks 
>> to this approach, so it's not certain that we will include this in the final 
>> plan.  Feedback on this point would be especially valuable.
>> 
>> Thanks a lot,
>> --Richard
>> 
>> [1] https://wiki.mozilla.org/CA:ImprovingRevocation
>> [2] https://www.imperialviolet.org/2012/02/05/crlsets.html
> 
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
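Worked illustration of the Golomb-compressed encoding trade-off discussed in the message above (N bits per entry for a 2^-N false-positive rate, and how many entries a 250KB budget holds). This is an added example in Python, not Mozilla's OneCRL code or the experiment Richard describes; the entry key format (issuer name plus serial), the SHA-256-to-bucket mapping, the Rice parameter P = 9, and the constructed serial numbers are all assumptions of the example.

```python
"""Golomb-coded set (GCS) sketch of a revocation list.

Added example (not Mozilla/OneCRL code).  A GCS stores sorted hashed
values by Golomb-Rice coding the gaps between them; with parameter P the
false-positive rate is about 2**-P and the cost is about P + 1.6 bits per
entry (P remainder bits plus a unary-coded quotient).
"""
import bisect
import hashlib
import random


def entry_key(issuer: bytes, serial: bytes) -> bytes:
    """Canonical bytes for one revoked certificate.  The (issuer, serial)
    layout is an assumption of this example, not a OneCRL format."""
    return len(issuer).to_bytes(2, "big") + issuer + serial


def gcs_hash(key: bytes, n: int, p: int) -> int:
    """Map a key uniformly into [0, n * 2**p) via SHA-256 (assumed hash)."""
    h = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return (h * (n << p)) >> 64


def gcs_encode(keys, p: int) -> bytes:
    """Sort the hashed values and Golomb-Rice code the gaps, MSB first."""
    n = len(keys)
    values = sorted(gcs_hash(k, n, p) for k in keys)
    out, acc, nbits = bytearray(), 0, 0

    def put(value: int, width: int) -> None:
        nonlocal acc, nbits
        acc = (acc << width) | value
        nbits += width
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
        acc &= (1 << nbits) - 1

    prev = 0
    for v in values:
        delta, prev = v - prev, v
        q, r = delta >> p, delta & ((1 << p) - 1)
        put(((1 << q) - 1) << 1, q + 1)  # quotient: q one-bits then a zero
        put(r, p)                        # remainder: p raw bits
    if nbits:
        put(0, 8 - nbits)                # pad to a byte; decoder stops after n
    return bytes(out)


def gcs_decode(data: bytes, n: int, p: int) -> list:
    """Recover the n sorted hashed values from the encoded stream."""
    pos, prev, values = 0, 0, []

    def bit() -> int:
        nonlocal pos
        b = (data[pos >> 3] >> (7 - (pos & 7))) & 1
        pos += 1
        return b

    for _ in range(n):
        q = 0
        while bit() == 1:
            q += 1
        r = 0
        for _ in range(p):
            r = (r << 1) | bit()
        prev += (q << p) | r
        values.append(prev)
    return values


def gcs_contains(values: list, n: int, p: int, key: bytes) -> bool:
    """Membership test on the decoded (sorted) values; ~2**-p false positives,
    never a false negative.  A miss here is definitive, a hit still needs a
    fall-back check (e.g. OCSP) to confirm."""
    target = gcs_hash(key, n, p)
    i = bisect.bisect_left(values, target)
    return i < len(values) and values[i] == target


def entries_that_fit(limit_bytes: int, bits_per_entry: float) -> int:
    return int(limit_bytes * 8 // bits_per_entry)


def demo(n: int = 5000, p: int = 9, probes: int = 20000, seed: int = 1) -> dict:
    """Build a set of n constructed revoked serials and measure size and error."""
    rng = random.Random(seed)
    serial = lambda: rng.getrandbits(64).to_bytes(8, "big")
    revoked = [entry_key(b"CN=Example Issuing CA", serial()) for _ in range(n)]
    data = gcs_encode(revoked, p)
    values = gcs_decode(data, n, p)
    false_negatives = sum(not gcs_contains(values, n, p, k) for k in revoked)
    # probe with certificates that are NOT in the set to measure false positives
    hits = sum(gcs_contains(values, n, p, entry_key(b"CN=Other CA", serial()))
               for _ in range(probes))
    bpe = len(data) * 8 / n
    return {
        "bits_per_entry": bpe,
        "false_negatives": false_negatives,
        "false_positive_rate": hits / probes,
        "entries_in_250KB": entries_that_fit(250 * 1024, bpe),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows about 10.6 bits per entry at P = 9, not 9: Rice coding spends roughly 1.6 extra bits per entry on the unary quotient, so a 250KB budget holds on the order of 190,000 entries at a measured false-positive rate near 2^-9. Any "N bits per entry" figure is therefore an approximation, and the real capacity depends on the gap statistics of the hashed values, which is exactly the experiment the message above says would be needed.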
