On 04/10/16 19:39, Peter Bowen wrote:
> On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling <[email protected]>
> wrote:
>> On 04/10/16 13:18, Nick Lamb wrote:
>>> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote:
>>>> Neither. I'd like to run cablint over all certs pre-issuance, but
>>>> unfortunately it's not practical to do this yet because 1) cablint is
>>>> too slow and 2) there are some differences of opinion that have been
>>>> discussed at CABForum but not yet resolved.
>>>
>>> Can you expand on what "too slow" would mean here? Or does it tread too
>>> much on specific commercial performance criteria you don't want to talk
>>> about?
>>
>> Running cablint means firing up the Ruby interpreter, then fork/exec'ing
>> a separate executable umpteen times. IIRC, last time I checked, crt.sh
>> was only managing to cablint ~10 certs per second. (Prior to that,
>> before I'd figured out a way to avoid having to take the "firing up the
>> Ruby interpreter" hit again and again for every single cert, it was only
>> managing to cablint ~3 certs per second).
>
> cablint could be much faster if the asn1 code could be moved in
> process. Doing so requires someone who can work in C and has some
> experience building Ruby extensions. This change would avoid the many
> many fork/exec calls during a single certificate lint.
>
> If anyone is willing to volunteer, I can provide more detail.

Woo! Matt Palmer accepted the challenge...

https://github.com/awslabs/certlint/pull/38

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

