On Sun, Aug 13, 2017 at 5:59 PM, Matt Palmer via dev-security-policy <[email protected]> wrote:
> On Fri, Aug 11, 2017 at 06:32:11PM +0200, Kurt Roeckx via dev-security-policy
> wrote:
>> On Fri, Aug 11, 2017 at 11:48:50AM -0400, Ryan Sleevi via
>> dev-security-policy wrote:
>> >
>> > Could you expand on what you mean by "cablint breaks" or "won't complete in
>> > a timely fashion"? That doesn't match my understanding of what it is or how
>> > it's written, so perhaps I'm misunderstanding what you're proposing?
>>
>> My understanding is that it used to be very slow for crt.sh, but
>> that something was done to speed it up. I don't know if that change
>> was something crt.sh specific. I think it was changed to not
>> always restart, but have a process that checks multiple
>> certificates.
>
> I suspect you're referring to the problem of certlint calling out to an
> external program to do ASN.1 validation, which was fixed in
> https://github.com/awslabs/certlint/pull/38. I believe the feedback from
> Rob was that it did, indeed, do Very Good Things to certlint performance.

I just benchmarked the current cablint code, using 2000 certs from CT as a sample. On a single thread of an Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz, it processes 394.5 certificates per second. This is 2.53ms per certificate or 1.4 million certificates per hour.

Thank you Matt for that patch! This was a _massive_ improvement over the old design.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

