Jean-Marc Desperrier wrote:

But the interesting part is that the CRL that generated so much trouble is only 7 652 bytes in size.
The part where it becomes truly interesting is that when I test a sample OCSP status request on ocsp.openvalidation.org, the size of the answer is 2 937 bytes. That's only a 2.6 gain ratio.

There are some situations where OCSP is clearly more favorable.
If you download the full 700 Kb SSL server cert CRL every day, and in fact only connect to two or three SSL servers in the day, or sometimes none, OCSP is clearly a big gain.

Consider that (at least in the USA) most users are still on 56 kbits/s dialup modems, which typically peak well below 7 KBytes/second, so a 70 KB CRL adds 10 seconds to the download time of a page.

I have 4 CRLs that I've loaded and that Mozilla periodically updates for me.
Their sizes, at the moment, are
 16 KB
151 KB
339 KB
511 KB

and if we assume 6 KB/s those are ~ 2.5, 25, 56, and 85 second downloads
respectively.

Clearly OCSP isn't a big win with CRL sizes below 16KB, but above 16 KB
it starts to be a winner.

Now, perhaps we could put up a nice screen saying "please wait while we
update your CRLs", to make users feel a little better about those long
CRL downloads, but is that the right direction?

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto