On 08/14/09 08:08 AM, johansen at sun.com wrote:
> [Originally sent this to Darren, but forgot to CC PSARC-ext]
>
> Hi Darren,
>
> I got forwarded a pointer to this case that you filed. Thanks for
> taking the time to do this.
>
>> http://sac.eng/Archives/CaseLog/arc/PSARC/2009/430/20090811_darren.moffat
>
> I would recommend using the certificate directory approach instead of
> creating a single file with all certificates.
>
> The directory allows us to use a single PEM file per-certificate instead
> of having a huge PEM blob. The single PEM file consumes more memory,
> since the whole blob gets loaded into memory. If the directory is used,
> individual keys are loaded into memory instead.

I think one use case is to match all the certificates with the server's certificate, in the case of an https connection for example. Just curious: would it be more efficient to read the certificates from one single file than from a directory containing individual keys?

Thanks,
-Alfred

> Delivering a single blob also has implications for package delivery. If
> we use a directory, other packages can deliver certs to a common
> location, if needed. The blob approach blocks multiple party certificate
> delivery, and requires us to update the entire blob when one certificate
> changes. It would be more elegant to add/remove the affected files from
> a certificate directory.
>
> Since I had to solve this problem for pkg(5), I've already written code
> that can extract the certs from mozilla's nss library, or their CVS
> server, and then build a directory of certs with corresponding
> hash-value named symlinks. Feel free to use this code instead of
> writing more from scratch.
>
> Thanks,
>
> -j
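As an added illustration of the "directory of certs with hash-value named symlinks" layout referred to above (this is example code written for this page, not pkg(5)'s script or anything from the thread), the following populates such a directory: each certificate stays in its own PEM file and gets a symlink named after the OpenSSL subject-name hash, with a `.0`, `.1`, ... suffix to separate colliding hashes, which is what lets a verifier locate candidate issuers by hashing a subject rather than loading a whole bundle. It implements the OpenSSL 0.9.x-era hash (first four bytes of MD5 over the DER-encoded subject, read little-endian; later OpenSSL releases use a different SHA-1 based canonical hash) and, to stay self-contained, constructs a minimal DER subject by hand instead of parsing a real certificate; file names and the constructed PEM bodies are placeholders.

```python
import hashlib
import os
import struct


def der_name(common_name: str) -> bytes:
    """Build a minimal DER X.501 Name holding a single commonName attribute.

    Constructed test input: a real installer would take the subject bytes
    from a parsed certificate.  Single-byte DER lengths only (CN < 120 bytes).
    """
    cn = common_name.encode("utf-8")
    assert len(cn) < 120, "single-byte DER length form only"
    value = b"\x0c" + bytes([len(cn)]) + cn           # UTF8String
    oid_cn = b"\x06\x03\x55\x04\x03"                 # OID 2.5.4.3 (commonName)
    atv = oid_cn + value
    atv = b"\x30" + bytes([len(atv)]) + atv          # AttributeTypeAndValue SEQUENCE
    rdn = b"\x31" + bytes([len(atv)]) + atv          # RelativeDistinguishedName SET
    return b"\x30" + bytes([len(rdn)]) + rdn         # Name SEQUENCE


def subject_hash_old(der_subject: bytes) -> str:
    """OpenSSL 0.9.x X509_NAME_hash(): MD5 of the DER subject, first four
    bytes taken as a little-endian unsigned int, printed as 8 hex digits."""
    digest = hashlib.md5(der_subject).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def link_name(cert_dir: str, subject_hash: str) -> str:
    """Pick the next free <hash>.<n> name; n increments only on a collision,
    so two CAs whose subjects hash alike both remain reachable."""
    n = 0
    while os.path.lexists(os.path.join(cert_dir, "%s.%d" % (subject_hash, n))):
        n += 1
    return "%s.%d" % (subject_hash, n)


def install_cert(cert_dir: str, pem_file: str, pem_data: bytes,
                 der_subject: bytes) -> str:
    """Drop one PEM file into cert_dir and add the hash-named symlink that a
    by-subject lookup expects.  Returns the symlink name that was created.

    The link target is relative so the directory can be relocated as a unit.
    """
    os.makedirs(cert_dir, exist_ok=True)
    with open(os.path.join(cert_dir, pem_file), "wb") as f:
        f.write(pem_data)
    name = link_name(cert_dir, subject_hash_old(der_subject))
    os.symlink(pem_file, os.path.join(cert_dir, name))
    return name
```

Removing a single CA then means deleting its PEM file and its one symlink, with no rebuild of a shared blob.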