Greetings,

* Kyotaro Horiguchi (horikyota....@gmail.com) wrote:
> At Mon, 03 Aug 2020 16:20:40 +0900 (JST), Kyotaro Horiguchi
> <horikyota....@gmail.com> wrote in
> > Thanks for the opinion. I'll continue working on this.
>
> This is it, but..

Thanks!

> Looking closer I realized that certificates are verified in each
> backend so CRL cache doesn't work at all for the hashed directory
> method. Therefore, all CRL files relevant to a certificate to be
> verified are loaded every time a backend starts.
>
> The only advantage of this is avoiding irrelevant CRLs from being
> loaded in exchange for loading relevant CRLs at every session
> start. Session startup gets slower by many delta CRLs from the same
> CA.
>
> Seems far from promising.

I agree that it's not ideal, but I don't know that this is a reason to not move forward with this feature..?

We could certainly have a later patch which improves this in some way (though exactly how isn't clear... if we move the CRL loading into postmaster then we'd have to load *all* of them, and then we'd still need to check if they've changed since we loaded them, and presumably have some way to signal the postmaster to update its set from time to time..), but that can be a future effort.

I took a quick look through the patch and it seemed pretty straightforward to me and a good improvement. Would love to hear other thoughts.

I hope you'll submit this for the September CF and ping me when you do and I'll see if I can get it committed.

Thanks!

Stephen
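An added illustration of the trade-off discussed above, written for this thread and not code from the patch or from PostgreSQL: it models OpenSSL's hashed-directory CRL lookup (files named `<issuer-hash>.r0`, `.r1`, ... probed until one is missing) and counts file reads when every backend loads its relevant CRLs afresh versus when a postmaster-held cache keyed on mtime is shared across sessions. The issuer hashes and CRL contents are constructed placeholders, and the mtime-keyed cache is one hypothetical way to do the "check if they've changed" step, not anything the patch implements.

```python
import os
import tempfile

# Constructed placeholders: not real subject-name hashes or CRLs.
ISSUER_HASH = "ab12cd34"
OTHER_HASH = "ffee0011"

def make_crl_dir():
    """Build a temp dir laid out the way X509_LOOKUP_hash_dir expects (constructed data)."""
    d = tempfile.mkdtemp()
    for name, body in [(f"{ISSUER_HASH}.r0", b"base crl"),
                       (f"{ISSUER_HASH}.r1", b"delta crl 1"),
                       (f"{ISSUER_HASH}.r2", b"delta crl 2"),
                       (f"{OTHER_HASH}.r0", b"unrelated crl")]:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(body)
        os.utime(path, ns=(1_000_000_000, 1_000_000_000))  # fixed mtime for determinism
    return d

def hashed_crl_paths(crl_dir, issuer_hash):
    """Files the hash_dir lookup tries: <hash>.r0, .r1, ... stopping at the first gap."""
    paths, k = [], 0
    while True:
        p = os.path.join(crl_dir, f"{issuer_hash}.r{k}")
        if not os.path.exists(p):
            return paths
        paths.append(p)
        k += 1

class CrlCache:
    """Loads only the CRLs relevant to an issuer; re-reads a file only if its mtime changed."""
    def __init__(self, crl_dir):
        self.crl_dir, self.loaded, self.reads = crl_dir, {}, 0

    def crls_for_issuer(self, issuer_hash):
        out = []
        for p in hashed_crl_paths(self.crl_dir, issuer_hash):
            mtime = os.stat(p).st_mtime_ns
            if p not in self.loaded or self.loaded[p][0] != mtime:
                with open(p, "rb") as f:
                    self.loaded[p] = (mtime, f.read())
                self.reads += 1           # a real file read happened
            out.append(self.loaded[p][1])
        return out

def file_reads(crl_dir, sessions, shared_cache):
    """CRL file reads over `sessions` backend starts: fresh cache per backend, or one shared."""
    shared, total = CrlCache(crl_dir), 0
    for _ in range(sessions):
        cache = shared if shared_cache else CrlCache(crl_dir)
        cache.crls_for_issuer(ISSUER_HASH)
        total += 0 if shared_cache else cache.reads
    return shared.reads if shared_cache else total

def replace_crl(crl_dir, name, new_body):
    """Overwrite one CRL with a newer mtime, as a CA publishing a fresh delta would."""
    path = os.path.join(crl_dir, name)
    with open(path, "wb") as f:
        f.write(new_body)
    os.utime(path, ns=(2_000_000_000, 2_000_000_000))
```

With three CRL files for the issuer, five session starts cost 15 reads per-backend but 3 with the shared cache, and the shared cache re-reads exactly the one file whose mtime changed.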