CRL optimization: verify CRL signatures once, up-front. #81
This was referenced Jun 13, 2023
Closed
A suggestion from @djc in review of other work:
In #66 we've staged support for using Certificate Revocation Lists (CRLs) to make revocation decisions during path building.
The code in that branch performs CRL signature verification as part of verifying the signatures on the end-entity to trust anchor path that was found from path building: https://github.com/rustls/webpki/blob/8425fa3f54ab7a8790a572023910e5bc850f55cc/src/verify_cert.rs#L219C10-L222
This was done for a few reasons:
It will take some care to be able to meet this requirement outside the context of building and verifying the path used to validate an end entity certificate.
However, since signature validation is expensive and CRLs are loaded infrequently but consulted for revoked certificates frequently, it would be a nice optimization if we could perform signature validation once, up front, instead of per-access.
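To make the proposed shape concrete, here is an added illustration (not webpki code, and not the issue author's) of verifying a CRL's signature once at load time and then answering revocation queries from the already-verified structure. The `IssuerKey`, `RawCrl` and `VerifiedCrl` types and the `sign` function are hypothetical; `sign` is a hash stand-in for real ECDSA/RSA verification so the example runs with the standard library only.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashSet;
use std::hash::{Hash, Hasher};
use std::sync::atomic::{AtomicUsize, Ordering};

/// Counts signature checks so the up-front vs per-access cost is visible.
pub static SIG_CHECKS: AtomicUsize = AtomicUsize::new(0);

/// Stand-in for the CRL issuer's public key (constructed, not a real key).
pub struct IssuerKey(pub &'static str);

/// CRL as loaded from disk or the network: revoked serials plus signature.
pub struct RawCrl { pub revoked: Vec<u64>, pub signature: u64 }

/// A CRL whose signature has already been checked against its issuer.
/// Only this type answers revocation queries, so the check cannot be skipped.
pub struct VerifiedCrl { revoked: HashSet<u64> }

/// Toy "signature" over (key, revoked list). Stands in for asymmetric
/// signature verification in this example; it is NOT cryptographically sound.
pub fn sign(key: &IssuerKey, revoked: &[u64]) -> u64 {
    let mut h = DefaultHasher::new();
    key.0.hash(&mut h);
    revoked.hash(&mut h);
    h.finish()
}

fn verify_signature(key: &IssuerKey, crl: &RawCrl) -> bool {
    SIG_CHECKS.fetch_add(1, Ordering::SeqCst);
    sign(key, &crl.revoked) == crl.signature
}

impl VerifiedCrl {
    /// Verify once at load time; a bad signature is rejected here instead of
    /// being re-checked on every path validation that consults the CRL.
    pub fn load(raw: RawCrl, issuer: &IssuerKey) -> Result<Self, &'static str> {
        if !verify_signature(issuer, &raw) { return Err("bad CRL signature"); }
        Ok(Self { revoked: raw.revoked.into_iter().collect() })
    }
    /// Cheap per-access lookup: no signature work on this path.
    pub fn is_revoked(&self, serial: u64) -> bool { self.revoked.contains(&serial) }
}

fn main() {
    let issuer = IssuerKey("example-ca");
    let raw = RawCrl { revoked: vec![7, 42], signature: sign(&issuer, &[7, 42]) };
    let crl = VerifiedCrl::load(raw, &issuer).expect("constructed CRL verifies");
    let hits = (0..1000u64).filter(|s| crl.is_revoked(*s)).count();
    println!("{hits} revoked, {} signature checks", SIG_CHECKS.load(Ordering::SeqCst));
}
```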