CAcert Code Development list.

[Wytze van der Raay <wytze AT cacert.org>]

Hi Michael,

Op 24-12-2011 21:11, Michael Tänzer schreef:
> ... 
> The caching algorithm:
> The master server sends a signed response for all valid certs to all
> known slaves every 24 hours. To spread the load the certs should not be
> signed all at once just when the master is started but spread throughout
> the day. When the master server fails, the slaves can answer all
> requests for valid certs with the pre-signed response, requests for
> certs where the status are unknown may be responded with a protocol
> failure (not nice, but not worse than if the only OCSP server was down).
> 
> We currently have 82,807 valid certs in the system. For every valid cert
> we need to sign one response per 24 hours. Divided by 24 hours * 60
> Minutes this means that the OCSP server needs to sign ~58 responses per
> minute.

Thanks for detailing the calculation, now I understand what you are
proposing. While this would run fine with the current numbers, I'd
be extremely cautious with deploying a solution like that for real,
since it's utterly non-scalable. If CAcert happens to become a big hit
some time sooner or later, our OCSP system will fall down to pieces,
as it'll be pushing out signed responses continuously.
Anyway, this discussion is pretty academic for now, since we don't have
any software to implement such a caching scheme either.

Regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME cryptografische ondertekening