
cacert-devel - Re: Bug 1306 (Size of CRL)

Subject: CAcert Code Development list.

  • From: Karl-Heinz Gödderz <Devel AT GuKK-Online.de>
  • To: dirk astrath <dastrath AT gmx.de>, cacert-devel AT lists.cacert.org
  • Cc: Wytze van der Raay <wytze AT cacert.org>
  • Subject: Re: Bug 1306 (Size of CRL)
  • Date: Wed, 13 Jun 2018 13:48:57 +0200
  • Openpgp: preference=signencrypt

Hi Dirk,

I created a second version of the script that replaces the old version
of the index.txt file with the file that contains the records to be kept.

But there I need help with the command to stop and start the signer daemon.


Am 12.06.2018 um 13:28 schrieb dirk astrath:
> Hello,
>
> In the last days we did some changes on our testserver to reduce the
> size of the Certificate Revocation List:
>
> https://bugs.cacert.org/view.php?id=1306
>
> Up to June 2018 the CRL contained all certificates which had been
> revoked since the time the CA was started.
>
> On our testserver we now removed all certificates from the CRL, which
> expired more than 100 days ago.
>
> How is this done?
>
> All certificates created by a CA (in this case the testserver-CA) are
> listed in a textfile. A script will use this textfile to list all
> revoked Certificates and create a CRL.
>
> Now this script was used to create a new set of textfiles by stripping
> older certificates.
>
> This reduced the size of the CRLs on our testserver from >300k to less
> than 1k. As the size of the CRL on the productive system
> (www.cacert.org) is much bigger, we expect a similar change there.
>
> For a test this script was executed only once on our testserver ...
> there are plans to execute this script every time a new set of CRLs will
> be created (or by script once a week/month/... ).
>
> And ... there is the idea to create "stripped" CRLs accessible using the
> official link while the complete CRLs (as we have them today) are not
> accessible or accessible using another link you can then find in our wiki.
>
> Up to now there is no final decision (and therefore no final coding)
> done for this bug.
>
> Feel free to leave your comments here so this issue/bug can be closed soon.
>
> Many thanks ...
>
> Kind regards,
>
> dirk
> CAcert Software
>


Attachment: signature.asc
Description: OpenPGP digital signature
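
The pruning step discussed in this thread, as an added example that is not part of either mail and not CAcert's script. It assumes the text file is in the tab-separated OpenSSL `ca` index.txt layout, drops only revoked records whose certificate expired more than 100 days ago, and keeps every record it cannot parse; the function names and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=100)  # threshold from the mail: expired more than 100 days ago

# Constructed sample records: status, expiry, revocation[,reason], serial, file, subject
SAMPLE = [
    "R\t170101120000Z\t160501120000Z\t1A01\tunknown\t/CN=constructed-1.example\n",
    "R\t190101120000Z\t180101120000Z,keyCompromise\t1A02\tunknown\t/CN=constructed-2.example\n",
    "V\t160101120000Z\t\t1A03\tunknown\t/CN=constructed-3.example\n",
    "R\t180401120000Z\t171001120000Z\t1A04\tunknown\t/CN=constructed-4.example\n",
    "not a valid record\n",
]

def parse_asn1_time(text):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if not text.endswith("Z") or len(text) not in (13, 15):
        raise ValueError("unsupported time value: %r" % text)
    digits = text[:-1]
    if len(digits) == 12:
        # UTCTime century rule: 50-99 means 19xx, 00-49 means 20xx
        digits = ("19" if int(digits[:2]) >= 50 else "20") + digits
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def prune_index(lines, now):
    """Split index records into (kept, dropped) for a smaller CRL."""
    kept, dropped = [], []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        try:
            status, expiry = fields[0], parse_asn1_time(fields[1])
        except (IndexError, ValueError):
            kept.append(line)  # never silently drop a record we cannot read
            continue
        # A revoked certificate must stay listed until it has been expired
        # for longer than the grace period; valid records are left untouched.
        if status == "R" and expiry < now - GRACE:
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped

if __name__ == "__main__":
    now = datetime(2018, 6, 13, tzinfo=timezone.utc)
    kept, dropped = prune_index(SAMPLE, now)
    print("kept %d records, dropped %d" % (len(kept), len(dropped)))
    for line in dropped:
        print("dropped serial", line.split("\t")[3])
```

The function only computes the two sets; swapping the result in for the live file is left out because the thread does not give the commands for stopping and starting the signer.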



