EKR (ekr@rtfm.com)
19 Jan 1999 07:38:54 -0800
Bill Frantz <frantz@netcom.com> writes:
> If the problem is that it is slow to connect once a week when you log on to
> pay your bills, I don't think session caching with session IDs will help.
> What might help, particularly if you are verifying certificates on a
> relatively slow personal machine is what SPKI calls a certificate result
> certificate (CRC).
>
> A CRC is generated to collapse a chain of certificates. In the case of a
> browser, it could bypass many public key operations if it just saved the
> server's public key and the closest of the expiration dates in the
> certificate chain it used to verify the key. The only public key
> operations needed then would be those used to establish the session key.
I'd call this a validation cache, and I know that at least
one product (SPYRUS/Terisa) supports this (since I put it in
there.)
However, I doubt that this is a significant performance cost of
SSL. Remember that RSA public key verifications are very fast and that
most SSL server cert chains are only a cert or two long.
-Ekr
-- [Eric Rescorla ekr@rtfm.com]
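
The validation cache discussed in this message, as an added sketch that is not part of the original post and is not SPYRUS/Terisa code: it stores the server's public key with the earliest expiration date in the chain that verified it, and repeats full chain validation only on a miss or after that date. The `Cert` fields, `ValidationCache` and `toy_verify_chain` are hypothetical names, and the chain check is a constructed stand-in for real signature verification.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    der: bytes         # constructed stand-in for the encoded certificate
    public_key: bytes  # constructed stand-in for the subject public key
    not_after: int     # expiration as Unix time

class ValidationCache:
    def __init__(self, verify_chain):
        self._verify_chain = verify_chain  # full (expensive) chain validation
        self._entries = {}                 # SHA-256(leaf) -> (public_key, expires)
        self.full_validations = 0          # counts how often the slow path ran

    def server_key(self, chain, now):
        """Return the server key; validate the chain only on a miss or expiry."""
        leaf = chain[0]
        # Key on the exact leaf bytes so any different certificate is a miss.
        fp = hashlib.sha256(leaf.der).digest()
        hit = self._entries.get(fp)
        if hit is not None and now < hit[1]:
            return hit[0]
        self._entries.pop(fp, None)        # drop an expired entry
        self.full_validations += 1
        if not self._verify_chain(chain, now):
            raise ValueError("certificate chain failed validation")
        # The cached result is good only until the first certificate expires.
        expires = min(c.not_after for c in chain)
        self._entries[fp] = (leaf.public_key, expires)
        return leaf.public_key

    def clear(self):
        # Call when the trust store or revocation data changes: a cached
        # result does not notice a revoked certificate or a removed root.
        self._entries.clear()

def toy_verify_chain(chain, now):
    # Assumption: signature checks are omitted; only validity dates are tested.
    return all(now < c.not_after for c in chain)
```
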
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:04