letsencrypt / boulder

An ACME-based certificate authority, written in Go.
Mozilla Public License 2.0

Consider switching to base64 encoding for certificates and CSRs #5135

Open jsha opened 3 years ago

jsha commented 3 years ago

In #2131, we switched from base64 to hex logging for CSRs. That's because some clients exhibited an odd bug in CSR generation that was easily greppable from the hex-encoded CSR structure. We do the same with certificates, in the belief that we may someday want to do processing on log lines without decoding base64 for each line, just looking for specific substrings in hex. However, we haven't had to do that since 2016, and we can save some logging bytes by using base64.

This will require some tweaks to orphan-finder to recognize the new format.

aarongable commented 3 years ago

The first step here is analysis. We have two tradeoffs:

1) On the one hand, hex-encoding allows for grepping for certain DER substrings, but we haven't used that ability often (or maybe ever).
2) On the other hand, base64-encoding saves bytes.

The former is hard to quantify, but the latter is straightforward. The first step here should be an analysis that identifies where we use hex-encoding in our logs, how large those hex-encoded objects are (on average, total per day, something like that), and how many bytes we would save by base64 encoding instead.
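To make both sides of that trade-off concrete, here is an added Go example (not Boulder's own code) that computes the per-line character cost of hex versus padded base64 for a DER blob, and shows why grepping for a DER fragment is a plain substring search in hex but needs three alignment variants in base64. `SampleDER` is a constructed, DER-shaped byte string, not a real CSR.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"strings"
)

// SampleDER is a constructed, DER-shaped byte string (not a real CSR) containing the
// id-at-commonName OID (06 03 55 04 03) followed by a UTF8String tag, as a CSR would.
var SampleDER = append([]byte{
	0x30, 0x82, 0x01, 0x0a, 0x02, 0x01, 0x00, 0x30, 0x1e, 0x31, 0x1c, 0x30, 0x1a,
	0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0b,
}, []byte("example.org")...)

// CNPattern is the DER fragment an operator might grep for: commonName OID, then UTF8String tag.
var CNPattern = []byte{0x06, 0x03, 0x55, 0x04, 0x03, 0x0c}

// LogSizes returns the characters a hex and a padded base64 log field need for a
// DER blob of derLen bytes, and how many characters base64 saves on that line.
func LogSizes(derLen int) (hexLen, b64Len, saved int) {
	hexLen = derLen * 2
	b64Len = (derLen + 2) / 3 * 4
	return hexLen, b64Len, hexLen - b64Len
}

// FoundInHex: hex is byte-aligned, so a single substring search finds any DER fragment.
func FoundInHex(hexField string, pattern []byte) bool {
	return strings.Contains(hexField, hex.EncodeToString(pattern))
}

// FoundInBase64 searches a base64 field for a DER fragment. Base64 packs 3 bytes into
// 4 chars, so the fragment's encoding depends on its offset mod 3; for each of the three
// shifts we keep only the 4-char groups made purely of pattern bytes and search for those.
func FoundInBase64(b64Field string, pattern []byte) bool {
	for shift := 0; shift < 3; shift++ {
		enc := base64.StdEncoding.EncodeToString(append(make([]byte, shift), pattern...))
		start, end := 0, len(enc)
		if shift > 0 {
			start = 4 // first group also covers unknown preceding bytes
		}
		if (shift+len(pattern))%3 != 0 {
			end -= 4 // last group also covers unknown following bytes
		}
		if start < end && strings.Contains(b64Field, enc[start:end]) {
			return true
		}
	}
	return false
}
```

For a 31-byte blob the hex field is 62 characters and the base64 field 44, so base64 saves a third of the field regardless of size; a naive search for the base64 of `CNPattern` fails on `SampleDER` because the fragment sits at offset 13 (not a multiple of 3).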