letsencrypt / boulder

An ACME-based certificate authority, written in Go.
Mozilla Public License 2.0
5.21k stars 607 forks source link

Consider switching to base64 encoding for certificates and CSRs #5135

Open jsha opened 4 years ago

jsha commented 4 years ago

In #2131, we switched from base64 to hex logging for CSRs. That's because some clients exhibited an odd bug in CSR generation that was easily greppable from the hex-encoded CSR structure. We do the same with certificates, in the belief that we may someday want to do processing on log lines without decoding base64 for each line, just looking for specific substrings in hex. However, we haven't had to do that since 2016, and we can save some logging bytes by using base64.

This will require some tweaks to orphan-finder to recognize the new format.

aarongable commented 3 years ago

The first step here is analysis. We have two tradeoffs: 1) On the one hand, hex-encoding allows for grepping for certain DER substrings, but we haven't used that ability often (or maybe ever) 2) On the other hand, base64-encoding saves bytes.

The former is hard to quantify, but the latter is straightforward. The first step here should be an analysis that identifies where we use hex-encoding in our logs, how large those hex-encoded objects are (on average, total per day, something like that), and how many bytes we would save by base64 encoding instead.