Closed dadrian closed 7 years ago
This is likely solvable with some sort of caching.
For further context, "current validation approach" means a priori determine all possible intermediates for a given root store, and then set the intermediate pool to that. This provides a brute-force approach to transvalidity, and allows certificates to be validated without knowledge of the chain.
For the record this is 1000 certificates/second.
Turns out nanoseconds are not microseconds, this seems fast enough for now.
In these benchmarks, `WithIntermediates` means with the set of 1.5K intermediates trusted by NSS ~May 2015, and `WithChain` means with the intermediates pool set to the chain served by a website (e.g. the one intermediate that matters). `RawX509` is `github.com/zmap/zcrypto/x509`, `Verify` is `github.com/zmap/zcrypto/verifier`, and `GolangX509` is `crypto/x509`.

This suggests our current validation approach may be too slow for live certificate validation, and is also not appropriate for finding the set of trusted intermediates in Censys given the set of possible intermediates and a root store.