Re: [pkix] Optimizing OCSP - Time for some spec work ?

Peter Gutmann <> Sat, 26 October 2019 13:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1379D12009E for <>; Sat, 26 Oct 2019 06:27:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id x-vxQI9DYd4E for <>; Sat, 26 Oct 2019 06:27:27 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1D049120024 for <>; Sat, 26 Oct 2019 06:27:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1572096448; x=1603632448; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=+nfKCEnO6jrlM36l4rkjUuScNDMRk5XihjpGSKEVstU=; b=iovPXfB2IMmokUYABWfmre/VO1xV4hAh3eAThVC+chkn0aMKdlWquxGU zmcNsix2886dmZD9oBYpVhKiS0GqEqpatCK9RxPqWc2WRknbV246AgPAu AO9hulMWR91ZpkWwIXQhw717XGAEaKbxpwhydfSTmonHV+Xghapconnk6 Rn4NI5wOErrWYWc0xnSxM/73pczbrQyRPwRgFDCi470PZCLjsags502+6 NlZvo49X5iLzwHrdpdeWMf7ULtHgXKDiNnKREtJIOc34MJj37WB/9IZg6 hwb8QEgFZ3bPaxeOtpkAHN7vW9awtquTrJgCnagEoUGFvj37l04LkjgoI Q==;
X-IronPort-AV: E=Sophos;i="5.68,232,1569240000"; d="scan'208";a="96241060"
X-Ironport-Source: - Outgoing - Outgoing
Received: from (HELO ([]) by with ESMTP/TLS/AES256-SHA; 27 Oct 2019 02:27:25 +1300
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 27 Oct 2019 02:27:24 +1300
Received: from ([]) by ([]) with mapi id 15.00.1395.000; Sun, 27 Oct 2019 02:27:24 +1300
From: Peter Gutmann <>
To: "Dr. Pala" <>, Denis <>, "" <>
Thread-Topic: [pkix] Optimizing OCSP - Time for some spec work ?
Thread-Index: AQHVinrq4I5nEcgfh0O9xU1lviUJBKdpDfqAgAGMs/6AABLDgIACP5S4
Date: Sat, 26 Oct 2019 13:27:23 +0000
Message-ID: <>
References: <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [pkix] Optimizing OCSP - Time for some spec work ?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 26 Oct 2019 13:27:29 -0000

Dr. Pala <> writes:

>However, I think there might be some theoretical approach we can also use to
>quantify benefits based on, at a minimum, projected size of the PKI and the
>number of revoked certificates: the lower the revocation ratio is (revoked
>certificates / total valid population), the lower the costs of pre-
>computation for the whole population is.

Right, and you could do that via simulation, or at least calculate, for
various values of X and Y, what the effects would be and at which point you
start to run into problems.  Then, if it looked feasible, you could perhaps
collect from CAs data on what real-world values of X and Y were likely to be.

>It is interesting to notice that this solution makes the costs associated
>with the revocation infrastructure to be directly correlated to the number of
>revoked certificates, instead of the number of issued certificates, thus
>shifting the paradigm quite a bit


>In case there is interest, would you like to participate in the effort ?

It sounds interesting, but I don't think I'd have time for it, sorry.