
Re: [Sks-devel] ECC HTTPS certs for HKPS


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] ECC HTTPS certs for HKPS
Date: Mon, 03 Apr 2017 08:45:48 +0200
User-agent: K-9 Mail for Android

On April 2, 2017 9:10:10 PM GMT+02:00, Pete Stephenson <address@hidden> wrote:

>
>True, but RSA-4096 is *slow*. 3072 is a bit less so (but there's no
>openssl speed option for testing it).
>
>My server, a cheap VPS at Scaleway, can only do 25.4 RSA-4096 private
>key operations per second. It can do 192 RSA-2048 operations per
>second.
>
>With ECC, it can do 2190 ECDSA P-256 signatures per second and 1430
>P-384 signatures. It can do 1190 and 382 P-256 and P-384 ECDH key
>exchanges per second, respectively.
>
>That said, it's not a huge concern at present, as during peak times my
>server only handles 3-5 TLS connections/second. Still, it seems that
>some clients are particularly heavy-use (in particular, some German
>and Finnish IP addresses using a user-agent of "okhttp/3.5.0" --
>anyone know what those are? Reverse DNS shows no particular clues:
>some are DSL/cable connections, some are public hotspots, etc.) and
>make periodic bursts of 10+ queries in a second, almost exclusively
>for keys that don't exist. This means they're opening many
>simultaneous, separate HTTPS connections with a fresh key exchange on
>each. If they ramp up the number of connections they make (or there's
>many new clients doing the same thing), this could pose scaling
>problems.
>
>In the past there's been at least one corporate mail server that
>queried the pool for each inbound email to see if the sender had a
>public key. That caused a sustained increase in queries for a while,
>but I don't see them anymore.
>


This part I find quite interesting to continue discussing:

(i) it is likely among the more relevant points as to whether to go the ECC route;
(ii) it might raise the question of the need for setting minimum criteria for servers to
be added to the hkps pool, etc.;
(iii) changes to usage patterns and preparation for more traffic.

As for (iii), we might be able to meet it by adding more servers to the hkps pool to
get more distribution of load, in addition to (ii) and (i), but I am curious if
others have identified interesting behavior from certain clients.

As for gateway solutions, as far as I'm aware at least Symantec Encryption
Server (former PGP Universal) only checks LDAP (and not that either by default),
but periodic keyring refreshes etc. are natural behavior/usage anyway.


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP certificate at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
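The client behaviour Pete describes in the quoted message (bursts of 10+ lookups in a single second, almost all for keys the server does not have, from a single user-agent) is something an operator can pick out of the reverse-proxy access log before deciding on pool criteria or key types. The script below is an added example written for this page; it is not code from the thread or from the SKS project. It assumes the keyserver is fronted by nginx writing the default "combined" log format, that a lookup for a key the server does not hold is logged with HTTP status 404, and that lookups hit `/pks/lookup`. All log lines, IP addresses (from the RFC 5737 documentation ranges) and user-agent strings in it are constructed for the example.

```python
"""Flag clients that issue bursts of HKP lookups, mostly for missing keys.

Added example, not from the thread or from SKS. Assumes an nginx 'combined'
access log in front of the keyserver and that a miss is logged as HTTP 404.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx 'combined': ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_line(ip, when, search, status, ua):
    """Build a constructed log line for the example (not captured traffic)."""
    return (f'{ip} - - [{when}] "GET /pks/lookup?op=get&options=mr&search={search} '
            f'HTTP/1.1" {status} 0 "-" "{ua}"')


# Constructed sample: one client fires 12 lookups in the same second, 11 of
# which miss; a second client does two ordinary lookups seconds apart; a
# third sends a single miss. User-agent strings are illustrative only.
SAMPLE_LOG = (
    [constructed_line("198.51.100.23", "02/Apr/2017:20:10:10 +0200",
                      f"0x{i:08X}", 404 if i else 200, "okhttp/3.5.0")
     for i in range(12)]
    + [constructed_line("203.0.113.9", "02/Apr/2017:20:10:10 +0200",
                        "0x0B7F8B60E3EDFAE3", 200, "DirMngr/2.1.19"),
       constructed_line("203.0.113.9", "02/Apr/2017:20:10:15 +0200",
                        "0x0B7F8B60E3EDFAE3", 200, "DirMngr/2.1.19"),
       constructed_line("192.0.2.44", "02/Apr/2017:20:10:11 +0200",
                        "0x00000001", 404, "okhttp/3.5.0")]
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split()
    path = parts[1] if len(parts) >= 2 else ""
    second = int(datetime.strptime(m.group("time"), TIME_FMT).timestamp())
    return {
        "ip": m.group("ip"),
        "second": second,            # bucket key: whole seconds since epoch
        "status": int(m.group("status")),
        "ua": m.group("ua"),
        "lookup": path.startswith("/pks/lookup"),
    }


def find_bursty_clients(lines, burst=10):
    """Return {ip: summary} for clients with >= `burst` lookups in one second.

    The summary carries the peak one-second rate, the fraction of lookups
    that missed (404), and the client's most common user-agent, which is
    what an operator needs to decide whether to rate-limit or to ask on-list.
    """
    stats = defaultdict(lambda: {"per_second": Counter(), "misses": 0,
                                 "total": 0, "ua": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["lookup"]:
            continue
        st = stats[rec["ip"]]
        st["per_second"][rec["second"]] += 1
        st["total"] += 1
        st["misses"] += rec["status"] == 404
        st["ua"][rec["ua"]] += 1

    report = {}
    for ip, st in stats.items():
        _, peak = st["per_second"].most_common(1)[0]
        if peak >= burst:
            report[ip] = {
                "peak_per_second": peak,
                "miss_ratio": st["misses"] / st["total"],
                "user_agent": st["ua"].most_common(1)[0][0],
            }
    return report


if __name__ == "__main__":
    for ip, summary in find_bursty_clients(SAMPLE_LOG).items():
        print(ip, summary)
```

On real logs, feed the file's lines to `find_bursty_clients` and tune `burst` to the server's own baseline; a single source address can also be a NAT or a public hotspot, as the reverse-DNS results in the quoted message suggest, so the user-agent and miss ratio are the more useful discriminators than the address alone. If nginx is configured to log the `$connection` variable as well, the same per-second grouping will show whether each lookup really arrived on a fresh TLS connection.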