So the last few weeks I have spent a reasonable amount of time looking at performance and networking related problems associated with revocation repositories. I still have some additional work to do but I figured I would capture some of my findings in a quick post.
CRL repositories and IPv6
| CA | Host | Supports V6 |
| GlobalSign | crl.globalsign.com | Yes |
| Comodo | crl.comodoca.com | No/Sometimes |
| CyberTrust | sureseries-crl.cybertrust.ne.jp | No |
| Symantec/GeoTrust | EVSSL-crl.geotrust.com | No |
| Symantec/VeriSign | EVIntl-crl.verisign.com | No |
| DigiCert | crl3.digicert.com | No |
| StartSSL | crl.startssl.com | No |
| TrustWave | crl.securetrust.com | No |
| TrustCenter | crl.ix.tcclass3.tcuniversal-i.trustcenter.de | No |
| GoDaddy | crl.godaddy.com | No |
| Entrust | crl.entrust.net | No |
| Certum | crl.certum.pl | No |
* IPv6 Capability was checked via http://ipv6-test.com/validate.php
OCSP repositories and IPv6
| CA | Host | Supports V6 |
| GlobalSign | ocsp.globalsign.com | Yes |
| COMODO | ocsp.comodoca.com | No |
| GoDaddy | ocsp.godaddy.com | No |
| DigiCert | ocsp.digicert.com | No |
| StartCom | ocsp.startssl.com | No |
| TrustCenter | ocsp.tcuniversal-I.trustcenter.de | No |
| TrustWave | ocsp.trustwave.com | No |
| Enstrust | ocsp.entrust.net | No |
| Symantec/GeoTrust | ocsp.geotrust.com | No |
| Symantec/VeriSign | ocsp.verisign.com | No |
| CyberTrust | sureseries-ocsp.cybertrust.ne.jp | No |
| Certum | ocsp.certum.pl | No |
* IPv6 Capability was checked via http://ipv6-test.com/validate.php
CRL Size
| CA | CRL | Size | # Entries |
| Certum | http://crl.certum.pl/evca.crl | 862 | 7 |
| Symantec/Geotrust | http://EVSSL-crl.geotrust.com/crls/gtextvalca.crl | 720 | 12 |
| Cybertrust | http://sureseries-crl.cybertrust.ne.jp/SureServer/2021_ev/cdp.crl | 1742 | 17 |
| GlobalSign | http://crl.globalsign.com/gs/gsextendvalg2.crl | 1114 | 18 |
| TrustWave | http://crl.securetrust.com/STCA.crl | 2158 | 65 |
| StartSSL | http://crl.startssl.com/crt4-crl.crl | 2339 | 90 |
| DigiCert | http://crl3.digicert.com/evca1-g1.crl | 5393 | 100 |
| GoDaddy | http://crl.godaddy.com/gds3-37.crl | 6848 | 153 |
| Comodo | http://crl.comodoca.com/COMODOExtendedValidationSecureServerCA.crl | 12959 | 351 |
| TrustCenter | http://crl.ix.tcclass3.tcuniversal-i.trustcenter.de/crl/v2/tc_class3_L1_CA_IX.crl | 16138 | 407 |
| Entrust | http://crl.entrust.net/level1e.crl | 40995 | 1005 |
| Symantec/VeriSign | http://EVIntl-crl.verisign.com/EVIntl2006.crl | 207922 | 5972 |
| * CRL count was determined using “curl url>crl & openssl crl -in crl -inform der -text | grep -c “Serial” | |||
| * Size was determined using the Content-Length header, “curl –verbose –url *” | |||
OCSP response Size
| CA | Host | Size |
| Comodo | ocsp.comodoca.com | 471 |
| Digicert | ocsp.digicert.com | 471 |
| GlobalSign | ocsp2.globalsign.com | 1491 |
| CyberTrust | sureseries-ocsp.cybertrust.ne.jp | 1588 |
| StartSSL | ocsp.startssl.com | 1596 |
| Symantec/Verisign | ocsp.verisign.com | 1739 |
| GoDaddy | ocsp.godaddy.com | 1923 |
| Entrust | ocsp.entrust.net | 1939 |
| Certum | ocsp.certum.pl | 2113 |
| Trustwave | ocsp.trustwave.com | 2519 |
| TrustCenter | ocsp.tcuniversal-I.trustcenter.de | 3135 |
| Symantec/Geotrust | ocsp.geotrust.com | 3346 |
* Size was determined using the Content-Length header, “curl –verbose –url *”
OCSP Response Performance
| CA | Host | Average (ms) |
| GlobalSign | ocsp2.globalsign.com |
95 |
| DigiCert | ocsp.digicert.com |
156 |
| GoDaddy | ocsp.godaddy.com |
163 |
| COMODO | ocsp.comodoca.com |
202 |
| StartCom | ocsp.startssl.com |
280 |
| Enstrust | ocsp.entrust.net |
293 |
| Symantec/GeoTrust | ocsp.geotrust.com |
293 |
| Symantec/VeriSign | ocsp.verisign.com |
295 |
| TrustWave | ocsp.trustwave.com |
297 |
| TrustCenter | ocsp.tcuniversal-I.trustcenter.de |
389 |
| CyberTrust | sureseries-ocsp.cybertrust.ne.jp |
421 |
| Certum | ocsp.certum.pl |
568 |
| * Measuring with Monitis points in US-MID, US-EST-US-WST, Canada, Denmark, Netherlands, Germany, Spain, UK, Sweden, China, Austrailia, Signapore, Japan were used. |
CRL Repository Performance
| CA | Host | Average (ms) |
| GlobalSign | crl.globalsign.com | 101 |
| DigiCert | crl3.digicert.com | 102 |
| Entrust | crl.entrust.net | 120 |
| Comodo | crl.comodoca.com | 178 |
| GoDaddy | crl.godaddy.com | 186 |
| StartCom | crl.startssl.com | 267 |
| TrustWave | crl.securetrust.com | 272 |
| Symantec/GeoTrust | EVSSL-crl.geotrust.com | 298 |
| Symantec/Verisign | EVIntl-crl.verisign.com | 298 |
| TrustCenter | crl.ix.tcclass3.tcuniversal-i.trustcenter.de | 371 |
| Certum | crl.certum.pl | 426 |
| CyberTrust | sureseries-crl.cybertrust.ne.jp | 454 |
| * Measuring with Monitis points in US-MID, US-EST-US-WST, Canada, Denmark, Netherlands, Germany, Spain, UK, Sweden, China, Austrailia, Signapore, Japan were used. | ||
Kouett'
Nice job. IPv6 is a bonus.
CRL size is wrong for GlobalSign (1144 instead of 114) and for GoDaddy (remove the trailing ‘a’ in the URL to get the real one).
CRL #entries should really be counted (openssl crl … | grep -c “Serial Number:”), because CRL entry sizes vary a lot. For example GeoTrust uses 2 bytes serial numbers (sequential, which must have been prohibited since 2008 at least), while Certum uses 16bytes ones with a reason code for each entry.
Kouett'
(Why is the “website” entry mandatory for comments?)
rmhrisk
I fixed the table, copy and paste errors
As for the CRL count, I agree its just an apx, no time to fix right now.
rmhrisk
As for the website, Its the default I will look into it.
rmhrisk
Fixed the CRL counts.
techniq808
I noticed you mentioned Comodo’s CRL was available via IPv6, however I’m finding the CRLs accessibility over IPv6 very inconsistent. i noticed this when working with a PDF file signed with a client cert issued by Comodo. Several test with curl confirm the same, no failures over IPv4 (20/20) and IPv6 could only do 60% (12/20). The 60% was the best for IPv6 other test runs fared worse. Just for comparison accessing GlobalSign’s CRL over IPv6 was perfect (20/20) over multiple iterations.