September 10, 1998
CRL Modeling
David A. Cooper
NIST
Repositories
Goal of work is to examine effect of different CRL schemes on repositories.
Assumption: The main concern is to minimize the peak load on a repository.
  Allows use of least expensive repository; or
  maximizes number of relying parties that can be serviced.
Request Rates
n = Number of relying parties: 300,000
v = validation rate: 10 certificates/relying party/day
u = Revocation updates: 1 update/day
s = number of segments
t = amount of time since last CRL update
request rate per segment = $(n v / s)\, e^{-v t / s}$
peak request rate = $n v$
[Figure: Request Rate (Unsegmented CRL). x-axis: time (hours), 0 to 24; y-axis: requests/second, 0 to 35.]
[Figure: Request Rate (2 CRL Segments). x-axis: time (hours), 0 to 24; y-axis: requests/second, 0 to 35.]
[Figure: Request Rate (50 CRL Segments). x-axis: time (hours), 0 to 24; y-axis: requests/second, 0 to 35.]
Staggered CRL Issuance
CRL segments don’t have to be issued simultaneously
2 CRL segments issued at 12-hour intervals lead to a lower peak request rate
request rate (for 2 CRL segments) = $(n v / s)\,(e^{-v t / s} + e^{-v (t+12) / s})$
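The request-rate formulas from the Request Rates and Staggered CRL Issuance slides, evaluated with the slides' values of n and v (an added Python example, not part of the original presentation). It assumes t is measured in days, so the 12-hour offset becomes 0.5, and it generalizes the two-segment staggered formula to s segments issued at evenly spaced intervals of 1/s day; the function names are illustrative.

```python
import math

SECONDS_PER_DAY = 86_400


def segment_rate(n, v, s, age_days):
    """Slide formula (n v / s) e^(-v t / s): requests/day for one segment
    whose current CRL was issued age_days ago."""
    return (n * v / s) * math.exp(-v * age_days / s)


def total_rate(n, v, s, t_days, staggered):
    """Requests/second summed over all s segments, t_days after the most
    recent issuance.

    Simultaneous issuance: every segment has age t.
    Staggered issuance (assumed evenly spaced, 1/s day apart): the segment
    ages are t + k/s for k = 0 .. s-1. With s = 2 this is the slide's
    two-term formula with the 12-hour offset written as 0.5 day.
    """
    offsets = [k / s if staggered else 0.0 for k in range(s)]
    per_day = sum(segment_rate(n, v, s, t_days + off) for off in offsets)
    return per_day / SECONDS_PER_DAY


def peak_rate(n, v, s, staggered):
    """Every term decays with t, so the peak is at the instant of issuance."""
    return total_rate(n, v, s, 0.0, staggered)


if __name__ == "__main__":
    n, v = 300_000, 10  # values given on the Request Rates slide
    print("segments  simultaneous  staggered  (peak requests/second)")
    for s in (1, 2, 3, 50):
        simultaneous = peak_rate(n, v, s, staggered=False)
        spread = peak_rate(n, v, s, staggered=True)
        print(f"{s:8d}  {simultaneous:12.2f}  {spread:9.2f}")
```

With simultaneous issuance the peak stays at n v (about 34.7 requests/second) for any s; staggering two segments brings it down to about 18.8 requests/second.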
[Figure: Request Rate (2 CRL Segments - Staggered Issuance). x-axis: time (hours), 0 to 24; y-axis: requests/second, 0 to 35.]
[Figure: Request Rate (3 CRL Segments - Staggered Issuance). x-axis: time (hours), 0 to 24; y-axis: requests/second, 0 to 35.]
[Figure: Request Rate (50 CRL Segments - Staggered Issuance). x-axis: time (hours), 0 to 24; y-axis: requests/second, 0 to 35.]
Service Rate
Larger CRL segments may reduce request rate, but may also reduce service rate.
If = request rate and = service rate:
  average waiting time 1 / (
Service time increases linearly with CRL segment size =
  Header + (# entries)(per entry cost)
Less segmentation better when fixed cost dominates.
[Figure: Optimal Segmentation (1 day). x-axis: size dependent (ms), 0 to 50; y-axis: number of segments, 0 to 40.]
[Figure: Optimal Segmentation (10 minutes). x-axis: size dependent (ms), 0 to 0.8; y-axis: number of segments, 0 to 1000.]
Over-issued CRLs
Issue full CRLs more than once per day
Make each CRL valid for one day
  Improves use of caches
  Spreads out CRL requests
[Figure: timeline with ticks at 0, 12, 24, 36, 48]
[Figure: Over-Issued CRLs. x-axis: number of CRLs issued per day, 0 to 100; y-axis: peak request rate (requests/second), 0 to 35.]
Questions
What are the most important parameters?
  Mean waiting time per request? (peak or average)
  Mean total waiting time? (i.e., average total waiting time per relying party per day)
  Peak bandwidth requirements?
  Average bandwidth requirements?
  Cache size?
  Others?