[caops-wg] OCSP validation performance in Grid environments
Jesus Luna
jluna at ac.upc.edu
Fri Oct 28 05:38:14 CDT 2005
Hello again (one more time!),
Even though we are still in the process of formally publishing this
info, we would like to comment about the results obtained at this date
with OGRO+Grid Validation Policy+GT4. Maybe some of them could be
interesting for the "OCSP Requirements for Grids" document.
We have measured the time elapsed in validating through OCSP (OGRO) a
Proxy Certificate Path i) at the client-side when the user creates it
by executing "grid-proxy-init" and, ii) at the server-side when the
GT4's WSRF Container receives a Grid Service invocation (CounterService)
through the secure message mechanism. In both cases we were using
different Grid Validation Policies to understand the overhead introduced
when customizing parameters like use of digital signatures, nonces,
HTTP/HTTPS, fault tolerance, etc.
In most of the cases the results showed that the decision to protect the
OCSP Request with digital signatures, nonce and HTTPS introduces an
overhead which is practically non-existent when compared with the
overhead of communicating with the OCSP Responder itself.
To alleviate such overhead we have implemented a mechanism called
pre-validation, which embeds the OCSP Response as a Proxy Certificate
extension when such credential is being created by the client. When the
server needs to validate such data, it merely needs to extract the
pre-validation data from the Proxy and proceed with the usual OCSP
verification process. In our tests we have measured elapsed times 30%
lower than those obtained with "traditional" OCSP validation at the
server (WSRF Container).
Hope this information may be useful for the document.
Best regards (finally!),
Oscar & Jesus
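Added illustration of the pre-validation flow described in the message (not OGRO's code, nor the authors'): the client embeds an OCSP response for its end-entity certificate in the proxy under an assumed private extension OID, and the server extracts it and still runs the usual checks (responder signature, matching serial, thisUpdate/nextUpdate window). The test PKI, OID and timestamps are constructed here; it uses the `cryptography` library.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Assumed private OID for the pre-validation extension (not OGRO's real OID).
PREVAL_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")
NOW = datetime(2005, 10, 28, 10, 0)      # constructed, naive UTC (what the library returns)
LATER = NOW + timedelta(hours=2)         # past the embedded response's nextUpdate

def _cert(subject, issuer, pubkey, signer, exts=()):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + timedelta(hours=12)))
    for e in exts:
        b = b.add_extension(e, critical=False)
    return b.sign(signer, hashes.SHA256())

# Constructed test PKI: CA -> end-entity cert (EEC). The CA key also acts as OCSP responder.
ca_key, eec_key, proxy_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Grid CA")])
eec_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "jluna")])
ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key)
eec_cert = _cert(eec_name, ca_name, eec_key.public_key(), ca_key)

def client_make_proxy():
    """Client side (grid-proxy-init): obtain one OCSP response for the EEC and embed it."""
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(eec_cert, ca_cert, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
                          NOW, NOW + timedelta(hours=1), None, None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    ext = x509.UnrecognizedExtension(PREVAL_OID, resp.public_bytes(serialization.Encoding.DER))
    proxy_name = x509.Name(list(eec_name) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    return _cert(proxy_name, eec_name, proxy_key.public_key(), eec_key, [ext])

def server_prevalidate(proxy, at=NOW):
    """Server side: pull the embedded response out of the proxy, then do the usual OCSP checks."""
    der = proxy.extensions.get_extension_for_oid(PREVAL_OID).value.value
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "bad-status"
    # Signature must come from the trusted responder (here the CA key); raises on failure.
    ca_key.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != eec_cert.serial_number:     # must cover the proxy's own EEC
        return "wrong-cert"
    if not (resp.this_update <= at < resp.next_update):  # embedded data has a validity window
        return "stale"
    return "good" if resp.certificate_status == ocsp.OCSPCertStatus.GOOD else "revoked"
```

The saving is that the server never contacts the responder; the cost is that a pre-validated proxy carries status that is only as fresh as the response's nextUpdate, so the window check stays mandatory.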