Re: Question about time to generate certs

On 4 September 2015 at 09:33, Cullen Jennings (fluffy) <fluffy@cisco.com> wrote:
> The spec says that a set of certs are generated for each new PC (if the certs are not provided). How many certs will likely be in this set in the future? Does anyone have rough measurements of how long this takes on a slow mobile phone?

The set of certs that Firefox generates is of size 1.  That is
unlikely to change in the near term, though it might be the case that
we want to do the new CFRG curves when those are more widely deployed,
increasing this to 2.

The data that I have on generation times is based on the numbers on
http://bench.cr.yp.to/results-sign.html. I haven't run tests on an
array of machines, but overheads should dominate key generation for
anything but the slowest machines... unless you want RSA.

Based on the benchmark numbers for ecdonaldp256 (P-256) on a
relatively powerful, but ~4 year-old ARM CPU [12][4], P-256 key
generation takes around 2ms.  The overhead involved with loading all
the WebRTC code is probably higher than that.

ronald2048 (RSA) takes somewhere between 1 and 2 seconds, though the
actual numbers aren't stable.  Don't use RSA on crappy phones.

Note that you can (and likely should) cache certificates for these,
especially if you are using RSA.

[12] Identified as armeabi; Cortex-A15 (410fc0f4); 2012 Samsung Exynos
5 Dual; 2 x 1700MHz
[4] I reject your linear footnote hypothesis

Received on Friday, 4 September 2015 17:58:15 UTC
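
The certificate caching suggested in the message above, sketched as an added example that is not part of the original post or of any browser's code. `CertificateCache`, its `generate`/`now` hooks and `minRemainingMs` are names assumed for this sketch; `RTCPeerConnection.generateCertificate()`, the `expires` attribute and the `certificates` configuration member are the standard browser API.

```javascript
// Algorithm dictionaries accepted by RTCPeerConnection.generateCertificate().
const P256 = { name: 'ECDSA', namedCurve: 'P-256' };
const RSA2048 = { name: 'RSASSA-PKCS1-v1_5', modulusLength: 2048,
                  publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' };

class CertificateCache {
  // `generate` and `now` are injectable (an assumption of this example) so the
  // logic can run outside a browser; the default is the real browser API.
  constructor({ generate, now = () => Date.now(), minRemainingMs = 86400000 } = {}) {
    this.generate = generate || ((alg) => RTCPeerConnection.generateCertificate(alg));
    this.now = now;
    this.minRemainingMs = minRemainingMs; // do not hand out certs about to expire
    this.entries = new Map();             // cache key -> Promise<certificate>
    this.generated = 0;                   // number of key generations paid for
  }

  static keyFor(alg) {
    return `${alg.name}:${alg.namedCurve || alg.modulusLength}`;
  }

  // Reusable only while enough lifetime is left before `expires`.
  isUsable(cert) {
    return cert.expires - this.now() > this.minRemainingMs;
  }

  // Start one generation and cache the promise, so concurrent callers share it
  // instead of each paying the key generation cost (seconds for RSA on a phone).
  refresh(key, alg) {
    this.generated += 1;
    const pending = new Promise((resolve) => resolve(this.generate(alg)));
    this.entries.set(key, pending);
    pending.catch(() => {                 // never keep a failed generation
      if (this.entries.get(key) === pending) this.entries.delete(key);
    });
    return pending;
  }

  get(alg = P256) {
    const key = CertificateCache.keyFor(alg);
    const cached = this.entries.get(key);
    if (!cached) return this.refresh(key, alg);
    return cached.then((cert) => {
      if (this.isUsable(cert)) return cert;
      const current = this.entries.get(key); // another caller may have refreshed
      return current && current !== cached ? current : this.refresh(key, alg);
    });
  }
}
// Browser usage: new RTCPeerConnection({ certificates: [await cache.get()] })
```

This cache lives only as long as the page; an `RTCCertificate` can also be stored in IndexedDB to reuse it across page loads.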