|Priority||Work Item||Description||Sub-issues||Security Considerations|
|1||Certificate chain length||Ideally, servers would only have to transmit two certificates to the client: the end-entity and one intermediate. In practice, chains are often much longer.||1. Should browsers follow AIA extension for intermediates? 2. Why do some servers deliver root in handshake? 3. CAs' needs for multiple levels of intermediate certs 4. Reasons for cross-signing roots 5. Contribute to TLS Cached Info draft - http://tools.ietf.org/html/draft-ietf-tls-cached-info-16|
|2||OCSP Stapling, multi-stapling, and must-staple adoption||Effort to make multi-stapling work better in terms of latency||1. Advocating larger initial congestion window 2. TLS compression||Some form of certificate status checking is required.|
|3||Recommend number of SCTs required in a certificate in different circumstances||Policy recommendations to minimize the impact of certificate transparency on SSL performance||1. Recommend number of SCTs included in certificate 2. Recommend optimal server configuration for delivering SCTs via OCSP stapling or TLS extension.||Certificates must be registered with enough logs that any one log can fail without impacting any certificates.|
|4||Proposals to IETF for certificate compression||Develop new IETF internet drafts for compression of certificate and stapled revocation information in the TLS handshake.|
|5||Certificate contents - optimizing key size and certificate encoding considerations||Optimization of the types of keys and encoding of data in certificate fields to minimize the size of the certificate.||1. Recommendations for preferred algorithms. 2. Recommendations for preferred key size. 3. Minimizing overhead of encoding data in certificate fields||Balance key length strength versus size.|
|6||Document methods for measuring SSL performance / develop or recommend performance measurement tools||How should SSL performance be measured, and what tools can be used?||1. What information in the Qualys test is relevant? 2. What other tools are useful? OpenSSL? WebPageTest?|
|future||max certificate size|
|future||Recommendation for minimizing OCSP response size (when to use delegated signing)|
|future||Recommendations for how client software should process certificates with minimum overhead|
|future||Certificate contents - removing technically unnecessary fields|
|future||Short-lived certificate support|
|future||Recommendations for non-blocking delivery of revocation information (CRLSets)|
|future||Recommendations for server software and server admins regarding TCP minimum congestion window and TLS record size|