Performance WG Issue Tracker

| Priority | Work Item | Description | Sub-issues | Security Considerations |
|---|---|---|---|---|
| 1 | Certificate chain length | Ideally, servers would only have to transmit two certificates to the client - the end-entity and one intermediate. In practice, chains are often much longer. | 1. Should browsers follow AIA extension for intermediates?<br>2. Why do some servers deliver root in handshake?<br>3. CAs' needs for multiple levels of intermediate certs<br>4. Reasons for cross-signing roots<br>5. Contribute to TLS Cached Info draft - http://tools.ietf.org/html/draft-ietf-tls-cached-info-16 | |
| 2 | OCSP Stapling, multi-stapling, and must-staple adoption | Effort to make multi-stapling work better in terms of latency | 1. Advocating larger initial congestion window<br>2. TLS compression<br>3. Caching | Some form of certificate status checking is required. |
| 3 | Recommend number of SCTs required in a certificate in different circumstances | Policy recommendations to minimize the impact of certificate transparency on SSL performance | 1. Recommend number of SCTs included in certificate<br>2. Recommend optimal server configuration for delivering SCTs via OCSP stapling or TLS extension. | Certificates must be registered with enough logs that any one log can fail without impacting any certificates. |
| 4 | Proposals to IETF for certificate compression | Develop new IETF internet drafts for compression of certificate and stapled revocation information in the TLS handshake. | | |
| 5 | Certificate contents - optimizing key size and certificate encoding considerations | Optimization of the types of keys and encoding of data in certificate fields to minimize the size of the certificate. | 1. Recommendations for preferred algorithms.<br>2. Recommendations for preferred key size.<br>3. Minimizing overhead of encoding data in certificate fields | Balance key length strength versus size. |
| 6 | Document methods for measuring SSL performance / develop or recommend performance measurement tools | How should SSL performance be measured, and what tools can be used? | 1. What information in the Qualys test is relevant?<br>2. What other tools are useful? OpenSSL? WebPageTest? | |
| future | Max certificate size | | | |
| future | Recommendation for minimizing OCSP response size (when to use delegated signing) | | | |
| future | Recommendations for how client software should process certificates with minimum overhead | | | |
| future | Certificate contents - removing technically unnecessary fields | | | |
| future | Short-lived certificate support | | | |
| future | Recommendations for non-blocking delivery of revocation information (CRLSets) | | | |
| future | Recommendations for server software and server admins regarding TCP minimum congestion window and TLS record size | | | |