Mozilla is implementing CRLite to check for problematic TLS certificates

Mozilla has announced the start of testing, in Firefox nightly builds, of a new mechanism for detecting revoked certificates: CRLite. CRLite allows efficient certificate revocation checks to be performed against a database held on the user's own system. Mozilla's CRLite implementation is published under the free MPL 2.0 license. The code for generating the database and the server-side components is written in Python and Go. The client-side parts added to Firefox to read data from the database are written in Rust.

Certificate verification through an external service based on the still widely used OCSP (Online Certificate Status Protocol) requires guaranteed network access, adds significant delay to request processing (350 ms on average) and has privacy problems (the OCSP server answering the requests receives information about specific certificates, which can be used to infer which sites the user opens). It is also possible to check locally against CRLs (Certificate Revocation Lists), but the drawback of this approach is the very large size of the data to download: at present the revoked-certificate database is about 300 MB and keeps growing.

To block certificates that certificate authorities have compromised and revoked, Firefox has since 2015 used the OneCRL blacklist in combination with calls to the Google Safe Browsing service to detect possible malicious activity. OneCRL, like CRLSets in Chrome, acts as an intermediate link that aggregates CRLs from certificate authorities and provides a single central OCSP service for checking revoked certificates, so that requests do not have to be sent directly to the certificate authorities. Despite a great deal of work to improve the reliability of the online certificate verification service, telemetry data show that more than 7% of OCSP requests time out (a few years ago this figure was 15%).

By default, if verification via OCSP is impossible, the browser treats the certificate as valid. The service may be unavailable because of network problems or restrictions on internal networks, or attackers may block it: to bypass the OCSP check during a MITM attack it is enough to block access to the checking service. Partly to prevent such attacks, the Must-Staple technique was implemented, which allows an OCSP access error or the absence of OCSP to be treated as a problem with the certificate, but this feature is optional and requires special registration of the certificate.

CRLite allows the full set of information about all revoked certificates to be packed into an easily updatable structure of only about 1 MB, which makes it possible to store the complete CRL database on the client side.
The browser can synchronise its copy of the revoked-certificate data daily, and this database remains available under any conditions.

CRLite aggregates data from Certificate Transparency, the public log of all issued and revoked certificates, and from the results of scanning certificates on the Internet (the CRLs of the various certificate authorities are collected, and information about all known certificates is gathered). The data is packed using a cascading Bloom filter, a probabilistic structure that may falsely report a missing element as present but never misses an element that is present (i.e. with some probability a false positive is possible for a valid certificate, but revoked certificates are guaranteed to be detected).

To eliminate false positives, CRLite introduces additional correcting filter levels. After the structure is generated, all source data is checked and every false positive is identified. Based on the result of this check, an additional structure is created, layered on top of the first, which corrects the false results. The operation is repeated until false positives are completely eliminated during the control check. Usually creating 7 to 10 layers is enough to cover all the data completely. Since the state of the database, owing to periodic synchronisation, lags slightly behind the current state of the CRLs, new certificates issued after the last CRLite database update are checked using the OCSP protocol, including OCSP Stapling (an OCSP response certified by the certificate authority is transmitted by the server serving the site during TLS connection negotiation).
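The two paragraphs above describe the filter cascade in words; the following is an added, self-contained Python example (not Mozilla's CRLite code) that builds such a cascade over constructed serial numbers and queries it. Level 0 is a Bloom filter over the revoked set; every valid serial it wrongly accepts becomes the input of level 1, every revoked serial level 1 wrongly accepts becomes the input of level 2, and so on until a control check over the other side finds no false positives. The hashing (SHA-256 with a per-level salt), the sizing formulas, the per-level false-positive rates and the sample serials are all assumptions of this example, chosen only to illustrate the technique.

```python
"""Toy cascading Bloom filter in the style of CRLite (added example, not Mozilla's code)."""
import hashlib
import math


class BloomFilter:
    """Plain bit-array Bloom filter sized for n_items at the requested false-positive rate."""

    def __init__(self, n_items, fp_rate, salt):
        n_items = max(1, n_items)
        # standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hash functions
        self.m = max(64, math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.salt = salt  # distinct per cascade level so the levels hash independently

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(self.salt + bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        # no false negatives: an added item always has all of its bits set
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self):
        return len(self.bits)


class FilterCascade:
    """Levels alternate: even levels hold revoked-side sets, odd levels hold valid-side sets."""

    def __init__(self, revoked, valid, fp_rate=0.5, max_levels=64):
        self.levels = []
        include, exclude = list(revoked), list(valid)
        while include:
            if self.levels:
                rate = fp_rate
            else:
                # level 0 is sized so its false positives are roughly half the revoked set
                rate = min(fp_rate, len(include) / (2.0 * max(1, len(exclude))))
            level = BloomFilter(len(include), rate, salt=bytes([len(self.levels)]))
            for item in include:
                level.add(item)
            self.levels.append(level)
            # control check: every exclude-side item this level wrongly accepts
            # becomes the include set of the next level, which corrects it
            include, exclude = [x for x in exclude if x in level], include
            if len(self.levels) > max_levels:
                raise RuntimeError("cascade did not converge")

    def is_revoked(self, item):
        # only meaningful for serials that were in the build universe; a certificate
        # issued after the filter was built must be checked another way (OCSP)
        for depth, level in enumerate(self.levels):
            if item not in level:
                return depth % 2 == 1
        return len(self.levels) % 2 == 1  # accepted by every level: member of the last one

    def size_bytes(self):
        return sum(level.size_bytes() for level in self.levels)


def build_demo():
    """Constructed sample data: 750 revoked and 20,000 valid serial numbers."""
    revoked = [("revoked-serial-%05d" % i).encode() for i in range(750)]
    valid = [("valid-serial-%05d" % i).encode() for i in range(20000)]
    return FilterCascade(revoked, valid), revoked, valid


if __name__ == "__main__":
    cascade, revoked, valid = build_demo()
    print("levels:", len(cascade.levels), "bytes:", cascade.size_bytes())
    print("all revoked detected:", all(cascade.is_revoked(s) for s in revoked))
    print("no valid flagged:", not any(cascade.is_revoked(s) for s in valid))
```

The query walks the levels in order and stops at the first level that rejects the serial: because a Bloom filter never rejects something it contains, a rejection at level i proves the serial belongs to the side represented by level i-1. That is why the cascade can be exact for every certificate it was built over while each level stays tiny, and why the article's figure of roughly 1 MB for the whole WebPKI is plausible even though a plain list of revoked serials would be far larger.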


Using Bloom filters, a December snapshot of WebPKI data covering 100 million active certificates and 750 thousand revoked certificates was packed into a structure of 1.3 MB. The generation process is very resource-intensive, but it runs on Mozilla's servers and the user receives a ready-made update. For example, in binary form the source data used during generation requires about 16 GB of memory when stored in the Redis DBMS, and in hexadecimal form a dump of all certificate serial numbers takes about 6.7 GB. Collecting all revoked and active certificates takes about 40 minutes, and generating the packed Bloom-filter structure takes another 20 minutes.

Mozilla currently updates the CRLite database four times a day (not all updates are delivered to clients). Generation of delta updates has not yet been implemented: bsdiff4, which is used to create delta updates for releases, does not give adequate efficiency for CRLite and the updates turn out unreasonably large. To remove this shortcoming, a reworking of the storage structure format is planned to avoid unnecessary rebuilds and deletions.

Currently CRLite operates in Firefox in passive mode and is used in parallel with OCSP to collect statistics about its correct operation. CRLite can be switched to the main checking mode; to do so, set security.pki.crlite_mode = 2 in about:config.


source: budenet.ru
