Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- Subject: Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- From: "Shawn A. Geddis" <email@hidden>
- Date: Tue, 28 Aug 2007 19:18:45 -0400
Alan,
That is a true statement if the Certificate has a URI for an OCSP
Request (AIAExtension), but for ALL of DoD using the CAC, they were
issued only with URIs for CRLs (CRLDistribution Points).
Note:
The 'ocspd' process handles both CRL & OCSP.
-Shawn
On Aug 28, 2007, at 6:46 PM, Alan B Stepakoff wrote:
My understanding of the OCSP protocol is to avoid loading a massive
CRL. Instead it queries the individual certificate to see if it is
revoked.
Alan Stepakoff
At 5:43 PM -0500 8/28/07, Paul Nelson wrote:
The ocspd daemon is probably loading a CRL needed to verify a
signature.
It gets the CRL uri from the cert. If the cert is issued by one of
the standard DoD intermediate CA servers, the CRL could be quite
large. Also, the DISA CRL servers are notoriously slow. It might
take at least 30 seconds to get the CRL. However, once the CRL is
loaded, it will be cached until it expires.
You can use certtool to look at your CRL cache:
certtool y k=/var/db/crls/crlcache.db
You can use crlrefresh to flush the cache:
crlrefresh r
As for the GUI spinning, Apple does not have an API for validating a
cert in a threaded manner. The app writer must do that themselves.
Paul Nelson
Thursby Software Systems, Inc.
on 8/28/07 5:29 PM, Alan B Stepakoff at
email@hidden wrote:
OCSP is the process for checking whether an x.509 certificate has
been revoked or not.
The system must be loading an OCSP daemon when checking the
signature cert.
Alan Stepakoff
At 5:57 PM -0400 8/28/07, Mike Jackson wrote:
That email from Shawn today with the subject "Re: [Fed-Talk] Mac
Ownership & Permissions (UNCLASSIFIED)". Anything from Tim Miller
(Sorry Tim.. ;-) ) and a few others. This is with Apple Mail on
10.4.10. Nothing else is special about the system unless you count
all the developer stuff from Apple that has been installed.
Ok. I did some digging and using those superpowers that Activity
Monitor grants me, the culprit seems to be 'ocspd', which when I
tried to view a signed email that was on this list a few days ago,
the memory spiked to 800MB and locked up the GUI for about 30
seconds. Is this normal?
--
Mike Jackson Senior Research Engineer
Innovative Management & Technology Services
On Aug 28, 2007, at 5:46 PM, Bill Wagner wrote:
That really can't be answered without knowing more information:
1. How big are the e-mails and/or the data contained in them?
2. Are the e-mails self signed or are they checked against a
public key?
3. Is this custom software as in that provided in a package
developed for you or is it off the shelf with no modification.
4. Is this happening on all signed e-mails or just some of them?
5. Do you know what type of signing algorithms are being used?
If they're simple text e-mails and everything is off the shelf, I
would think you might want to assume this is some type of OS bug.
If the e-mails contain data such as images or reports of any type,
then it means the e-mail and every byte of data in the included
documents or images is likely being hashed through a signing
algorithm to check its validity. This can be pretty memory and CPU
intensive, but I have to admit unless this is being done to
mega-documents or mega-images, eating up 700M sounds pretty
inefficient.
I would need more information to even hazard a guess.
Bill Wagner
http://www.scsc-online.com
Mike Jackson wrote:
Why does my computer (Mac Book Pro, 2GB Ram, 160GB Drive) seem to
lock up and the memory usage spike ( to about 700MB) every time I
try to view a signed email? This is getting to the point where I
am about to put a filter to just delete anything from those
people I know sign their emails.. just getting frustrating.
This is with OS X 10.4.10. There is always lots of Ram available
when this happens as I monitor it with a utility constantly. The
same thing happens with Safari when I log into the US Air Force
Web Mail site with my CAC.
Thanks for any help.
--
Mike Jackson
imikejackson & gmail * com
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
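
The thread turns on which revocation pointers a certificate carries: an OCSP URI in the Authority Information Access extension, or only CRL URIs in CRL Distribution Points. The Python below is an added example, not code from the thread or from any Apple tool; it lists both kinds of URI found in DER-encoded certificate data. The sample bytes and example.invalid URLs are constructed, and descending into OCTET STRINGs is a heuristic rather than a full X.509 parser.

```python
OID_CRL_DP = bytes.fromhex("551d1f")             # 2.5.29.31 cRLDistributionPoints
OID_AIA = bytes.fromhex("2b06010505070101")      # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")     # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
KIND = {OID_CRL_DP: "crl", OID_OCSP: "ocsp"}

def read_tlv(buf, pos):                          # -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:                      # indefinite or absurd length
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def walk(buf):                                   # flat list of primitive (tag, value)
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        if tag & 0x20:                           # constructed: descend
            out.extend(walk(val))
        elif tag == 0x04:                        # OCTET STRING wraps extension DER
            try:
                out.extend(walk(val))
            except ValueError:
                out.append((tag, val))           # opaque bytes, keep as a leaf
        else:
            out.append((tag, val))
    return out

def revocation_sources(der):                     # URIs (GeneralName [6]) per mechanism
    found, last = {"crl": [], "ocsp": []}, None
    for tag, val in walk(der):
        if tag == 0x06:                          # remember the most recent OID
            last = KIND.get(val)
        elif tag == 0x86 and last:
            found[last].append(val.decode("ascii"))
    return found

def tlv(tag, *parts):                            # sample builder: short lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
# Constructed samples: extension lists only, with placeholder URLs.
CRL_EXT = tlv(0x30, tlv(0x06, OID_CRL_DP), tlv(0x04, tlv(0x30, tlv(0x30,
    tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.invalid/ca.crl")))))))
AIA_EXT = tlv(0x30, tlv(0x06, OID_AIA), tlv(0x04, tlv(0x30, tlv(0x30,
    tlv(0x06, OID_OCSP), tlv(0x86, b"http://ocsp.example.invalid")))))
CRL_ONLY, BOTH = tlv(0x30, CRL_EXT), tlv(0x30, CRL_EXT, AIA_EXT)
```

revocation_sources(CRL_ONLY) reports a CRL URI and no OCSP URI, the case described for CAC-issued certificates. For a real certificate, pass its DER bytes (base64-decode the body of a PEM file first).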