Uh, what? “Elliptic Curve Digital Signature (ECDSA) is the new kid on the block and makes for much smaller key sizes but isn’t quite as performance friendly or compatible as the old standby RSA.”https://aws.amazon.com/blogs/aws/aws-certificate-manager-launches-private-certificate-authority/ …
Replying to @grittygrease
We probably over-simplified that blog post. It's being updated, but here's where it came from, for those interested in the minutia: key size and compatibility are uncontroversial, the perf story is harder. Basically: ECDSA saves CPU/time on the server side, but not the client ..
2 replies 1 retweet 5 likes
Replying to @colmmacc @grittygrease
Here's "openssl speed" for a simple example, ECDSA vs RSA for verify. In wall-clock time: we've measured about an 80 microsecond hit. Keep in mind that ACM Private CA is for client certificates. pic.twitter.com/UVT97hMRlN
3 replies 1 retweet 3 likes
Replying to @colmmacc @grittygrease
Our EC2 network RTTs are in tens of micros too, so it can show up. Moral of the story: ECDSA can slow things down end-to-end. But probably too nuanced a take for a launch blog post.
2 replies 0 retweets 2 likes
Replying to @colmmacc
Every handshake has a sign and a verify.
RSA sign+verify: 0.00217+0.00005=0.00222s
ECDSA sign+verify: 0.0002+0.0007=0.0009s
Maybe what you're trying to say is this:
- we're optimizing for *server* CPU
- the server does the verify in client auth
- this CA is only for client certs
1 reply 0 retweets 8 likes
Replying to @grittygrease
Maybe too much nuance for a twitter thread too! In the case of Private CA, typically our customers are running both the servers and the clients, and we've found that ECDSA can degrade performance because verify is more expensive.
2 replies 0 retweets 2 likes
Replying to @colmmacc @grittygrease
I would expect extensive use of session tickets and resumption if latency is that critical. Plus, have to remember multiple verifies due to CA certs
1 reply 0 retweets 0 likes
In my experience, resumption is usually not available in many of the environments that deploy private CAs. It's not just latency, but also capacity and cost of resources.
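As an added example (not from this thread, nor AWS or OpenSSL code), here is a Go micro-benchmark in the spirit of the "openssl speed" numbers above, plus a simplified per-handshake cost model that separates the server-only-auth case from the client-auth case the thread is arguing about. The `Cost`, `took`, `Benchmark` and `HandshakeCost` names and the digest input are constructed for this example; the model ignores key exchange and counts one signature per authenticating peer and one verify per certificate in the peer's chain.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"time"
)

// Cost is the mean wall-clock time of one sign and one verify for an algorithm.
type Cost struct{ Sign, Verify time.Duration }

// took returns the mean wall-clock time per call of f over n calls.
func took(n int, f func()) time.Duration {
	start := time.Now()
	for i := 0; i < n; i++ {
		f()
	}
	return time.Since(start) / time.Duration(n)
}

// Benchmark times RSA-2048 (PKCS#1 v1.5) and ECDSA P-256 over a constructed SHA-256 digest.
func Benchmark(n int) (rsaCost, ecCost Cost) {
	digest := sha256.Sum256([]byte("constructed handshake transcript")) // constructed input
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	var rsaSig, ecSig []byte
	ok := true // every verify must succeed, otherwise the timings are meaningless
	rsaCost.Sign = took(n, func() { rsaSig, _ = rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, digest[:]) })
	rsaCost.Verify = took(n, func() { ok = ok && rsa.VerifyPKCS1v15(&rsaKey.PublicKey, crypto.SHA256, digest[:], rsaSig) == nil })
	ecCost.Sign = took(n, func() { ecSig, _ = ecdsa.SignASN1(rand.Reader, ecKey, digest[:]) })
	ecCost.Verify = took(n, func() { ok = ok && ecdsa.VerifyASN1(&ecKey.PublicKey, digest[:], ecSig) })
	if !ok {
		panic("a signature failed to verify")
	}
	return rsaCost, ecCost
}

// HandshakeCost is a simplified model (assumption: key exchange ignored). A peer presenting a cert
// signs once; each side verifies the peer's leaf plus chainLen CA signatures. With server-only auth
// the server just signs (ECDSA saves server CPU); with client auth it also pays 1+chainLen verifies.
func HandshakeCost(c Cost, mutual bool, chainLen int) (server, client time.Duration) {
	verifies := time.Duration(1+chainLen) * c.Verify // leaf + each CA cert in the chain
	if !mutual {
		return c.Sign, verifies
	}
	return c.Sign + verifies, c.Sign + verifies
}
```

Feeding the thread's own per-operation numbers into `HandshakeCost` with `mutual=true` reproduces the point being made: the server's share of a client-authenticated handshake is dominated by verifies, so a slower verify shows up on the server even when sign is cheaper.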