On Fri, 2004-11-26 at 08:13 -0800, Rand Wacker wrote:
william(at)elan.net wrote:
If I remember Sendmail also said that they ran their own tests and
increased cpu load on any single server due to signing all emails was
about 25%, I think this may have been with smaller 384 or 512 keys.
No, 7-8% for signing w/ a 384 bit key:
http://sendmail.net/dk-milter/benchmark/
We should probably assume that good size keys (768 at least) would mean
around 50% increase in cpu load (and to me that is acceptable number).
Actually, it appears to be the SHA1 hash that takes about 90% of the
time for the DK signature, so the message size will matter more than key
length. We're doing some tests w/ 512 and 1024 bit keys to double
check, but this would seem to hold with Port25's tests that showed IIM
signing took about twice as much time as DK signing because IIM does two
independent SHA1s.
Can't the canonicalisation and the SHA1 hash be calculated as the
message is arriving, rather than only afterwards? Seems a little strange
for the CPU to sit idle while waiting for data to arrive off the
network, and only actually process the message once it's complete.
Not that I actually think this is a worthwhile optimisation, since the
CPU time is still negligible, but it's an option for those who disagree
with that assessment.
--
dwmw2