After downloading a CRL, it is fully decoded before prompting the user whether he wishes to install it. This full decode can be very wasteful of CPU and memory, especially with large CRLs, and is not necessary at all in case the user declines to install the CRL. NSS 3.6 will offer a way to do a partial decode . See bug 149816. PSM should take advantage of this functionality .

There is also the fact that the decoding copies the whole input. This can be avoided with a new decode function. See bugzilla 158005. This very simple fix can be implemented as two 1-line changes - one before import and one at actual import, as soon as NSS 3.6 is integrated in mozilla.

Julien, do you want to help with the patch? What 1-lines changes should we make?

For the decode, replace CERT_DecodeDERCrl with CERT_DecodeDERCrlWithFlags And pass CRL_DECODE_SKIP_ENTRIES in the additional "options" parameter. Also, for the import, replace : CERTSignedCrl * SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type); with CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena, PRInt32 de codeOptions); Pass CRL_IMPORT_BYPASS_CHECKS in the importOptions, and CRL_DECODE_SKIP_ENTRIES in the decodeOptions.

Mass reassign ssaux bugs to nobody

Mass change "Future" target milestone to "--" on bugs that now are assigned to nobody. Those targets reflected the prioritization of past PSM management. Many of these should be marked invalid or wontfix, I think.

The CRL Manager / Revocation Lists feature was removed.