Thanks Patrick – that’s great information. This high of failure rate is why the CASC and DigiCert are encouraging OCSP stapling as the best way to move forward.
Jeremy From: patrick.ducks...@gmail.com [mailto:patrick.ducks...@gmail.com] On Behalf Of Patrick McManus Sent: Monday, August 4, 2014 10:35 AM To: Jeremy Rowley Cc: Matthias Hunstock; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: New wiki page on certificate revocation plans Firefox 31 data: on desktop the median successful OCSP validation took 261ms, and the 95th percentile (looking at just the universe of successful ones) was over 1300ms. 9% of all OCSP requests on desktop timed out completely and aren't counted in those numbers. on mobile the median successful validation was 372ms with the 95th percentile over 1500ms. 20% of all requests on mobile timed out completely and aren't counted in those numbers. OCSP is brutally painful. On Mon, Aug 4, 2014 at 11:19 AM, Jeremy Rowley <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>> wrote: Seems like a lot of anecdotes are being shared with respect to hard fail without a lot of data. Do the browsers have more data on this? Considering the X.509 labs shows nearly 100% availability with response times of about 100 ms, data showing in-depth info on failure rates (and the reasons why) would help drive the discussion in a productive direction. Jeremy -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley<mailto:dev-security-policy-bounces%2Bjeremy.rowley>=digicert....@lists.mozilla.org<mailto:digicert....@lists.mozilla.org>] On Behalf Of Matthias Hunstock Sent: Monday, August 4, 2014 2:35 AM To: mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: New wiki page on certificate revocation plans Am 01.08.2014 12:11, schrieb simon.zer...@gmail.com<mailto:simon.zer...@gmail.com>: > Where is the evidence that OSCP hard fails and these speed issues are > actually a problem in the real world? Try it on a site with an unknown issuer. The handshake takes at least 30 seconds longer, because thats the time you need to turn off hard fail in the browser UI. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy