Thanks Patrick – that’s great information. This high a failure rate is why 
the CASC and DigiCert are encouraging OCSP stapling as the best way to move 
forward.

Jeremy

From: [email protected] [mailto:[email protected]] On Behalf 
Of Patrick McManus
Sent: Monday, August 4, 2014 10:35 AM
To: Jeremy Rowley
Cc: Matthias Hunstock; [email protected]
Subject: Re: New wiki page on certificate revocation plans

Firefox 31 data:
On desktop the median successful OCSP validation took 261ms, and the 95th 
percentile (looking at just the universe of successful ones) was over 1300ms. 
9% of all OCSP requests on desktop timed out completely and aren't counted in 
those numbers.
On mobile the median successful validation was 372ms with the 95th percentile 
over 1500ms. 20% of all requests on mobile timed out completely and aren't 
counted in those numbers.

OCSP is brutally painful.

On Mon, Aug 4, 2014 at 11:19 AM, Jeremy Rowley <[email protected]> wrote:
Seems like a lot of anecdotes are being shared with respect to hard fail 
without a lot of data.  Do the browsers have more data on this?  Considering 
the X.509 labs shows nearly 100% availability with response times of about 100 
ms, data showing in-depth info on failure rates (and the reasons why) would 
help drive the discussion in a productive direction.

Jeremy

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley[email protected]] 
On Behalf Of Matthias Hunstock
Sent: Monday, August 4, 2014 2:35 AM
To: [email protected]
Subject: Re: New wiki page on certificate revocation plans

On 01.08.2014 12:11, [email protected] wrote:
> Where is the evidence that OCSP hard fails and these speed issues are
> actually a problem in the real world?

Try it on a site with an unknown issuer.

The handshake takes at least 30 seconds longer, because that's the time you need 
to turn off hard fail in the browser UI.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy