I agree that some of this performance data is concerning but I'm not ready to give up on OCSP just yet because I don't see any choice in the matter: OCSP hard fail has to be done.
The fact that end entity certs cannot be revoked is a major gap in Internet security right now. That gap should be acknowledged in the problem statement (on the wiki page) as either something that will be addressed now or something to be ignored until a later date. I hope we are going to address it now.

In contrast, we do have a revocation mechanism for intermediate and root certs called a browser update. Obviously that's reserved for the most egregious cases but it is there and it does work. I imagine someone has a ready example of a non-egregious situation where intermediate revocation is necessary but the only one I can think of is periodic tweaks to cert data...???

The other issue I have with the problem statement is that it lists optimization goals that are separate from actually improving security. I think it's naive to suggest we can move forward without having an effect on latency or memory or privacy or all of the above. Obviously you want to choose a solution that minimizes those measurements, but that's all they represent: ways to evaluate solutions and not problems to be solved in and of themselves.

So, let's clarify if end entity certs are in scope for this effort and we'll move forward from there.

Thanks.

-----Original Message-----
From: Erwann Abalea
Sent: Monday, August 4, 2014 12:17 PM

On Monday, 4 August 2014 18:34:50 UTC+2, Patrick McManus wrote:
> Firefox 31 data:
>
> on desktop the median successful OCSP validation took 261ms, and the 95th
> percentile (looking at just the universe of successful ones) was over
> 1300ms. 9% of all OCSP requests on desktop timed out completely and aren't
> counted in those numbers.
>
> on mobile the median successful validation was 372ms with the 95th
> percentile over 1500ms. 20% of all requests on mobile timed out completely
> and aren't counted in those numbers.
>
> OCSP is brutally painful.

This is depressing.

I imagine you have access to more detailed information (OCSP URL, date/time, user location, ...), could some of it be open?

OCSP is painful and costly to optimize, x509labs shows great availability and good performance for most CA/location combinations, but this is in contradiction with real user measurements. Why, and how?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
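The hard-fail versus soft-fail distinction argued for in the first message above, as an added example that is not part of the thread or of any browser's code: a model of the decision a TLS client makes once an OCSP lookup returns (or does not). The responses are constructed in the code rather than fetched from a real responder, and the status names, the 10 s client timeout and the "attacker drops OCSP traffic" scenario are assumptions made for the example. The point it makes concrete is that a soft-fail client cannot tell a benign responder timeout from an attacker blocking the responder, so under soft-fail a revoked certificate is accepted whenever the attacker wants it to be; hard-fail closes that hole at the cost of also rejecting the honest timeouts Patrick's numbers describe.

```python
"""OCSP policy model: hard-fail vs soft-fail (added example, not from the thread)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder does not know the cert (RFC 6960, section 2.2)


class Policy(Enum):
    SOFT_FAIL = "soft-fail"   # no usable answer -> proceed as if "good"
    HARD_FAIL = "hard-fail"   # no usable answer -> abort the handshake


@dataclass
class OcspResult:
    """Outcome of one OCSP lookup (constructed for the example).

    status is None when no usable response arrived: network timeout, HTTP
    error, unparseable or badly signed response.
    """
    status: Optional[CertStatus]
    latency_ms: int
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    error: Optional[str] = None


CLIENT_TIMEOUT_MS = 10_000  # assumed client-side OCSP timeout


def is_fresh(r: OcspResult, now: datetime) -> bool:
    """A response is only usable inside its validity window (RFC 6960, section 4.2.2.1)."""
    if r.this_update is None or r.this_update > now + timedelta(minutes=5):
        return False
    if r.next_update is not None and r.next_update < now:
        return False
    return True


def decide(r: OcspResult, policy: Policy, now: datetime) -> tuple:
    """Return (accept_connection, reason) for one lookup under the given policy."""
    if r.latency_ms >= CLIENT_TIMEOUT_MS or r.status is None:
        # This branch is the whole difference between the two policies.
        return (policy is Policy.SOFT_FAIL, f"no usable response ({r.error or 'timeout'})")
    if not is_fresh(r, now):
        return (policy is Policy.SOFT_FAIL, "stale response")
    if r.status is CertStatus.GOOD:
        return (True, "good")
    if r.status is CertStatus.REVOKED:
        return (False, "revoked")  # both policies refuse a definite revocation
    return (policy is Policy.SOFT_FAIL, "unknown")  # responder cannot vouch for the cert


def attacker_blocks_responder(real: OcspResult) -> OcspResult:
    """Model an on-path attacker dropping OCSP traffic: the real answer never
    reaches the client, which only observes a timeout."""
    return OcspResult(status=None, latency_ms=CLIENT_TIMEOUT_MS, error="timeout")


def run_scenarios() -> dict:
    """Evaluate constructed lookups under both policies; returns {name: {policy: accepted}}."""
    now = datetime(2014, 8, 4, 12, 0, tzinfo=timezone.utc)  # constructed clock
    fresh = dict(this_update=now - timedelta(hours=1), next_update=now + timedelta(days=1))
    samples = {
        "good": OcspResult(CertStatus.GOOD, 261, **fresh),
        "revoked": OcspResult(CertStatus.REVOKED, 372, **fresh),
        # The honest cost of hard-fail: a good cert whose responder is merely slow.
        "good_but_timeout": OcspResult(CertStatus.GOOD, CLIENT_TIMEOUT_MS, **fresh),
        # The attack soft-fail cannot stop: a revoked cert with OCSP blocked.
        "revoked_but_blocked": attacker_blocks_responder(OcspResult(CertStatus.REVOKED, 372, **fresh)),
        "stale_good": OcspResult(CertStatus.GOOD, 300,
                                 this_update=now - timedelta(days=10),
                                 next_update=now - timedelta(days=3)),
        "unknown": OcspResult(CertStatus.UNKNOWN, 280, **fresh),
    }
    return {name: {p.value: decide(r, p, now)[0] for p in Policy}
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:22s} {verdicts}")
```

Note that "good_but_timeout" and "revoked_but_blocked" reach `decide` as the same observation (status None, latency at the timeout), which is why no soft-fail client can be made safe against an active attacker by tuning timeouts alone.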