I think most CAs use CDNs to help serve OCSP responses quite fast and reliably. A breakdown of failure rates based on certificate provider could provide insight on what's going on. Is gathering this information too close to violating a user's privacy for Mozilla? Any chance of peering into this data further?
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Peter Bowen
Sent: Tuesday, August 5, 2014 10:18 AM
To: Gervase Markham
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: New wiki page on certificate revocation plans

On Tue, Aug 5, 2014 at 2:02 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 04/08/14 18:16, Erwann Abalea wrote:
>> OCSP is painful and costly to optimize, x509labs shows great
>> availability and good performance for most CA/location combination,
>> but this is in contradiction with real user measurements. Why, and
>> how?
>
> Good question. Perhaps the point is that consumer internet connections
> are a lot flakier than the one x509labs uses.

It is also possible that x509labs is requesting OCSP responses for the same cert over and over, which means it is getting edge-cached replies. Users request responses for random certs, which could include certs just issued or rarely seen.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
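Peter's caching explanation, worked through as an added model (not code from the thread or from any CA or monitor): a CDN edge cache with a fixed response TTL sees an almost perfect hit rate from a monitor that polls one certificate on a schedule, while a user population asking about many serials, some freshly issued, keeps falling through to the origin responder. The request patterns, serial names and TTL are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

Request = Tuple[float, str]  # (seconds since start, certificate serial)


@dataclass
class EdgeCache:
    """Constructed model of a CDN edge caching OCSP responses for `ttl` seconds."""
    ttl: float
    _expires: Dict[str, float] = field(default_factory=dict)

    def lookup(self, serial: str, now: float) -> bool:
        """Return True on a cache hit; on a miss, fetch from origin and cache."""
        exp = self._expires.get(serial)
        if exp is not None and now < exp:
            return True
        self._expires[serial] = now + self.ttl   # origin responder is exercised
        return False


def hit_rate(requests: Iterable[Request], ttl: float) -> float:
    """Fraction of requests answered from the edge rather than the origin."""
    cache = EdgeCache(ttl)
    hits = total = 0
    for now, serial in requests:
        hits += cache.lookup(serial, now)
        total += 1
    return hits / total if total else 0.0


def monitor_probe(serial: str, interval: float, count: int) -> List[Request]:
    """Monitor-style traffic: one certificate polled every `interval` seconds."""
    return [(i * interval, serial) for i in range(count)]


def browsing_population(n_certs: int, count: int, issue_rate: int) -> List[Request]:
    """User-style traffic: one request per second spread over `n_certs` serials,
    with a never-before-seen (freshly issued) serial every `issue_rate` requests."""
    reqs: List[Request] = []
    for i in range(count):
        if i % issue_rate == issue_rate - 1:
            serial = f"new-{i}"                       # just issued, cold everywhere
        else:
            serial = f"cert-{(i * 7919) % n_certs}"   # deterministic spread
        reqs.append((float(i), serial))
    return reqs


if __name__ == "__main__":
    ttl = 3600.0
    print("monitor  :", hit_rate(monitor_probe("cert-A", 60.0, 1000), ttl))
    print("browsing :", hit_rate(browsing_population(2000, 10000, 10), ttl))
```

With a one-hour TTL the monitor misses only once per TTL window, so its availability figure mostly measures the CDN, not the responder behind it.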