On 11/10/13 21:50, Wan-Teh Chang wrote:
> I would use a timeout of 5 seconds. 3 seconds seem a little short.
>
> I agree 10 seconds are too long.

Can you expand on what criteria you are using to make these judgements?

Fetching the OCSP response takes 2RTT, as Camilo said. So if your RTT is 1000ms (very long!) and your OCSP server takes 999ms to respond (also well outside any sane performance requirement), 3s is still long enough to get a response.

(The fact that 3s only covers 95% of successful checks on Desktop suggests that there are either some laggy networks or some sucky OCSP servers out there...)

Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto