Am 01.08.2014 12:11, schrieb simon.zer...@gmail.com:
Where is the evidence that OSCP hard fails and these
speed issues are actually a problem in the real world?
Try it on a site with an unknown issuer.
The handshake takes at least 30 seconds longer, because thats the time
you need to turn off
- Original Message -
From: David Huang linshunghu...@gmail.com
To: mozilla-dev-security-pol...@lists.mozilla.org
Sent: Saturday, August 2, 2014 1:21:58 AM
Subject: Re: New wiki page on certificate revocation plans
This is great news!
Regarding the max lifetime threshold of
I am generally in favour of this plan - I think it's the right way to
go. I am not sure we will ever get to hard-fail for plain OCSP, but I am
very happy for that to be a data-driven decision somewhere down the line.
On 01/08/14 03:07, Richard Barnes wrote:
There's one major open issue
On 02/08/14 15:20, Jesper Kristensen wrote:
* Have you considered adding support for multiple ocsp staples to allow
stapeling of CA certs?
There is a proposed standard for multi-stapling but as far as I remember
it's not even finished yet, yet alone implemented and deployed. We
decided that we
On 04/08/14 14:16, Gervase Markham wrote:
On 02/08/14 15:20, Jesper Kristensen wrote:
* Have you considered adding support for multiple ocsp staples to allow
stapeling of CA certs?
There is a proposed standard for multi-stapling but as far as I remember
it's not even finished yet, yet alone
- Original Message -
From: Hubert Kario hka...@redhat.com
- Original Message -
From: Kathleen Wilson kwil...@mozilla.com
== For this batch of root changes ==
We are still investigating if we should use this possible solution for
this batch of root changes. Please
Firefox 31 data:
on desktop the median successful OCSP validation took 261ms, and the 95th
percentile (looking at just the universe of successful ones) was over
1300ms. 9% of all OCSP requests on desktop timed out completely and aren't
counted in those numbers.
on mobile the median successful
Thanks Patrick – that’s great information. This high of failure rate is why
the CASC and DigiCert are encouraging OCSP stapling as the best way to move
forward.
Jeremy
From: patrick.ducks...@gmail.com [mailto:patrick.ducks...@gmail.com] On Behalf
Of Patrick McManus
Sent: Monday, August 4,
Le lundi 4 août 2014 18:34:50 UTC+2, Patrick McManus a écrit :
Firefox 31 data:
on desktop the median successful OCSP validation took 261ms, and the 95th
percentile (looking at just the universe of successful ones) was over
1300ms. 9% of all OCSP requests on desktop timed out completely and
Den 04-08-2014 kl. 15:16 skrev Gervase Markham:
On 02/08/14 15:20, Jesper Kristensen wrote:
* Have you considered adding support for multiple ocsp staples to allow
stapeling of CA certs?
There is a proposed standard for multi-stapling but as far as I remember
it's not even finished yet, yet
Hubert, what's your conclusion of your analysis?
Thanks
Kai
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Mon, Aug 04, 2014 at 10:03:13AM -0400, Hubert Kario wrote:
So I've analysed the data.
Change (without-with) Count
-+-
complete -219
incomplete+120
untrusted +99
So this is in the order of 0.05%
On 7/31/14, 1:17 PM, Kathleen Wilson wrote:
Here's what we are doing for this first batch of root changes that was
made in NSS 3.16.3, and is currently in Firefox 32, which is in Beta.
NSS 3.16.4 will be created and included in Firefox 32. It will only
contain these two changes:
1)
On Mon, Aug 4, 2014 at 3:52 PM, Kathleen Wilson kwil...@mozilla.com wrote:
It turns out that including the 2048-bit version of the cross-signed
intermediate certificate does not help NSS at all. It would only help
Firefox, and would cause confusion.
That isn't true, AFAICT.
It works for
14 matches
Mail list logo
