On 01/04/2012 05:56 PM, Brian Smith wrote:
> Robert Relyea wrote:
>> On 01/04/2012 04:18 PM, Brian Smith wrote:
>> Are you actually fetching intermediates?
>>
>> In the cases where you fetch the intermediates, the old code will not
>> work! We don't fetch the intermediate if we already have it, or it's
>> already sent in the SSL chain.
>>
>> If you are seeing some performance issue, perhaps it is some other
>> issue? (Are you turning on CRL fetching?)
I think we are misunderstanding each other. I'm not talking about
revocation on intermediates. I'm talking about fetching intermediates
themselves because they weren't included in the chain. I thought that
is what you were talking about. That was certainly what I was talking
about.

> We can just tell libpkix not to do OCSP fetching for intermediates. So, this
> particular performance issue isn't a blocker for switching to libpkix, as
> long as we make such a change before making libpkix the default.
>
> My point is that, in order to actually enable libpkix's ability to fetch
> intermediate certificates in Firefox, we will have to do a substantial amount
> of work to eliminate the performance regression that is inherent with the
> serial fashion that libpkix does OCSP fetching. In some ways, this might be a
> question of "fast" vs "right" but I am not sure that the "right" here is
> enough of a benefit to justify the performance cost. Still, I would like to do
> the intermediate OCSP fetching if it can be made close to free, which means
> doing it in parallel with the EE OCSP fetch, AFAICT.

If the OCSP responder is the same for the EE and intermediate certs, you
can issue a single OCSP request (at least in theory). It would require
some NSS code.

> (Persistent) caching of OCSP responses will help. But, caching won't help for
> the "I just installed Firefox and now I am going to see how fast it is by
> going to twitter.com" test. And, also, we haven't even started working on the
> persistent caching of OCSP responses in Firefox yet.

What is the actual cost, BTW? Persistent caching of OCSP responses is not
likely to buy a whole lot. You still have to fetch the OCSP responses for
the validity period of the response (usually something like 24 hours).

bob

> - Brian
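The two design points in the exchange above, fetching the EE and intermediate OCSP status in parallel instead of serially, and the observation that a response cache only saves round trips inside each response's validity window, can be modelled in a few dozen lines. The following is an added example and is not code from the thread, from NSS or from Firefox: the responder is simulated with a fixed round-trip latency, the CertID values and statuses are constructed, and the single-request-for-several-certificates idea is not shown (a real client would build DER-encoded RFC 6960 requests, which this sketch omits).

```python
"""Added example (not from the thread, NSS or Firefox): a model of chain-wide
OCSP checking that fetches EE and intermediate status in parallel and caches
each response only between its thisUpdate and nextUpdate. Everything below
(responder, CertIDs, statuses, latency) is constructed for illustration."""
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class CertID:
    """Same fields as the RFC 6960 CertID; the hashes are just labels here."""
    issuer_name_hash: str
    issuer_key_hash: str
    serial_number: int


@dataclass(frozen=True)
class OCSPResponse:
    cert_status: str      # "good", "revoked" or "unknown"
    this_update: float    # start of the validity window (seconds)
    next_update: float    # end of the validity window (seconds)


class SimulatedResponder:
    """Stand-in for a network responder; `latency` models one round trip."""

    def __init__(self, statuses, latency=0.05, validity=24 * 3600):
        self.statuses, self.latency, self.validity = statuses, latency, validity
        self.requests = 0  # how many round trips the client actually paid for

    def query(self, cert_id, now):
        self.requests += 1
        time.sleep(self.latency)  # sleep releases the GIL, so threads overlap
        return OCSPResponse(self.statuses.get(cert_id, "unknown"),
                            now, now + self.validity)


class OCSPCache:
    """A response is reusable only while `now` lies inside its validity window."""

    def __init__(self):
        self._entries = {}

    def get(self, cert_id, now):
        resp = self._entries.get(cert_id)
        if resp is None or not (resp.this_update <= now < resp.next_update):
            return None
        return resp

    def put(self, cert_id, resp):
        self._entries[cert_id] = resp


def check_chain(chain, responder, cache, now, parallel=True):
    """Return {cert_id: status} for every cert in the chain.

    Cache hits cost no round trip. Misses are fetched either all at once
    (about one round trip in total) or one after another (one per cert),
    which is the serial behaviour the thread is worried about.
    """
    result, misses = {}, []
    for cert_id in chain:
        hit = cache.get(cert_id, now)
        if hit is not None:
            result[cert_id] = hit.cert_status
        else:
            misses.append(cert_id)
    if parallel and misses:
        with ThreadPoolExecutor(max_workers=len(misses)) as pool:
            responses = list(pool.map(lambda c: responder.query(c, now), misses))
    else:
        responses = [responder.query(c, now) for c in misses]
    for cert_id, resp in zip(misses, responses):
        cache.put(cert_id, resp)
        result[cert_id] = resp.cert_status
    return result


# Constructed chain: EE issued by an intermediate, intermediate issued by a root.
EE = CertID("sha1(Intermediate CA name)", "sha1(Intermediate CA key)", 0x1001)
INTERMEDIATE = CertID("sha1(Root CA name)", "sha1(Root CA key)", 0x07)
CHAIN = [EE, INTERMEDIATE]
STATUSES = {EE: "good", INTERMEDIATE: "good"}


def timed_cold_check(parallel):
    """Cold-cache check; returns (statuses, elapsed seconds, round trips)."""
    responder, cache = SimulatedResponder(STATUSES), OCSPCache()
    start = time.monotonic()
    statuses = check_chain(CHAIN, responder, cache, now=0.0, parallel=parallel)
    return statuses, time.monotonic() - start, responder.requests


def cache_lifetime_demo():
    """Round trips after checks at t=0, t=1h (cached) and t=25h (expired)."""
    responder, cache = SimulatedResponder(STATUSES, latency=0.0), OCSPCache()
    counts = []
    for now in (0.0, 3600.0, 25 * 3600.0):
        check_chain(CHAIN, responder, cache, now=now)
        counts.append(responder.requests)
    return counts  # [2, 2, 4]: the 24h-old responses had to be refetched


if __name__ == "__main__":
    _, serial_t, _ = timed_cold_check(parallel=False)
    _, parallel_t, _ = timed_cold_check(parallel=True)
    print(f"serial {serial_t:.3f}s, parallel {parallel_t:.3f}s, "
          f"round trips over 25h: {cache_lifetime_demo()}")
```

Running it shows the cold-cache cost of a two-cert chain dropping from roughly two round trips to one when the fetches overlap, and the request counter illustrating Bob's point: the cache removes round trips for the next day, then both responses must be fetched again once `nextUpdate` has passed.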
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto