Robert Relyea wrote:
> On 01/04/2012 04:18 PM, Brian Smith wrote:
> Are you actually fetching intermediates?
> 
> In the cases where you fetch the intermediates, the old code will not
> work! We don't fetch the intermediate if we already have it, or it's
> already sent in the SSL chain.
> 
> If you are seeing some performance issue, perhaps it is some other
> issue? (are you turning on CRL fetching?).

We can just tell libpkix not to do OCSP fetching for intermediates. So, this 
particular performance issue isn't a blocker for switching to libpkix, as long 
as we make such a change before making libpkix the default.

My point is that, in order to actually enable libpkix's ability to fetch 
intermediate certificates in Firefox, we will have to do a substantial amount 
of work to eliminate the performance regression that is inherent in the 
serial fashion in which libpkix does OCSP fetching. In some ways, this might be a 
question of "fast" vs "right", but I am not sure that the "right" here is enough 
of a benefit to justify the performance cost. Still, I would like to do the 
intermediate OCSP fetching if it can be made close to free, which means doing 
it in parallel with the EE OCSP fetch, AFAICT.

(Persistent) caching of OCSP responses will help. But, caching won't help for 
the "I just installed Firefox and now I am going to see how fast it is by going 
to twitter.com" test. And, also, we haven't even started working on the 
persistent caching of OCSP responses in Firefox yet.

- Brian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
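To make the latency argument in the thread concrete, here is an added example (not NSS/libpkix code, and not written by either participant) that models OCSP status checks over a two-certificate chain. The fetcher, chain and latencies are constructed stand-ins: serial checking costs the sum of the responder round-trips, parallel checking costs roughly the slowest one, and a response cache removes the round-trip entirely on a second visit.

```python
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed sample chain: (subject, simulated OCSP responder round-trip in seconds).
# Both entries take 0.2 s so the serial/parallel difference is easy to see.
SAMPLE_CHAIN = [("end-entity (twitter.com)", 0.2), ("intermediate CA", 0.2)]


def simulated_ocsp_fetch(cert):
    """Stand-in for a network OCSP request: sleeps for the responder latency."""
    _subject, latency = cert
    time.sleep(latency)
    return "good"


class OcspChecker:
    def __init__(self, fetch=simulated_ocsp_fetch, cache=None):
        self.fetch = fetch
        # Response cache keyed by subject; a hit costs no round-trip.
        self.cache = {} if cache is None else cache

    def status(self, cert):
        subject = cert[0]
        if subject not in self.cache:
            self.cache[subject] = self.fetch(cert)
        return self.cache[subject]

    def check_serial(self, chain):
        # One request after another: total latency is the sum of the round-trips.
        return [self.status(c) for c in chain]

    def check_parallel(self, chain):
        # All requests in flight at once: total latency is the slowest round-trip.
        with ThreadPoolExecutor(max_workers=len(chain)) as pool:
            return list(pool.map(self.status, chain))


def timed(check, chain):
    """Run a chain check and return (statuses, wall-clock seconds)."""
    start = time.perf_counter()
    statuses = check(chain)
    return statuses, time.perf_counter() - start


if __name__ == "__main__":
    print("serial:  ", timed(OcspChecker().check_serial, SAMPLE_CHAIN))
    print("parallel:", timed(OcspChecker().check_parallel, SAMPLE_CHAIN))
    warm = OcspChecker()
    warm.check_parallel(SAMPLE_CHAIN)
    print("cached:  ", timed(warm.check_serial, SAMPLE_CHAIN))
```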