Julien Vehent
Apr 11, 2014, 5:00:14 PM
To: Patrick McManus, Daniel Veditz, byron jones, oz...@mozilla.com, jstev...@mozilla.com, mozilla.dev.planning group, David Keeler, Jake Maul, Doug Turner, mc...@mozilla.com, Camilo Viecco, Mike Hommey, Richard Barnes, Sid Stamm, sar...@mozilla.com
On Fri 11.Apr'14 at 10:55:32 -0700, Daniel Veditz wrote:
> Why would client plans delay a server roll out?
On Fri 11.Apr'14 at 10:59:50 -0400, Patrick McManus wrote:
> from a server perspective nothing will be gained by waiting - the
> performance carrot is in place right now so I wouldn't wait to
> synchronize.
A bit more context & historical information may answer some of your
questions.
OCSP Stapling has been on our radar since last summer (bug 896078).
Early on, we involved Riverbed in the discussion, and came up with a
roadmap. They delivered support in version 9.5 of Riverbed Stingray (the
official product name for ZLB), released 3 months ago. We did some
initial testing in Labs, and shared results with them. They came back to
us 3 weeks ago with a new release that improves OCSP response checking.
Now we need to iterate on testing, and schedule deployment in
production.
That is to say: we have been busy. OCSP Stapling is part of a larger
ongoing plan to improve SSL/TLS support on the server side [1], across
several hundred services, and many different infrastructures. As you
can imagine, the load balancers at the head of our two major
data-centers are highly critical pieces of equipment, and upgrading
requires preparation, testing, QA, downtime for release and so on. The
risk of impacting the uptime of these services is a strong factor in any
deployment decision. This is the reason behind the conservative, but
steady, progress.
When I mentioned synchronizing OCSP Stapling changes, what I really
meant is creating momentum to focus more people on it, and accelerating
adoption. Riverbed appreciates being part of our plans for Firefox. They
have been hard at work on their SSL stack to support our effort and
better serve their other customers. On the infrastructure side, we need
roadmap visibility as well, so we can prioritize appropriately (there
are many other projects in the queue), and have OCSP Stapling enabled
when Firefox makes it a requirement.
- Julien
[1] https://blog.mozilla.org/security/2013/11/12/navigating-tls/
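The testing the message above describes (verifying that a load balancer actually staples an OCSP response) can be done from the client side with the OpenSSL command-line tool. The following is an added example, not code from the thread or from Mozilla or Riverbed; the hostnames are placeholders, the captured `s_client` output used for the offline checks is constructed to mirror OpenSSL's `-status` output format, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: check whether a TLS endpoint staples an OCSP response.
# Not part of the original thread; assumes only the OpenSSL CLI is installed.

# Return 0 when captured `openssl s_client -status` output contains a stapled
# OCSP response whose responder status is "successful"; 1 otherwise.
# A stapled-but-unsuccessful response (e.g. "unauthorized") is treated as
# not stapled, because Firefox cannot use it to validate the certificate.
ocsp_stapled_in() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Query a live endpoint and classify it. Prints one word:
#   stapled         - a successful OCSP response was stapled (exit 0)
#   not-stapled     - handshake succeeded but no usable staple (exit 1)
#   connect-failed  - could not complete the TLS handshake (exit 2)
# SNI (-servername) is sent so virtual hosts behind a load balancer answer
# with the certificate, and therefore the staple, for that name.
check_ocsp_stapling() {
    host="$1"
    port="${2:-443}"
    out=$(echo | openssl s_client -connect "$host:$port" \
                 -servername "$host" -status 2>/dev/null) || {
        echo connect-failed
        return 2
    }
    if ocsp_stapled_in "$out"; then
        echo stapled
        return 0
    fi
    echo not-stapled
    return 1
}

# Constructed samples (not real captures) in the shape OpenSSL prints.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Apr 10 00:00:00 2014 GMT
    Next Update: Apr 17 00:00:00 2014 GMT
======================================'

SAMPLE_NOT_STAPLED='OCSP response: no response sent'

SAMPLE_UNAUTHORIZED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: unauthorized (0x6)
======================================'

# Stand-alone usage: classify each host given on the command line, e.g.
#   sh check_ocsp.sh example.org www.example.net
# Hostnames are whatever the operator passes in; none are assumed here.
for h in "$@"; do
    printf '%s: ' "$h"
    check_ocsp_stapling "$h" || true
done
```

The offline helper `ocsp_stapled_in` is what the live check keys on, so the same matching logic can be run against saved `s_client` output from a lab environment before and after a load balancer upgrade, without re-running the handshake each time.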