jorangreef said "RE StartSSL..." then pointed to an article about the problems of SSL w.r.t. mobile apps. Since this is in reply to a very positive post about StartSSL, the obvious inference is that his linked article provides some evidence on why one wouldn't want to use StartSSL. But that's pure FUD, because the only mention of StartSSL in the whole article is that they close their connections, so two more TCP connections are required to authenticate the cert... but anyone worth their salt would be bundling in the CA cert anyway, obviating the need for those connections.
I don't know what your beef is with 'disingenuous,' but that's exactly what I meant.
OCSP isn't an optional step involved only if you don't present your CA's intermediary certificate; it's in addition to it. The whole point of it is "I have this guy with these legit-looking credentials you issued, do you still stand by them?".
You can't work around that with chaining; it can only be disabled from client code, or by having the CA issue a cert that doesn't include an OCSP address (I doubt any do this now, given the number of legit certs issued to attackers in the past 2 years).
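The point above, that an OCSP address baked into the certificate invites a separate fetch regardless of how the chain is delivered, can be checked directly. The following is an added example, not code from the thread: it generates a throwaway self-signed certificate with a constructed OCSP responder URI in its Authority Information Access extension, a second one without any such extension, and reads the URI back the way a revocation-checking client would before deciding whether to open another connection. It assumes OpenSSL 1.1.1 or newer (for `-addext`); `ocsp.example.test` is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSL >= 1.1.1 for -addext.
# The OCSP URI below is a constructed placeholder, not a real responder.
set -e

WORK="$(mktemp -d)"

# Self-signed cert whose AIA extension advertises an OCSP responder.
make_cert_with_ocsp() {
    openssl req -x509 -nodes -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=example.test" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        -keyout "$WORK/key1.pem" -out "$WORK/cert1.pem" 2>/dev/null
    echo "$WORK/cert1.pem"
}

# Same cert shape, but with no AIA extension: nothing for a client to fetch.
make_cert_without_ocsp() {
    openssl req -x509 -nodes -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=example.test" \
        -keyout "$WORK/key2.pem" -out "$WORK/cert2.pem" 2>/dev/null
    echo "$WORK/cert2.pem"
}

# Print the OCSP responder URI(s) embedded in a certificate (empty if none).
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Exit 0 if a revocation-checking client would open an extra connection
# for this certificate, 1 otherwise.
needs_ocsp_fetch() {
    [ -n "$(ocsp_uri "$1")" ]
}
```

Run `make_cert_with_ocsp` and pass the path to `needs_ocsp_fetch` to see the extra-connection case; the cert from `make_cert_without_ocsp` shows the only issuer-side way to avoid it. Bundling or pinning the CA certificate in the app removes the AIA chain fetch, but not this one; on the server side, OCSP stapling (sending a fresh, CA-signed OCSP response inside the TLS handshake) is the usual way to spare clients the round trip without turning revocation checking off.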
Some of those numbers don't look correct at all. For example I can't find any host name that takes longer than ~500ms to do DNS resolution over 3G. (That's almost worst case scenario, where everything except the TLD is uncached.)