https://support.apple.com/en-us/HT204132
The source code for how Apple has implemented such blocks is available at https://opensource.apple.com/

Specifically https://opensource.apple.com/source/Security/Security-57337.60.2/OSX/libsecurity_apple_x509_tp/lib/tpCertAllowList.c.auto.html as called by https://opensource.apple.com/source/Security/Security-57337.60.2/OSX/libsecurity_apple_x509_tp/lib/tpCertGroup.cpp.auto.html

You can see that the logic to check the allow list is implemented after Keychain checks - meaning yes, users can't disable the whitelist.

You should talk to Apple if that bothers you :)

On Tue, Nov 8, 2016 at 2:42 PM, Percy <percyal...@gmail.com> wrote:
> Yeah, I suspected so but I didn't find it in the security content
> (https://support.apple.com/en-ca/HT207275).
>
> I remember when Gerv discussed the idea on whitelisting intermediate cert, he
> mentioned that Firefox didn't want to undermine user sovereignty by
> overriding the user's trust choice. I guess Apple might not have considered
> this.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy