One of the things that was quite annoying when developing CT was browser behaviour wrt intermediates - caching them and filling in missing ones means that failure to present correct cert chains is common behaviour. Which means that anything that _doesn't_ see a lot of certs has quite a low chance of actually verifying a random EE cert.
Indeed this is so common that on the few occasions I've attempted to report the bug I've been met with complete incomprehension. Presumably this is one of the reasons many people switch off cert validation. And then we wag our fingers and shake our heads at their "stupidity". In short: caching considered harmful. On Wed, 20 Nov 2019 at 00:11, Wayne Thayer via dev-security-policy < firstname.lastname@example.org> wrote: > If you are one of the many people who have wondered how exactly Firefox > handles some aspect of certificate processing, you may be interested to > know that we have recently updated the information on our wiki: > > https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification > > I hope you find this helpful. > > - Wayne > _______________________________________________ > dev-security-policy mailing list > email@example.com > https://lists.mozilla.org/listinfo/dev-security-policy > -- I am hiring! Formal methods, UX, SWE ... verified s/w and h/w. #VerifyAllTheThings. https://g.co/u58vjr https://g.co/adjusu *(Google internal)* _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy