One of the things that was quite annoying when developing CT was browser
behaviour wrt intermediates - caching them and filling in missing ones
means that failure to present correct cert chains is common behaviour.
Which means that anything that _doesn't_ see a lot of certs has quite a low
chance of actually verifying a random EE cert.

Indeed this is so common that on the few occasions I've attempted to report
the bug I've been met with complete incomprehension.

Presumably this is one of the reasons many people switch off cert
validation. And then we wag our fingers and shake our heads at their

In short: caching considered harmful.

On Wed, 20 Nov 2019 at 00:11, Wayne Thayer via dev-security-policy <> wrote:

> If you are one of the many people who have wondered how exactly Firefox
> handles some aspect of certificate processing, you may be interested to
> know that we have recently updated the information on our wiki:
> I hope you find this helpful.
> - Wayne
> _______________________________________________
> dev-security-policy mailing list

I am hiring! Formal methods, UX, SWE ... verified s/w and h/w.
*(Google internal)*
dev-security-policy mailing list

Reply via email to