On Wed, Mar 13, 2019 at 2:23 PM J.C. Jones <j...@mozilla.com> wrote:

> Tom,
>
> Kinto provides the whole list of metadata to clients as soon as it syncs
> [1]. The metadata uses the Kinto attachment
> <https://github.com/Kinto/kinto-attachment> mechanism to store the
> DER-encoded certificate for separate download.
>
> Firefox maintains a "local field" boolean in the dataset of whether a
> given metadata entry's certificate attachment has been downloaded or not,
> toggling as each one is pulled. Currently we don't deduplicate with the
> local NSS Cert DB; the inserts that are already there will fail and emit
> telemetry -- the amount of data saved didn't seem worth it for the
> experimental phase.
>
J.C. -- I don't think this answers Tom's question, but perhaps it does. In that case I'll ask what I think is the same question: How is the set of certificates that _might_ be pushed to clients determined? In some way we must determine a set of relevant intermediate certificates: how do we determine that set? Is it that the set of intermediates for every CA that we trust is known?

Nick

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform