Nicholas, Mozilla's root program mandates all members disclose all intermediates via the Common CA Database <https://ccadb.org/>. That database has enough metadata to determine which CA certificates chain to roots in our program. The CCADB exports a list on-demand <https://ccadb.org/resources> of all intermediates that are disclosed and in our program (Note, the Mozilla-specific one isn't linked there, contact me off-list if you want access). As part of our CRLite server-side code, we're packaging up that list of intermediates regularly and updating Kinto. Obviously they don't change quickly. :)
By policy, Firefox users should not encounter any undisclosed intermediate CAs that are trusted via a root in our root program. In principle, we could eventually use this functionality to affirm that.

Cheers!
J.C.

On Thu, Mar 14, 2019 at 8:26 AM Nicholas Alexander <nalexan...@mozilla.com> wrote:
>
>
> On Wed, Mar 13, 2019 at 2:23 PM J.C. Jones <j...@mozilla.com> wrote:
>
>> Tom,
>>
>> Kinto provides the whole list of metadata to clients as soon as it syncs
>> [1]. The metadata uses the Kinto attachment
>> <https://github.com/Kinto/kinto-attachment> mechanism to store the
>> DER-encoded certificate for separate download.
>>
>> Firefox maintains a "local field" boolean in the dataset of whether a
>> given metadata entry's certificate attachment has been downloaded or not,
>> toggling as each one is pulled. Currently we don't deduplicate with the
>> local NSS Cert DB; the inserts that are already there will fail and emit
>> telemetry -- the amount of data saved didn't seem worth it for the
>> experimental phase.
>>
>
> J.C. -- I don't think this answers Tom's question, but perhaps it does.
> In that case I'll ask what I think is the same question:
>
> How is the set of certificates that _might_ be pushed to clients
> determined? In some way we must determine a set of relevant intermediate
> certificates: how do we determine that set? Is it that the set of
> intermediates for every CA that we trust is known?
>
> Nick
> _______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
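The pipeline J.C. describes, as an added example that is not Mozilla's CRLite, Kinto or Firefox code: from a CCADB-style export of disclosed CA certificates, select the intermediates whose parent links reach a root in the program, package them as Kinto-style records whose attachment metadata carries the DER hash and size, and on the client flip a per-record "downloaded" flag only after the fetched attachment verifies against that hash. The CSV column names, fingerprints, record field names and the placeholder DER bytes are all constructed for illustration and are not the real CCADB or Kinto schema.

```python
"""Constructed example: selecting program-chained intermediates from a
CCADB-style export, packaging Kinto-style records, and client-side sync."""
import csv
import hashlib
import io

# Constructed sample in the shape of a CCADB intermediates export. Column names
# and fingerprints are illustrative placeholders, not real CCADB data.
SAMPLE_CCADB_CSV = """\
SHA-256 Fingerprint,Certificate Name,Parent SHA-256 Fingerprint,Certificate Record Type
AAAA,Example Root R1,,Root Certificate
BBBB,Example Issuing CA 1,AAAA,Intermediate Certificate
CCCC,Example Issuing CA 2,BBBB,Intermediate Certificate
DDDD,Other Root X,,Root Certificate
EEEE,Other Issuing CA,DDDD,Intermediate Certificate
FFFF,Orphan CA,9999,Intermediate Certificate
GGGG,Loop CA A,HHHH,Intermediate Certificate
HHHH,Loop CA B,GGGG,Intermediate Certificate
"""

# Roots in the (hypothetical) root program, keyed by fingerprint.
PROGRAM_ROOTS = {"AAAA"}

# Placeholder bytes standing in for each certificate's DER (not real DER).
SAMPLE_DER = {fp: b"\x30\x82placeholder-der-" + fp.encode() for fp in ("BBBB", "CCCC")}


def parse_ccadb(csv_text):
    """Index the export rows by certificate fingerprint."""
    return {row["SHA-256 Fingerprint"]: row
            for row in csv.DictReader(io.StringIO(csv_text))}


def classify(fp, records, program_roots):
    """Walk parent pointers from fp up to a self-signed root.

    Returns (status, detail): 'trusted' with the program root reached,
    'untrusted' with a root outside the program, 'undisclosed-parent' with
    the fingerprint missing from the export, or 'cycle' if the links loop."""
    seen = set()
    cur = fp
    while True:
        if cur in seen:
            return "cycle", cur
        seen.add(cur)
        row = records.get(cur)
        if row is None:
            return "undisclosed-parent", cur
        parent = row["Parent SHA-256 Fingerprint"]
        if not parent:  # no parent: self-signed root
            return ("trusted" if cur in program_roots else "untrusted"), cur
        cur = parent


def select_intermediates(records, program_roots):
    """Split disclosed intermediates into program-chained and everything else."""
    trusted, rejected = [], []
    for fp, row in records.items():
        if row["Certificate Record Type"] != "Intermediate Certificate":
            continue
        status, detail = classify(fp, records, program_roots)
        (trusted if status == "trusted" else rejected).append((fp, status, detail))
    return trusted, rejected


def build_kinto_records(trusted, records, der_by_fp):
    """Kinto-style records (field names are an assumption, not the real schema);
    the attachment hash and size are what the client checks after download."""
    out = []
    for fp, _status, root in trusted:
        der = der_by_fp[fp]
        digest = hashlib.sha256(der).hexdigest()
        out.append({
            "id": fp.lower(),
            "subject": records[fp]["Certificate Name"],
            "derHash": digest,
            "chainsTo": root,
            "attachment": {"filename": f"{fp}.der", "hash": digest,
                           "size": len(der), "mimetype": "application/x-x509-ca-cert"},
        })
    return out


def sync_attachments(kinto_records, local_state, fetch):
    """Client side: fetch each not-yet-downloaded attachment, verify it against
    the record's hash and size, and only then set the local 'downloaded' flag."""
    installed, failed = [], []
    for rec in kinto_records:
        att = rec["attachment"]
        if local_state.get(rec["id"]):
            continue  # already pulled on an earlier sync
        data = fetch(att["filename"])
        if len(data) != att["size"] or hashlib.sha256(data).hexdigest() != att["hash"]:
            failed.append(rec["id"])  # truncated or tampered: never insert it
            continue
        local_state[rec["id"]] = True
        installed.append(rec["id"])
    return installed, failed


if __name__ == "__main__":
    recs = parse_ccadb(SAMPLE_CCADB_CSV)
    trusted, rejected = select_intermediates(recs, PROGRAM_ROOTS)
    print("chain to program roots:", [fp for fp, _, _ in trusted])
    print("rejected:", rejected)
    store = {}
    kinto = build_kinto_records(trusted, recs, SAMPLE_DER)
    print(sync_attachments(kinto, store, lambda name: SAMPLE_DER[name[:4]]))
```

An intermediate whose parent is absent from the export is deliberately rejected rather than guessed at, since nothing in the metadata lets the packager affirm that it chains to a program root, and the client refuses to mark a record downloaded when the attachment does not match the hash and size the record advertises.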