CCADB's ICA list accuracy #14

csosto-pk · 2022-03-17T03:36:01Z

If a 3rd party repo was hosting the ICA list for WebPKI, then we could limit outages because

all clients would have the same version (assuming within time interval).
servers could check if their ICAs are in the list (assuming within time interval) and if not they could just send them regardless of the flag (also discussed in Sending ICAs regardless (from Ryan S.) #7)

We should think about this more.

csosto-pk · 2022-04-01T16:21:08Z

csosto-pk · 2022-07-05T14:22:06Z

CCADB already hosts them here https://ccadb-public.secure.force.com/mozilla/MozillaIntermediateCertsCSVReport and we confirmed these are the same FiloSottile pulls from. So, there is a third-party that hosts them already.

Now we need to study how good this list is; meaning if the ICAs start getting used before they show up in the list.

csosto-pk added enhancement New feature or request question Further information is requested labels Mar 17, 2022

csosto-pk self-assigned this Mar 23, 2022

csosto-pk added the TODO label Mar 23, 2022

csosto-pk mentioned this issue Mar 23, 2022

Intermediate CA change or chain validation failure #2

Open

csosto-pk changed the title ~~CCADB to host WebPKI ICA list~~ CCADB's ICA list accuracy Jul 5, 2022

Provide feedback