by kevincox 892 days ago
A common way that these work is that 1 browser does it, then if the others don't copy they appear "broken" to users.

IDK what happened in this case but it is pretty easy to imagine Chrome accidentally allowed validation against certificates in its local cache. Maybe it added some sort of validation cache to avoid rechecking revocation lists and OCSP or similar and it would use intermediates from other sites. Then people tested their site in Chrome and it seemed to work. Now Firefox seems broken if they don't support this. So they decided to implement this and do something more robust by preloading a fixed list rather than whatever happens to be in the cache.

Basically no browser wants to be the first to stop supporting this hack.

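The two behaviours described in the comment above (a browser that completes a chain from intermediates it happened to cache from other sites, versus one that completes it from a fixed preloaded list) can be shown with a small chain-building model. This is an added example, not code from the thread or from any browser; certificates are toy records with only subject, issuer and a CA flag, and the names `Example Root CA`, `Example Issuing CA` and `www.example.test` are constructed sample values. Real path building also checks signatures, validity periods and name constraints.

```python
"""Toy model of TLS chain building when a server omits its intermediate.

Added example (not from the Hacker News thread). Certificates are modelled
as (subject, issuer, is_ca) records; no signatures are checked.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


def build_chain(leaf: Cert, presented: Iterable[Cert], extra_pool: Iterable[Cert],
                trust_anchors: Iterable[Cert]) -> Optional[List[Cert]]:
    """Return [leaf, ..., root] or None if no path to a trust anchor exists.

    Issuers are looked up among the CA certificates the server sent and in
    extra_pool, which stands for either a browser's cache of previously seen
    intermediates or a preloaded list of known intermediates.
    """
    anchors = {c.subject: c for c in trust_anchors}
    by_subject: Dict[str, Cert] = {}
    for c in list(extra_pool) + list(presented):  # server-sent certs win on conflict
        if c.is_ca:
            by_subject[c.subject] = c
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while current.issuer not in anchors:
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:  # missing link or a loop
            return None
        chain.append(nxt)
        seen.add(nxt.subject)
        current = nxt
    chain.append(anchors[current.issuer])
    return chain


def visit(leaf: Cert, presented: List[Cert], cache: Dict[str, Cert],
          trust_anchors: Iterable[Cert]) -> Optional[List[Cert]]:
    """Simulate the accidental-cache behaviour: any CA cert a server sends is
    remembered and reused when a later site leaves out its intermediate."""
    chain = build_chain(leaf, presented, extra_pool=cache.values(),
                        trust_anchors=trust_anchors)
    for c in presented:
        if c.is_ca:
            cache.setdefault(c.subject, c)
    return chain


# Constructed sample PKI: one root, one intermediate, one leaf.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", is_ca=True)
LEAF = Cert("www.example.test", "Example Issuing CA")


def demo():
    """Same misconfigured server (leaf only) seen by three kinds of client."""
    strict = build_chain(LEAF, [LEAF], [], [ROOT])                   # fails
    preloaded = build_chain(LEAF, [LEAF], [INTERMEDIATE], [ROOT])    # fixed list rescues it
    complete = build_chain(LEAF, [LEAF, INTERMEDIATE], [], [ROOT])   # correctly configured server
    return strict, preloaded, complete


def demo_cache():
    """Visiting a well-configured site first makes a broken site appear to work."""
    cache: Dict[str, Cert] = {}
    site_a_leaf = Cert("a.example.test", "Example Issuing CA")
    first = visit(site_a_leaf, [site_a_leaf, INTERMEDIATE], cache, [ROOT])
    second = visit(LEAF, [LEAF], cache, [ROOT])      # leaf only, but cache has the intermediate
    fresh = build_chain(LEAF, [LEAF], [], [ROOT])    # a client with an empty cache sees it broken
    return first is not None, second is not None, fresh is None


if __name__ == "__main__":
    print(demo())
    print(demo_cache())
```

The `demo_cache` path is the order-dependent behaviour the comment describes: whether the second site validates depends on what the client saw earlier, which is why a preloaded, fixed intermediate list is the more predictable way to tolerate servers that omit their intermediate.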

The mechanism for caching seen certs dates back to Internet Explorer / Netscape times

https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c16