[Webkit-unassigned] [Bug 171609] [Cocoa] Stop performing caching of intermediate TLS certificates

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 3 16:55:41 PDT 2017


--- Comment #5 from Michael Catanzaro <mcatanzaro at igalia.com> ---
OK, I totally forgot when I filed this earlier today, but there is another possibility for how Safari might be verifying this incomplete chain. It could be using the authority information access extension of the server certificate [1] to download the intermediate. If so, then the result is predictable, this bug report is invalid, and we should change nothing on Mac. Instead, other WebKit ports should implement the same functionality in their networking backends for compatibility. (Igalia would handle the libsoup backend.)

But if it's caching intermediates, then everything I said earlier is valid and Safari should stop doing that. It would be good to get confirmation from the relevant Apple developers as to what is happening here: is it caching intermediate certificates, or is it using authority information access?

[1] https://tools.ietf.org/html/rfc5280#section-
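
Added example, not part of the original message and not WebKit or Safari code: a toy Python model of the two mechanisms the comment distinguishes, showing that cached intermediates make the result depend on earlier connections while authority information access does not. Certificates are dicts matched by name only (no real signatures), and the CA names, hosts and caIssuers URL are constructed.

```python
# Toy model: certificates are dicts, names stand in for signatures (no real crypto).
ROOTS = {"Example Root CA"}  # constructed trust store

INTERMEDIATE = {"subject": "Example Intermediate CA",
                "issuer": "Example Root CA", "aia": None}
# Constructed caIssuers URL -> certificate published there (stands in for an HTTP fetch).
AIA_REPO = {"http://ca.example/intermediate.crt": INTERMEDIATE}

def leaf(host):
    return {"subject": host, "issuer": "Example Intermediate CA",
            "aia": "http://ca.example/intermediate.crt"}

def verify(sent, cache=None, use_aia=False):
    """Build a path from sent[0] to a trusted root.

    sent    -- certificates the server presented, leaf first
    cache   -- dict of intermediates remembered from earlier connections, or None
    use_aia -- follow the certificate's caIssuers URL when an issuer is missing
    Returns the list of subjects in the path, or None if no path is found.
    """
    pool = {c["subject"]: c for c in sent[1:]}
    cert, path = sent[0], [sent[0]["subject"]]
    while cert["issuer"] not in ROOTS:
        name = cert["issuer"]
        issuer = pool.get(name) or (cache or {}).get(name)
        if issuer is None and use_aia and cert["aia"]:
            issuer = AIA_REPO.get(cert["aia"])
        if issuer is None or issuer["subject"] != name or name in path:
            return None  # missing issuer, wrong certificate at the URL, or a loop
        path.append(name)
        cert = issuer
    if cache is not None:  # caching client remembers the intermediates it was sent
        cache.update(pool)
    return path + [cert["issuer"]]

def demo():
    broken = [leaf("broken.example")]             # server omits the intermediate
    good = [leaf("good.example"), INTERMEDIATE]   # server sends the full chain
    cache = {}
    before = verify(broken, cache=cache)          # fresh profile
    verify(good, cache=cache)                     # unrelated earlier visit
    after = verify(broken, cache=cache)           # same site, same incomplete chain
    aia = verify(broken, use_aia=True)            # no client state involved
    return before, after, aia
```
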
