CCADB's ICA list accuracy

[csosto-pk]

If a 3rd party repo was hosting the ICA list for WebPKI, then we could limit outages because

• all clients would have the same version (assuming within time interval).
• servers could check if their ICAs are in the list (assuming within time interval) and if not they could just send them regardless of the flag (also discussed in https://github.com/csosto-pk/tls-suppress-intermediates/issues/7)

We should think about this more.

[csosto-pk]

Reach out to CCADB https://groups.google.com/a/mozilla.org/g/dev-security-policy

[csosto-pk]

CCADB already hosts them here https://ccadb-public.secure.force.com/mozilla/MozillaIntermediateCertsCSVReport and we confirmed these are the same FiloSottile pulls from. So, there is a third-party that hosts them already.

Now we need to study how good this list is; meaning if the ICAs start getting used before they show up in the list.