intermediate certificate preloading healer
Categories: Core :: Security: PSM, enhancement, P1
People: Reporter: keeler, Assigned: keeler
Details: Whiteboard: [psm-assigned]
Attachments: 1 file (deleted), text/x-phabricator-request

Users may have cached intermediate certificates in their cert9.db that have also been downloaded via intermediate preloading. Some operations in NSS are linear (or worse) with the number of certificates in cert9.db, so we should consider removing those superfluous entries (as long as the user hasn't modified their trust bits). This could be done as a background task that periodically scans cert9.db and removes certificates as appropriate.

Comment 1 (Assignee) • 4 years ago
In general, PSM caches intermediates from verified certificate chains in the
NSS certdb. Before bug 1619021, this would include preloaded intermediates,
which is unnecessary because cert_storage has a copy of those certificates, and
so they don't need to take up time and space in the NSS certdb. This patch
introduces the intermediate preloading healer, which periodically runs on a
background thread, looks for these duplicate intermediates, and removes them
from the NSS certdb.
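
A minimal model of one healer pass as described in the bug description and Comment 1, added here as an illustration; it is not the patch from this bug and calls no NSS or cert_storage APIs. The `CachedCert` and `HealResult` structs, `HealOnce`, the fingerprint strings and the per-pass `batchLimit` are assumptions made for the example.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Hypothetical in-memory model of one cert9.db entry; not an NSS or PSM type.
struct CachedCert {
  std::string fingerprint;  // constructed sample identifier
  bool isIntermediate;      // false for roots and end-entity certificates
  bool userModifiedTrust;   // true if the user changed this entry's trust bits
};

struct HealResult {
  std::vector<std::string> removed;  // fingerprints deleted in this pass
  bool moreWork;                     // removable duplicates remain for a later pass
};

// One healer pass: delete entries that are intermediates, are also present in
// the preloaded set, and carry no user trust changes. batchLimit (an assumption
// of this example) bounds deletions per pass so each periodic run stays cheap.
HealResult HealOnce(std::vector<CachedCert>& certdb,
                    const std::set<std::string>& preloaded,
                    std::size_t batchLimit) {
  HealResult result{{}, false};
  std::vector<CachedCert> kept;
  for (const CachedCert& cert : certdb) {
    bool duplicate = cert.isIntermediate && !cert.userModifiedTrust &&
                     preloaded.count(cert.fingerprint) > 0;
    if (duplicate && result.removed.size() < batchLimit) {
      result.removed.push_back(cert.fingerprint);
    } else {
      if (duplicate) result.moreWork = true;  // over the limit: leave for next run
      kept.push_back(cert);
    }
  }
  certdb.swap(kept);
  return result;
}

// Constructed sample data: int-A and int-D are removable duplicates, int-B is
// preloaded but has user-edited trust, int-C is not preloaded, root-R is a root.
std::vector<CachedCert> SampleCertDb() {
  return {{"int-A", true, false}, {"int-B", true, true}, {"int-C", true, false},
          {"root-R", false, false}, {"int-D", true, false}};
}
std::set<std::string> SamplePreloaded() { return {"int-A", "int-B", "int-D", "int-E"}; }

int main() {
  std::vector<CachedCert> db = SampleCertDb();
  while (HealOnce(db, SamplePreloaded(), 1).moreWork) {}
  std::printf("%zu entries remain\n", db.size());
}
```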

Comment 3 • 4 years ago
Backed out for xpcshell failures on test_intermediate_preloads.js
Backout link: https://hg.mozilla.org/integration/autoland/rev/ce51bacc88393c714df6b27f4831a37a65db930d
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=305151853&repo=autoland&lineNumber=2733

Comment 4 (Assignee) • 4 years ago
Thanks. Working on the underlying issue in bug 1644224.

Comment 6 • 4 years ago
bugherder

Comment 7 • 4 years ago
Is this something we should consider uplifting to Beta so it's in the next ESR or can this fix ride 79 to release?

Comment 8 (Assignee) • 4 years ago
Since the next ESR won't have had intermediate preloading without also having bug 1619021, it's not as important. I think it would be best to be cautious and let this ride the trains.