Thanks for filing, Matt!

I don't think this will need to block canary. The functionality is that this watches for Keychain events for users entering or removing smart cards (which may include root certs, but will primarily include client certs)

If you look through the OnCertDBChanged listeners, we can see that the following behaviours happen:
- All QUIC connections are closed (//net/quic/chromium/quic_stream_factory.cc)
- The SSL session cache is flushed (//net/socket/client_socket_factory.cc)
- The socket pools are flushed as a network change event (//net/socket/client_socket_pool_manager_impl.cc)
- All SPDY sessions are closed (//net/spdy/spdy_session_pool.cc)
- The SSL client auth cache is cleared (//net/ssl/ssl_client_auth_cache.cc)
- The Cert Verification cache is cleared (//net/cert/caching_cert_verifier.cc)

I'm ignoring the ChromeOS-specific bits (such as the UI refresh or the ARC++ integration), since this was filed as macOS only.

For better sandboxing of the network service, this would be best be kept outside - the same way that client certs are also handled in the browser process. We'd just need a way to signal down to affect these behaviours.

This is understandably a *giant* hammer to wield - effectively resetting the network state, for all profiles - so I can understand if there is reticence to adding such an API. For various platform-dependent reasons, we don't have a good way to close 'just' those connections affected, nor reset the state of 'just' those hosts.

Thanks, Ryan!  Removing the Canary label.

And just to document for posterity what the impact will be for Canary:

Users who use smart cards will, on macOS, need to restart Chrome if trying to change the authentication state of connections (i.e. authenticated anonymously, then insert card, and want to authenticate with credentials). This behaviour actually aligns with the Windows/Linux implementations at present, hence why I don't view it as a Canary-blocker. We'd like to align the Windows/Linux implementations with macOS, as part of polishing client cert handling, but that's polish.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3e356d0f62841f5d5307de4f8fb0269ce54e69e2

commit 3e356d0f62841f5d5307de4f8fb0269ce54e69e2
Author: Matt Mueller <mattm@chromium.org>
Date: Wed Nov 07 21:06:14 2018

Add browser_test for CertDatabase changes flushing client auth cache.

Bug: 853228
Change-Id: Iaef40bc62c7b5f6c93f71e8249402c0218605471
Reviewed-on: https://chromium-review.googlesource.com/c/1321584
Commit-Queue: Matt Mueller <mattm@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#606156}
[modify] https://crrev.com/3e356d0f62841f5d5307de4f8fb0269ce54e69e2/chrome/browser/ssl/ssl_browsertest.cc