In this context, I was wondering: Has there been a discussion yet on Firefox enforcing cert lifetime in code not just via policy?
Most everything seems to be in place already due to EV, but DV doesn't have a limit atm. Now in practice, thanks to killing SHA-1, most of those legacy certs are probably distrusted anyway. But then again, backdating is technically possible until full CT can provide protection in ~4 years, iiuc, and it's a pretty stealthy way for CAs to subvert current guidelines (unless you do it WoSign-style, I guess...). Limiting to 60 months could be done right now as a sanity check and shouldn't cause any problems, right?

https://github.com/mozilla/gecko-dev/blob/455ab646d315d265b4c0c3f712a69aae40985fcf/security/certverifier/NSSCertDBTrustDomain.cpp#L1112

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy
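The sort of lifetime sanity check the message proposes, written out as an added example; this is not Mozilla or NSS code and is not how the linked NSSCertDBTrustDomain.cpp enforces anything. It assumes the 60-month cap from the message, measures it in calendar months from notBefore with the day-of-month clamped to the target month's length (that clamping rule is an assumption, not something the message specifies), and takes the validity times in the RFC 5280 UTCTime/GeneralizedTime string forms, including the two-digit-year pivot at 50. The validity pairs at the bottom are constructed test inputs, not real certificates.

```python
"""Certificate validity-period sanity check (added example, not Mozilla/NSS code).

Assumptions not stated in the original message:
  * cap is MAX_LIFETIME_MONTHS calendar months from notBefore, day clamped to
    the target month's length (2016-02-29 + 60 months -> 2021-02-28);
  * times are RFC 5280 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime
    (YYYYMMDDHHMMSSZ), always UTC with seconds present.
"""
import calendar
from datetime import datetime, timezone
from typing import Tuple

MAX_LIFETIME_MONTHS = 60  # the cap proposed in the message


def parse_asn1_time(s: str) -> datetime:
    """Parse an RFC 5280 UTCTime or GeneralizedTime string into an aware datetime."""
    if not s.endswith("Z"):
        raise ValueError(f"not a UTC time string: {s!r}")
    body = s[:-1]
    if len(body) == 12:
        # UTCTime: RFC 5280 4.1.2.5.1 says YY >= 50 means 19YY, else 20YY.
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:
        # GeneralizedTime: four-digit year.
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"malformed time string: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def add_months(t: datetime, months: int) -> datetime:
    """Advance t by whole calendar months, clamping the day to the target month."""
    total = t.year * 12 + (t.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def check_validity_period(not_before: str, not_after: str,
                          max_months: int = MAX_LIFETIME_MONTHS) -> Tuple[bool, str]:
    """Return (ok, reason); ok is False for an inverted period or one over the cap."""
    nb = parse_asn1_time(not_before)
    na = parse_asn1_time(not_after)
    if na < nb:
        return False, "notAfter precedes notBefore"
    limit = add_months(nb, max_months)
    if na > limit:
        return False, (f"validity ends {na:%Y-%m-%d %H:%M:%S}, cap is "
                       f"{limit:%Y-%m-%d %H:%M:%S} ({max_months} months)")
    return True, "within cap"


# Constructed sample validity periods (not taken from any real certificate).
SAMPLE_PERIODS = [
    ("160301000000Z", "210301000000Z"),      # exactly 60 months: accepted
    ("160301000000Z", "210302000000Z"),      # one day past the cap: rejected
    ("160229000000Z", "210228000000Z"),      # leap-day issuance, clamped limit: accepted
    ("20160301000000Z", "20210301000000Z"),  # same period in GeneralizedTime: accepted
    ("210101000000Z", "200101000000Z"),      # inverted period: rejected
]

if __name__ == "__main__":
    for nb, na in SAMPLE_PERIODS:
        ok, reason = check_validity_period(nb, na)
        print(f"{nb} -> {na}: {'ok' if ok else 'REJECT'} ({reason})")
```

The check is deliberately on the certificate's own validity fields only; it cannot detect a backdated notBefore, which is the point the message makes about needing CT for that. A real verifier would also want the clamping convention pinned down explicitly, since "60 months" from a month-end date is ambiguous without it.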