Thanks for mentioning this here. Could you explain why you see it as an issue? RFC 5280 defines a trust anchor as a subject and a public key. Everything else is optional, and the delivery of a trust anchor as a certificate does not necessarily imply the constraints of that certificate, including expiration, should apply.
On Sun, Jul 14, 2019 at 1:52 PM Vincent Lours via dev-security-policy <[email protected]> wrote:

> Hi there,
>
> Following my "question" in the Mozilla Support Forum (
> https://support.mozilla.org/en-US/questions/1264544), I would like to
> notice you that there are 2 certificates expired in your Root CA file
> certdata.txt.
>
> The following certificates expired days ago:
> | Expiration date | Certificate CN |
> | 2019-07-06 | Class 2 Primary CA |
> | 2019-07-09 | Deutsche Telekom Root CA 2 |
>
> New certificates should be retrieved for these 2 CA, or they should be
> deleted from the certdata.txt as they are no longer valid.
>
> certdata.txt References:
> nss: '
> https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
> ',
> central:
> https://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
> ',
> beta:
> https://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
> ',
> release: '
> https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
> ',
>
> Thanks for your help.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

