On Monday, 15 July 2019 04:41:12 UTC+10, Ryan Sleevi wrote:
> Thanks for mentioning this here.
>
> Could you explain why you see it as an issue? RFC 5280 defines a trust
> anchor as a subject and a public key. Everything else is optional, and the
> delivery of a trust anchor as a certificate does not necessarily imply the
> constraints of that certificate, including expiration, should apply.
>
Hi Ryan,

Thanks for your message.

First of all, I never said that was an issue. I was just reporting some expired Root CAs, as I was thinking that may impact people.

Secondly, I was not aware of RFC 5280 defining a trust anchor as a subject and a public key. However, if you refer to the same RFC, they defined a Public Key in the "4.1.2.5. Validity" Section:

"When the issuer will not be able to maintain status information until the notAfter date (including when the notAfter date is 99991231235959Z), the issuer MUST ensure that no valid certification path exists for the certificate after maintenance of status information is terminated. This may be accomplished by expiration or revocation of all CA certificates containing the public key used to verify the signature on the certificate and discontinuing use of the public key used to verify the signature on the certificate as a trust anchor."

In the case of the "certdata.txt", this file includes Public CA certificates. So an expired certificate means that the key cannot be used anymore.

I'm still not expressing this message as an issue, but a suggestion to update/remove those expired Public Keys from your certdata.txt.

Cheers,
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
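The distinction the two messages above turn on is what RFC 5280 calls the trust anchor (a subject name plus a public key) versus the certificate that happens to carry it, which also has a notAfter date. The script below is an added example, not code from this thread or from Mozilla's NSS tooling: it constructs two placeholder X.509 certificates with a tiny DER encoder (placeholder key bits and a dummy signature, so nothing is cryptographically valid), wraps them in the subset of the certdata.txt layout that matters here (CKA_LABEL, CKA_VALUE MULTILINE_OCTAL ... END, the rest of the real file's attributes are omitted), then reads each entry back, splits out the anchor identity (subject DER, SubjectPublicKeyInfo DER) separately from the validity window, and lists which entries' certificates have expired as of a given date. The labels, the check date and the certificate contents are all constructed for the demonstration.

```python
"""Added example: read certdata.txt-style entries and separate the RFC 5280
trust anchor (subject + SPKI) from the carrying certificate's notAfter.
The certificates are constructed with placeholder keys and a dummy signature."""
from datetime import datetime, timezone
import re

# ---- minimal DER encoder, used only to construct the sample certificates ----
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                    # long-form length (0x81 nn, 0x82 nn nn, ...)
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_seq(*parts): return tlv(0x30, b"".join(parts))
def der_int(v):      return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))
def der_time(dt):    # RFC 5280 4.1.2.5: UTCTime through 2049, GeneralizedTime from 2050
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode()) if dt.year < 2050 \
        else tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

OID_CN = tlv(0x06, b"\x55\x04\x03")                         # id-at-commonName 2.5.4.3
def der_name(cn):                                           # Name ::= SEQUENCE OF SET OF AVA
    return der_seq(tlv(0x31, der_seq(OID_CN, tlv(0x0C, cn.encode()))))

def build_cert(cn, not_before, not_after, key_bits=b"\x00constructed-key"):
    """Constructed self-issued certificate; key and signature are placeholders."""
    sig_alg = der_seq(tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))   # sha256WithRSAEncryption
    spki = der_seq(der_seq(tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01")),  # rsaEncryption
                   tlv(0x03, b"\x00" + key_bits))
    name = der_name(cn)
    tbs = der_seq(tlv(0xA0, der_int(2)), der_int(1), sig_alg, name,
                  der_seq(der_time(not_before), der_time(not_after)), name, spki)
    return der_seq(tbs, sig_alg, tlv(0x03, b"\x00dummy-signature"))

# ---- certdata.txt subset: CKA_VALUE as \ooo octal escapes between MULTILINE_OCTAL and END ----
def to_certdata(label, der):
    octal = "".join("\\%03o" % b for b in der)
    lines = [octal[i:i + 64] for i in range(0, len(octal), 64)]     # 16 bytes per line
    return ("CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n" + 'CKA_LABEL UTF8 "%s"\n' % label
            + "CKA_VALUE MULTILINE_OCTAL\n" + "\n".join(lines) + "\nEND\n")

def parse_certdata(text):
    """Return [(label, der_bytes)] for every CKA_VALUE block in the text."""
    entries, label, collecting, octets = [], None, False, []
    for line in text.splitlines():
        if line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"')[1]
        elif line.startswith("CKA_VALUE MULTILINE_OCTAL"):
            collecting, octets = True, []
        elif collecting and line == "END":
            der = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(octets)))
            entries.append((label, der))
            collecting = False
        elif collecting:
            octets.append(line)
    return entries

# ---- minimal DER reader: enough to reach subject, SPKI and validity ----
def der_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    else:
        n = first
    return tag, buf[pos:pos + n], pos + n

def der_children(content):
    """List of (tag, body, raw_tlv) for the elements directly inside content."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, body, pos = der_read(content, pos)
        out.append((tag, body, content[start:pos]))
    return out

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                                   # UTCTime: YY >= 50 means 19YY (RFC 5280)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def anchor_fields(der):
    """The trust anchor as RFC 5280 defines it (subject, SPKI) plus the validity
    window that only exists because the anchor was delivered as a certificate."""
    fields = der_children(der_children(der_read(der, 0)[1])[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                                          # optional [0] version
        fields = fields[1:]
    serial, sig_alg, issuer, validity, subject, spki = fields[:6]
    nb, na = der_children(validity[1])
    return {"subject": subject[2], "spki": spki[2],
            "not_before": parse_time(nb[0], nb[1]), "not_after": parse_time(na[0], na[1])}

def expired_anchors(text, now):
    """Labels whose embedded certificate has passed notAfter as of `now`."""
    return [label for label, der in parse_certdata(text) if anchor_fields(der)["not_after"] < now]

# ---- constructed sample file: one expired root, one still valid; constructed check date ----
CHECK_DATE = datetime(2019, 7, 15, tzinfo=timezone.utc)
SAMPLE = (to_certdata("Constructed Expired Root",
                      build_cert("Constructed Expired Root",
                                 datetime(1999, 1, 1, tzinfo=timezone.utc),
                                 datetime(2019, 7, 1, tzinfo=timezone.utc)))
          + to_certdata("Constructed Current Root",
                        build_cert("Constructed Current Root",
                                   datetime(2010, 1, 1, tzinfo=timezone.utc),
                                   datetime(2099, 12, 31, 23, 59, 59, tzinfo=timezone.utc))))

if __name__ == "__main__":
    for label, der in parse_certdata(SAMPLE):
        f = anchor_fields(der)
        print(label, "| anchor = (subject, spki) of", len(f["subject"]), "+", len(f["spki"]),
              "bytes | notAfter", f["not_after"].date(), "| expired:", f["not_after"] < CHECK_DATE)
```

The point the split makes visible is that `anchor_fields` returns the same (subject, SPKI) pair whether or not `not_after` has passed; a store that keys trust on that pair, as RFC 5280 allows, keeps honouring the expired entry, while one that applies the certificate's own validity stops at notAfter. Either way, listing the entries whose certificate has lapsed is a cheap audit step before deciding which of the two behaviours a given consumer of certdata.txt actually has.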

