I can't find a written rule about the validity period of CA certificates in the CA/B BR or the Mozilla policy, so a CA could register a root certificate with a notAfter date of year 9999 (which RFC 5280 assigns for "no well-defined expiration date") and practically never care about a root certificate being expired. But would this kind of thing actually be allowed? Actually this doesn't sound that bad, as the root store is hand-picked, and if there were a reason to remove a root certificate (no longer trusted / key is now considered weak) it would be removed from the store by a store update, making automatic expiration unneeded, and it can break things.
For intermediate CAs the validity period is a different can of worms, and I personally think having to manage documentation and crt/ocsp literally forever is enough of a deterrent that no real CA will attempt it.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/be17387c-f250-4faa-b46b-57f5bdaf1bben%40mozilla.org.
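As an added example (not from the post, and not from any CA or root-store program's own tooling): a Go program that builds two throwaway self-signed roots, one with a 25-year lifetime and one whose notAfter is the RFC 5280 sentinel 99991231235959Z, round-trips them through DER with the standard library, and runs a small validity lint of the kind a root-store reviewer might apply. The 25-year cap, the subject names and the function names are assumptions for illustration; as the post says, neither the BRs nor the Mozilla policy states such a cap.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RFC 5280 section 4.1.2.5: a notAfter of GeneralizedTime 99991231235959Z
// means the certificate has no well-defined expiration date.
var noWellDefinedExpiry = time.Date(9999, 12, 31, 23, 59, 59, 0, time.UTC)

// Finding is what a root-store reviewer would want to see for one CA cert.
type Finding struct {
	Subject       string
	NoExpiry      bool // notAfter is the RFC 5280 sentinel
	LifetimeYears int  // calendar years between notBefore and notAfter
	ExceedsPolicy bool // longer than the hypothetical cap, or no expiry at all
}

// AuditValidity applies a hypothetical store rule capping CA lifetime at
// maxYears. The cap is an assumption for this example, not a published rule.
func AuditValidity(cert *x509.Certificate, maxYears int) Finding {
	f := Finding{
		Subject:       cert.Subject.CommonName,
		NoExpiry:      cert.NotAfter.Equal(noWellDefinedExpiry),
		LifetimeYears: cert.NotAfter.Year() - cert.NotBefore.Year(),
	}
	// Compare with AddDate rather than Sub: a time.Duration cannot hold
	// ~8000 years, so NotAfter.Sub(NotBefore) would silently saturate.
	f.ExceedsPolicy = f.NoExpiry || cert.NotAfter.After(cert.NotBefore.AddDate(maxYears, 0, 0))
	return f
}

// newSelfSignedRoot builds a throwaway self-signed CA certificate and parses
// it back from DER, so the audited notAfter is the encoded one. The key,
// subject and serial are constructed for this example only.
func newSelfSignedRoot(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cases := []struct {
		cn       string
		notAfter time.Time
	}{
		{"Example Root 2024", base.AddDate(25, 0, 0)}, // exactly at the cap: passes
		{"Example Root Forever", noWellDefinedExpiry}, // sentinel: flagged
	}
	for _, c := range cases {
		cert, err := newSelfSignedRoot(c.cn, base, c.notAfter)
		if err != nil {
			fmt.Println("create:", err)
			return
		}
		f := AuditValidity(cert, 25)
		fmt.Printf("%-22s notAfter=%s noExpiry=%t years=%d exceedsPolicy=%t\n",
			f.Subject, cert.NotAfter.UTC().Format(time.RFC3339),
			f.NoExpiry, f.LifetimeYears, f.ExceedsPolicy)
	}
}
```

The round-trip through DER matters: the sentinel only survives because year 9999 is encoded as GeneralizedTime rather than UTCTime, and a lint that inspected only the template would not prove the encoded value. Treating the sentinel as a policy failure reflects the post's point that a store relies on explicit removal rather than expiry, so a reviewer at least wants such a root surfaced rather than silently accepted.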
