Maria José Prieto <[email protected]> writes:

>Newly minted Root CAs must be valid for a minimum of 8 years, and a maximum
>of 25 years, from the date of submission.

It would be helpful if browsers enforced the upper limits in the same way they strictly enforce lower limits. I don't know how many root CA certs I've seen with validity periods of between one and two hundred years (that's not a typo). In particular, one-century validity periods seem to be popular for we-don't-want-to-have-to-replace-them CA certs.

So once they're entered into the CA store those all-powerful certs will still be valid long after the CAs have gone out of business, the private keys have been sold or stolen or lost, and the crypto they use has been broken.

Peter.
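An added example, not part of the original message or of any browser's code: a small audit that flags self-issued CA certificates whose notBefore-to-notAfter span exceeds the 25-year limit quoted above. It assumes certificate dictionaries in the format returned by Python's `ssl.SSLContext.get_ca_certs()`, measures the certificate's total validity span rather than time from the date of submission, and uses constructed sample entries.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_YEARS = 25  # upper limit quoted at the top of the thread
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def _when(cert_time):
    # Parse the "Jan  1 00:00:00 2010 GMT" strings used in ssl cert dicts.
    return EPOCH + timedelta(seconds=ssl.cert_time_to_seconds(cert_time))

def _common_name(name):
    # A name is a tuple of RDNs, each a tuple of (key, value) pairs.
    return next((v for rdn in name for k, v in rdn if k == "commonName"), "<no CN>")

def overlong_roots(certs, max_years=MAX_YEARS):
    """Return (CN, approx. validity in years) for self-issued certs whose
    notBefore..notAfter span exceeds max_years, longest first."""
    flagged = []
    for cert in certs:
        if cert["subject"] != cert["issuer"]:
            continue  # not self-issued, so not a root
        start, end = _when(cert["notBefore"]), _when(cert["notAfter"])
        try:
            limit = start.replace(year=start.year + max_years)
        except ValueError:  # notBefore on Feb 29, target year is not a leap year
            limit = start.replace(year=start.year + max_years, day=28)
        if end > limit:
            flagged.append((_common_name(cert["subject"]),
                            round((end - start).days / 365.2425, 1)))
    return sorted(flagged, key=lambda item: -item[1])

def _sample(cn, not_before, not_after, issuer=None):
    name = lambda value: ((("commonName", value),),)
    return {"subject": name(cn), "issuer": name(issuer or cn),
            "notBefore": not_before, "notAfter": not_after}

# Constructed sample entries, not real CA certificates.
SAMPLE = [
    _sample("Century Root (constructed)", "Jan  1 00:00:00 2010 GMT", "Jan  1 00:00:00 2110 GMT"),
    _sample("Boundary Root (constructed)", "Jan  1 00:00:00 2000 GMT", "Jan  1 00:00:00 2025 GMT"),
    _sample("Long Intermediate (constructed)", "Jan  1 00:00:00 2010 GMT",
            "Jan  1 00:00:00 2110 GMT", issuer="Century Root (constructed)"),
]

if __name__ == "__main__":
    # Swap SAMPLE for ssl.create_default_context().get_ca_certs() to audit
    # the CA certificates Python has loaded from the local trust store.
    for cn, years in overlong_roots(SAMPLE):
        print(f"{cn}: about {years} years")
```

The limit is compared by calendar date, so a root valid for exactly 25 years is not flagged.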
