On Thu, May 25, 2023 at 12:51 AM Seo Suchan <[email protected]> wrote:
>
> Most of root store policies do not apply to them as they are no longer
> publicly trusted as they are removed from trust store, but there are
> enough unupdated clients that still trust such certificates (mostly
> Androids/IoT, I think)
>
> should trust store start to require destroying root private key just
> before its expiration? however then catastrophic event happens that
> caused reject the CA does not have incentive to do any more about it though

A CA's liability ends when the certificate expires. Throw the certificate away at expiration. There's no need to check for revocation either. Potential revocation ends at expiration. A key that is compromised after expiration will not lead to a CRL entry.

Jeff
