The below is true except in the case of Code Signing CAs where there are requirements to maintain revocation services after the CA has expired, and to also be able to add expired certificates to the CRL, but that's an entirely different ecosystem than the one we're discussing here....
Doug

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Jeffrey Walton
Sent: Thursday, May 25, 2023 1:55 AM
To: Seo Suchan <[email protected]>
Cc: [email protected]
Subject: Re: Is there a rule about root keys that already expired?

On Thu, May 25, 2023 at 12:51 AM Seo Suchan <[email protected]> wrote:
>
> Most root store policies do not apply to them, as they are no longer
> publicly trusted once they are removed from the trust store, but there
> are enough un-updated clients that still trust such certificates (mostly
> Androids / IoT, I think).
>
> Should trust stores start to require destroying the root private key just
> before its expiration? However, if a catastrophic event then happens that
> causes rejection, the CA does not have any incentive to do anything more
> about it, though.

A CA's liability ends when the certificate expires. Throw the certificate away at expiration.

There's no need to check for revocation either. Potential revocation ends at expiration. A key that is compromised after expiration will not lead to a CRL entry.

Jeff

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAH8yC8mPiOdfQ%2Bxtdsi669uCra6jAyv3QXfEmX-%3DQDfyqyZNww%40mail.gmail.com.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/SEZPR03MB6593216BCD6D645B660FDE26F0469%40SEZPR03MB6593.apcprd03.prod.outlook.com.
