On Sun, 7 Nov 2021, Bill Cole wrote:

>> So I wonder how widespread this problem is?
>
> The problem in this case is not the existence of the cert in the CA bundle, but the fact that this particular expired cert was used in an alternative validation path and the logic of verification for multi-path certs isn't correct. Normally, expired root CAs should stay in there because that allows positive non-verification of certs supposedly issued by an expired (and maybe compromised) root CA.

Gotcha; thanks.

>> And I'm not happy with those that are set way in the future; I heard somewhere that 5 years is the recommended max.
>
> CAs are special. The current limit on server certs is 397 days. I don't think there's a consensus on CA lifetimes because of the conflicting risks of too-short and too-long lives.

One day past a leap year :-) I don't remember where I saw the 5-year recommendation, unfortunately.

-- Dave
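The path-building point Bill makes above (an expired root that is still in the bundle only breaks things if the verifier gives up on the first chain it finds instead of trying the alternative path) and his 397-day figure for server certificates are easier to see in code. The following is a toy model added here as an example; it is not code from the thread or from any CA or TLS library. Certificates are name-only records with no signatures or real X.509 parsing, and the whole PKI (the names "Example Old Root", "Example New Root", "Example Intermediate", "www.example.test" and every date) is constructed for the demonstration. It builds every leaf-to-anchor chain, then contrasts a verifier that checks only the first chain found against one that accepts if any chain is valid, and flags a server certificate whose lifetime exceeds the 397-day limit mentioned in the reply.

```python
"""Toy model of certificate path building with a cross-signed intermediate.

Added example, not from the original thread. Certificates are matched by
name only (no signature checks, no real X.509); all names and dates are
constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterator


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date


def valid_on(cert: Cert, when: date) -> bool:
    """True if `when` falls inside the certificate's validity window."""
    return cert.not_before <= when <= cert.not_after


def candidate_paths(leaf: Cert, pool: list, anchors: list) -> Iterator[list]:
    """Yield every chain leaf -> ... -> trust anchor, by issuer/subject name.

    `pool` holds intermediates supplied by the peer; `anchors` is the trust
    store (expired roots included, as the reply recommends keeping them).
    Subjects already on the path are skipped to avoid loops.
    """
    def walk(path: list) -> Iterator[list]:
        top = path[-1]
        seen = {c.subject for c in path}
        for anchor in anchors:
            if anchor.subject == top.issuer:
                yield path + [anchor]
        for cert in pool:
            if cert.subject == top.issuer and cert.subject not in seen:
                yield from walk(path + [cert])
    yield from walk([leaf])


def _describe(path: list) -> str:
    return " -> ".join(c.subject for c in path)


def verify_first_path(leaf: Cert, pool: list, anchors: list, when: date):
    """Naive verifier: builds one chain and stops. Any expired element on
    that chain is fatal even if another chain would have worked."""
    try:
        path = next(candidate_paths(leaf, pool, anchors))
    except StopIteration:
        return False, "no path to a trust anchor"
    for cert in path:
        if not valid_on(cert, when):
            return False, f"{cert.subject} (issuer {cert.issuer}) not valid on {when}"
    return True, _describe(path)


def verify_any_path(leaf: Cert, pool: list, anchors: list, when: date):
    """Path-aware verifier: accept if at least one complete chain is valid,
    otherwise report why every candidate chain was rejected."""
    rejected = []
    for path in candidate_paths(leaf, pool, anchors):
        bad = [c for c in path if not valid_on(c, when)]
        if not bad:
            return True, _describe(path)
        rejected.append(f"{_describe(path)}: {bad[0].subject} not valid on {when}")
    return False, "; ".join(rejected) or "no path to a trust anchor"


def lifetime_days(cert: Cert) -> int:
    return (cert.not_after - cert.not_before).days


def exceeds_server_lifetime(cert: Cert, limit_days: int = 397) -> bool:
    """Flag a server (leaf) certificate longer than the limit quoted in the
    reply. CA certificates are not subject to this limit."""
    return lifetime_days(cert) > limit_days


# Constructed PKI: an old root that expired on 2021-09-30, a new root, an
# intermediate cross-signed by both, and a 90-day server certificate.
OLD_ROOT = Cert("Example Old Root", "Example Old Root", date(2001, 1, 1), date(2021, 9, 30))
NEW_ROOT = Cert("Example New Root", "Example New Root", date(2016, 1, 1), date(2036, 1, 1))
INTER_CROSS = Cert("Example Intermediate", "Example Old Root", date(2021, 1, 1), date(2024, 12, 31))
INTER_NEW = Cert("Example Intermediate", "Example New Root", date(2020, 1, 1), date(2025, 12, 31))
LEAF = Cert("www.example.test", "Example Intermediate", date(2021, 10, 1), date(2021, 12, 30))

# The server sends the cross-signed intermediate first, so a first-path-only
# verifier walks into the expired root before it ever tries the new one.
POOL = [INTER_CROSS, INTER_NEW]
ANCHORS = [OLD_ROOT, NEW_ROOT]
WHEN = date(2021, 11, 7)  # constructed check date (after the old root expired)

if __name__ == "__main__":
    print("first path only:", verify_first_path(LEAF, POOL, ANCHORS, WHEN))
    print("any valid path: ", verify_any_path(LEAF, POOL, ANCHORS, WHEN))
    print("leaf lifetime   :", lifetime_days(LEAF), "days, over limit:",
          exceeds_server_lifetime(LEAF))
```

Run as a script, the first verifier rejects the chain because its only attempt ends at the expired old root, while the second accepts the chain through the new root. Dropping the expired root from `ANCHORS` also makes the first verifier pass, which is the workaround people reach for, but Bill's point is that the bug is in the single-path logic, not in the presence of the expired root.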
