On Sun, Apr 21, 2024 at 03:11:13PM -0700, 'Amir Omidi (aaomidi)' via
dev-secur...@mozilla.org wrote:
> I came across an interesting certificate today:
>
> https://crt.sh/?id=2385087905
>
> According to Censys, this certificate is publicly trusted in one of the major
> root programs.
>
> This certificate has a very long lifetime, and just seems to be *weird* in
> a lot of ways. Are these types of certificates okay to issue from
> publicly trusted roots/intermediates?

It *may* fall under the "this isn't a server certificate" exception, and
given that it was seemingly issued in 2017 (although it may have been issued
in 2020 and backdated, based on the SCT), many of the current rules around what
constitutes "valid for server authentication" may not apply in any case.
Well, in that case, there's not much that Mozilla could do anyway.
- Matt