To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ef771e2c-cf04-4c31-996e-061ae563a942n%40mozilla.org.
I think expired roots must be managed as if they're still trusted by things (as they are for old devices) or confirmed deleted safely: we surely wouldn't want to find out someone is selling ICAs signed by such keys on the dark web.
On May 26, 2023, at 2:01 AM, dr. Szőke Sándor <szoke....@microsec.hu> wrote:
You do not need to have the root or any subordinate CA key after the expiration of the CA certificate to be able to validate a signature.
The CA should issue a closing CRL before the end of its validity, and after expiry this closing CRL should be published beyond its validity.
The expired CA certificate cannot be used to sign any content, so we do not need the private key. For security reasons it is best to destroy the unusable private keys.
Sándor
From: 'Kurt Seifried' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, May 26, 2023 2:54 AM
To: Andy Warner <awa...@google.com>
Cc: dev-secur...@mozilla.org; Doug Beattie <doug.b...@globalsign.com>; nolo...@gmail.com <nolo...@gmail.com>; Seo Suchan <tjt...@gmail.com>
Subject: Re: Is there a rule about root keys that already expired?
There is also the classic email problem.
I signed email ages ago using X.509 certs chained off of roots that are (probably) now expired (it's been 20 years).
It would be nice to be able to check those email signatures/etc...
Just because a certificate is expired doesn't mean it isn't still useful/etc. Not everything is an HTTPS session.
On Thu, May 25, 2023 at 4:34 PM 'Andy Warner' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3_-fR2JoSaVACMG2r-ovsN7OdayeKziVw_ryQoXmDdhBQ%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/1E404211-D25B-43B0-AA81-161867A89E4A%40seifried.org.
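Added illustration of two points made in this thread, not code from any of the posters: Sándor's, that validating an old signature needs only the expired CA certificate and never its private key, and Kurt's, that mail signed 20 years ago should still be checkable. It constructs a throwaway root and signing leaf whose validity window (2003-2013, made-up names and dates) ended long ago, then verifies the chain as of the signing time and as of now using only Go's standard library; it does not model the closing CRL Sándor describes, so revocation is assumed out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the constructed chain below stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildExpiredChain constructs a throwaway root and a signing leaf whose validity
// (2003-2013) ended long ago, so both are expired at time.Now(). The root private
// key is dropped on return: verification never needs it, only the root certificate.
func BuildExpiredChain() (root, leaf *x509.Certificate) {
	from, to := time.Date(2003, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC)
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Expired Root"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "signer@example.test"},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return root, leaf
}

// VerifyAt chains leaf to root as of time `at`. The signatures stay cryptographically
// valid after expiry; only the validity window is judged against `at`, so callers pass
// the signing time for archived mail and time.Now() for a live check.
func VerifyAt(root, leaf *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err
}

func main() {
	root, leaf := BuildExpiredChain()
	signedAt := time.Date(2008, 6, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(VerifyAt(root, leaf, signedAt) == nil, VerifyAt(root, leaf, time.Now()) == nil) // true false
}
```

The same verification would succeed for a real expired root as long as its certificate (not its key) is still archived; what the expired root cannot give you is a fresh CRL, which is why the closing CRL must be kept published.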