cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

Add option to filter out expired certificates #272

Closed SgtCoDFish closed 7 months ago

SgtCoDFish commented 7 months ago

There are certain tools which struggle in the face of expired certs in a trust bundle (initially reported here).

These tools might choose an expired root over an unexpired one in the case that two valid chains can be built. For users who rely on these tools, the ability to filter expired certs from their bundles would be valuable since it removes the possibility of the tool picking the wrong cert.

However, it doesn't seem clear that we should always do this or that we should do this by default. Having an expired certificate in a bundle does have some value in that it provides clients with more information about the source of a TLS error they receive.

In other words, if I have an expired root in my bundle, I'll get a "certificate expired" error if something chains back to it, rather than a "certificate untrusted" error if there's no matching root in my bundle.

Proposal

Add some flag (potentially a command-line argument such as --filter-expired-certificates if there's no reason for this to be done on a per-bundle basis) which signals to trust-manager that the completed bundles it creates should have expired certs pruned.
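The trade-off the issue describes can be exercised directly with Go's crypto/x509 package (the language trust-manager itself is written in). The stand-alone program below is an added example, not trust-manager's code or the issue author's; the function names (filterExpiredPEM, verifyAgainst, runDemo), the two root identities and the leaf hostnames are all constructed for the demo, and the certificates are generated in memory with throwaway keys so it runs offline. It builds a bundle holding one root that expired a day ago and one that is still valid, issues a currently valid leaf under each, and verifies both leaves against the bundle before and after pruning: with the expired root present the old leaf fails with an expiry error, after pruning it fails as plainly untrusted, and the leaf under the valid root verifies either way. It assumes Go 1.18 or later (generics).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// filterExpiredPEM drops every CERTIFICATE block of a PEM trust bundle that is not valid at now;
// other block types pass through. An unparseable certificate is an error, never a silent drop.
func filterExpiredPEM(bundle []byte, now time.Time) (kept []byte, dropped int, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			cert, perr := x509.ParseCertificate(block.Bytes)
			if perr != nil {
				return nil, 0, fmt.Errorf("parsing certificate in bundle: %w", perr)
			}
			if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
				dropped++
				continue
			}
		}
		kept = append(kept, pem.EncodeToMemory(block)...)
	}
	return kept, dropped, nil
}

// verifyAgainst returns Go's verifier error text for leaf against the roots in bundle, or "" on success.
func verifyAgainst(leaf *x509.Certificate, bundle []byte, now time.Time) string {
	roots := x509.NewCertPool() // non-nil even for an empty bundle, so system roots are never consulted
	roots.AppendCertsFromPEM(bundle)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err.Error()
	}
	return ""
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal CA (ca=true) or server-leaf certificate template (constructed for the demo).
func template(cn string, serial int64, ca bool, notBefore, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert signs tmpl with parent/signer (self-signed when parent is nil) using a throwaway
// P-256 key; it returns the parsed certificate, its private key and its PEM encoding.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

type demoResult struct {
	Dropped                                                    int
	OldLeafFull, OldLeafFiltered, NewLeafFull, NewLeafFiltered string // verifier error text, "" on success
}

// runDemo: constructed bundle of an expired and a valid root, one valid leaf under each, verified before and after pruning.
func runDemo(now time.Time) demoResult {
	oldRoot, oldKey, oldPEM := newCert(template("Old Root CA", 1, true, now.Add(-3*365*24*time.Hour), now.Add(-24*time.Hour)), nil, nil)
	newRoot, newKey, newPEM := newCert(template("New Root CA", 2, true, now.Add(-365*24*time.Hour), now.Add(9*365*24*time.Hour)), nil, nil)
	oldLeaf, _, _ := newCert(template("old.example.internal", 3, false, now.Add(-time.Hour), now.Add(24*time.Hour)), oldRoot, oldKey)
	newLeaf, _, _ := newCert(template("new.example.internal", 4, false, now.Add(-time.Hour), now.Add(24*time.Hour)), newRoot, newKey)
	full := append(append([]byte{}, oldPEM...), newPEM...)
	filtered, dropped, err := filterExpiredPEM(full, now)
	if err != nil {
		panic(err)
	}
	return demoResult{dropped, verifyAgainst(oldLeaf, full, now), verifyAgainst(oldLeaf, filtered, now),
		verifyAgainst(newLeaf, full, now), verifyAgainst(newLeaf, filtered, now)}
}

func main() {
	fmt.Printf("%+v\n", runDemo(time.Now())) // one error text per pairing; "" means the chain verified
}
```

Go's own verifier tries every candidate root rather than stopping at the first match, so it does not show the "wrong root chosen" failure the issue attributes to other tools; what the run shows is the diagnostic side of the trade-off (an expiry error versus a bare unknown-authority error for the same leaf) and that pruning leaves the still-valid root intact. A filter like this should fail closed on unparseable input, as filterExpiredPEM does, so that a corrupt bundle is reported rather than silently shrunk.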