Is this aimed at recovering from a condition where a client cert's expired, to allow renewal, or is this more about changing the internal model such that client cert expiry can be enforced on a per-identity basis, or both?
SDKs can extend their certs, but don't. As the capability becomes implemented, clients will begin to do so. This allows someone to enforce cert expiration w/o losing existing clients.