scionproto / scion

SCION Internet Architecture
https://scion.org
Apache License 2.0

control: select a signer that covers the segment #4516

Closed lukedirtwalker closed 5 months ago

lukedirtwalker commented 5 months ago

When extending a segment we should select a signer that covers the whole validity of the segment. So far we only checked the end date, but with the introduction of enforcing that the AS certificate covers the whole AS entry (#4492) the verifier checks that the start date of the certificate also covers the whole segment lifetime. However, for signing we so far only used the latest certificate, which might have a later start date than the timestamp of the segment.

This is a problem because between creation of a segment and the signing of an AS entry in a downstream AS there can be quite some time.

This commit now makes sure to select a signer/certificate that covers the start of the segments.
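
The selection rule described in this PR, as an added Go example that is not the SCION code base's own implementation: `Signer`, `newest`, `SelectByEnd` and `SelectCovering` are hypothetical names, and the timestamps are constructed. It shows the renewed certificate being picked when only the end date is checked, and the older certificate being picked once the segment timestamp must be covered as well.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Signer is a hypothetical stand-in for a signing key plus its AS certificate validity.
type Signer struct {
	Name                string
	NotBefore, NotAfter time.Time
}

// newest returns the signer with the latest NotBefore among those accepted by ok.
func newest(signers []Signer, ok func(Signer) bool) (Signer, error) {
	var best *Signer
	for i, s := range signers {
		if ok(s) && (best == nil || s.NotBefore.After(best.NotBefore)) {
			best = &signers[i]
		}
	}
	if best == nil {
		return Signer{}, errors.New("no signer covers the requested period")
	}
	return *best, nil
}

// SelectByEnd models the earlier behaviour: latest certificate, only the end date checked.
func SelectByEnd(signers []Signer, segEnd time.Time) (Signer, error) {
	return newest(signers, func(s Signer) bool { return !s.NotAfter.Before(segEnd) })
}

// SelectCovering requires validity from the segment timestamp through the segment expiry.
func SelectCovering(signers []Signer, segStart, segEnd time.Time) (Signer, error) {
	return newest(signers, func(s Signer) bool {
		return !s.NotBefore.After(segStart) && !s.NotAfter.Before(segEnd)
	})
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample data
	signers := []Signer{
		{"old", t0.Add(-72 * time.Hour), t0.Add(24 * time.Hour)},
		{"renewed", t0.Add(2 * time.Hour), t0.Add(96 * time.Hour)},
	}
	a, _ := SelectByEnd(signers, t0.Add(7*time.Hour)) // segment created at t0+1h
	b, _ := SelectCovering(signers, t0.Add(time.Hour), t0.Add(7*time.Hour))
	fmt.Println(a.Name, b.Name) // renewed old
}
```
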
