Really browsers should just discard anything that isn't a root CA and expires more than two years from now as a matter of principle. Consider the consequences of issuing a certificate that far out on domain ownership transfers: Facebook bought facebook.com in 2005. The previous owner could still have a signed certificate for it.
Really browsers should just discard anything that isn't a root CA and expires more than two years from now as a matter of principle. Consider the consequences of issuing a certificate that far out on domain ownership transfers: Facebook bought facebook.com in 2005. The previous owner could still have a signed certificate for it.