while most of them are old intermediate that was before SC31 (2020-june) but it doesn't have for-created-after sunsetting,
Looking through this and it looks like several are revoked. Is there a way to filter out revoked?
Examples:
Actalis Extended Validation Server CA G2
ABB Intermediate CA 3
NETLOCK Trust EV CA 2
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB4729E654019ABA4938172550AA069%40MW4PR17MB4729.namprd17.prod.outlook.com.
Both revocation and the CAB forum ballot changing the EKU requirement have effective dates. The effective date of the EKU change at CAB was Sep 2020 (SC31). You can pretty quickly eliminate the number of potentially bad ICAs by comparing those two dates. For example, Netlock shows a revocation date of June 2020. Even if it was issued the day before revocation, there still wouldn’t be a CAB Forum issue as the revocation date predates the effective date of the ballot.
I think the backdating of ICAs by years is pretty rare though. The Sectigo ICA is the only one I’m aware of that did this. Were there more? Should be pretty easy to determine from the CCADB upload compared to the notBefore date.
Since this is MDSP, the revocation date should be the date added to OneCRL as that’s the Mozilla requirement.
Jeremy
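A triage of CCADB-style intermediate records along the lines Jeremy describes (OneCRL revocation date versus the SC31 effective date first, then CCADB disclosure date versus notBefore to flag possible backdating), as an added Python example that is not from the thread or from CCADB. The exact effective day, the disclosure-lag threshold, the record field names and the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed exact effective date; the thread only says "Sep 2020 (SC31)".
SC31_EFFECTIVE = date(2020, 9, 30)
# Assumed tolerance: how long CCADB disclosure may lag notBefore before a
# pre-SC31 notBefore looks backdated rather than merely old.
DISCLOSURE_LAG_LIMIT = timedelta(days=30)


@dataclass
class IntermediateRecord:
    """One CCADB-style row (field names are this example's own)."""
    name: str
    not_before: date
    ccadb_added: date             # date the cert was disclosed in CCADB
    onecrl_added: Optional[date]  # Mozilla revocation date; None if not revoked


def classify(rec: IntermediateRecord) -> str:
    # Revoked before the ballot took effect: nothing for SC31 to apply to.
    if rec.onecrl_added is not None and rec.onecrl_added < SC31_EFFECTIVE:
        return "ignore: revoked before SC31"
    if rec.not_before >= SC31_EFFECTIVE:
        return "review: issued after SC31"
    # Pre-SC31 notBefore but disclosed long after it: candidate for backdating.
    if rec.ccadb_added - rec.not_before > DISCLOSURE_LAG_LIMIT:
        return "review: possible backdating"
    return "ignore: issued before SC31"


def triage(records: List[IntermediateRecord]) -> List[IntermediateRecord]:
    """Return only the records a reviewer still needs to look at."""
    return [r for r in records if classify(r).startswith("review")]


# Constructed sample rows; names and dates are illustrative, not from CCADB.
SAMPLE = [
    IntermediateRecord("Example Old EV CA", date(2019, 3, 1), date(2019, 3, 4), date(2020, 6, 15)),
    IntermediateRecord("Example Late Disclosed CA", date(2020, 5, 1), date(2021, 2, 10), None),
    IntermediateRecord("Example New CA", date(2021, 1, 20), date(2021, 1, 22), None),
    IntermediateRecord("Example Pre-SC31 CA", date(2020, 8, 1), date(2020, 8, 3), None),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.name}: {classify(r)}")
```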