> They were all signed by the same "intermediate" CA, however.
And the expiration of that "intermediate" obviously should have not made already accepted add-ons stop working, in this specific use-case. It's not about establishing a new trusted communication channel for a new content, it's not about disabling some specific add-on.
Thinking logically, that was not the role of that immediate certificate.
So the behavior was clearly designed wrong, because completely wrong analogy was used -- that of creating a connection, where expired intermediate certificate should prevent the new connection, which could an transfer a new attack if not verified. Here the verification already happened, and the "ban" of a specific set of add-ons was also clearly not a case.
Additionally it seems the handling of the update of the expired intermediate was not the topic of the design at all.
