So, the intended behavior is that FF does not check any Add-on related cert for a valid date range? In that case, what prevents an insider threat of a Mozilla employee signing malicious add-ons with an out-of-date cert?
When you sign software with certificates that can expire, you run into the problem that software can stop working with no change on the user's end whatsoever. And of course, the shorter the expiry on code-signing certificates, the worse this problem becomes.
The solution for systems like Java and Authenticode is for Certificate Authorities to also offer a 'Trusted Timestamping' service, which certifies that the software existed at a time when the code-signing certificate was valid.
In Java's case, as the CA providing the timestamp is already trusted issue code-signing certificates with arbitrary dates, this doesn't add any new trusted parties.
