
> You're telling me that the intended behavior is that FF allows add-ons signed by an expired cert?

The leaf certificate is specific to a particular instance of an addon. Firefox has a separate, more flexible capability called the blocklist that can disable individual addons. Since the blocklist exists, enforcing expiration dates on the leaf certificates wouldn't help in any way, but it would require re-signing and re-distributing all addons periodically. So, yes, it was a deliberate decision to ignore expiration dates on leaf certificates.

> If that is the case, then what is the point of the signing system in the first place?

I'm not sure if this was meant literally or not, but it is outlined here: https://blog.mozilla.org/addons/2015/04/15/the-case-for-exte...



