
Why is the infamous AddTrust certificate still not expired (same private key) for code signing?

Çağlar Arlı      -    5 Views


As many of you know, the AddTrust certificate https://crt.sh/?id=1 expired on 30 May 2020, as did many other intermediate certs, and now we have to update certs on many servers to either the root cert https://crt.sh/?id=1199354 or another chain with the above-mentioned root (same private key) as an intermediate https://crt.sh/?id=1282303295 signed with another root https://crt.sh/?id=331986. This is all fine according to RFC 4158. The same, BTW, applies to ECC keys.

But what I do not understand is how it is possible that the expired AddTrust root key https://crt.sh/?id=1 still has one valid certificate https://crt.sh/?id=162879063 for code signing from Microsoft. You can click on "Subject Public Key Info:" to find all other certificates with the same private/public key pair. So, can we use it for the web, or is it only for signing binaries, and the Microsoft Code Verification Root SHA1 is not trusted for the web https://crt.sh/?id=162461728 (actually, if you download it from http://www.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt, Windows will say it is not trusted)? Shouldn't it be revoked?
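The mechanism behind the question (a key pair outliving any single certificate, and a path builder picking the chain that is still valid) can be shown with a small constructed PKI. The following Go program is an added example and is not part of the original post or of any real CA's material: it generates its own keys and certificates ("Demo Root A", "Demo Root B", the cross-certificate and the leaf are all assumed names), fingerprints the SubjectPublicKeyInfo the way crt.sh groups certificates by key, and then runs Go's standard chain verification at a fixed date against the expired self-signed root and against the cross-signed path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed test PKI: key pair A appears in an expired self-signed root
// AND in a still-valid cross-certificate issued by an unexpired, independent root B.
type DemoPKI struct {
	ExpiredRootA *x509.Certificate // self-signed with key A, NotAfter in the past
	RootB        *x509.Certificate // separate root, still valid
	CrossCertA   *x509.Certificate // same subject and public key as root A, signed by B
	Leaf         *x509.Certificate // end-entity certificate issued by key A
}

func mustDate(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// makeCert signs tmpl with signerKey; parent == nil produces a self-signed certificate.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, serial int64, notBefore, notAfter string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             mustDate(notBefore),
		NotAfter:              mustDate(notAfter),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildDemoPKI generates fresh ECDSA keys and the four certificates described above.
func BuildDemoPKI() *DemoPKI {
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	rootA := makeCert(caTemplate("Demo Root A", 1, "2000-05-30", "2020-05-30"), nil, &keyA.PublicKey, keyA)
	rootB := makeCert(caTemplate("Demo Root B", 2, "2000-01-01", "2038-01-01"), nil, &keyB.PublicKey, keyB)
	// Cross-certificate: root A's subject and public key, but issued by B with a later NotAfter.
	crossA := makeCert(caTemplate("Demo Root A", 3, "2000-05-30", "2028-05-30"), rootB, &keyA.PublicKey, keyB)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "demo leaf"},
		NotBefore:    mustDate("2019-01-01"),
		NotAfter:     mustDate("2029-01-01"),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := makeCert(leafTmpl, rootA, &leafKey.PublicKey, keyA)
	return &DemoPKI{ExpiredRootA: rootA, RootB: rootB, CrossCertA: crossA, Leaf: leaf}
}

// SPKIFingerprint is SHA-256 over the DER SubjectPublicKeyInfo; equal values mean the
// same key pair, which is how crt.sh lists every certificate issued for one key.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyAt builds a chain from leaf to one of roots through inters as of time t and
// returns the subject CNs of the first chain found, or the verification error.
func VerifyAt(leaf *x509.Certificate, roots, inters []*x509.Certificate, t time.Time) ([]string, error) {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rp.AddCert(r)
	}
	for _, i := range inters {
		ip.AddCert(i)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: rp, Intermediates: ip, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	p := BuildDemoPKI()
	now := mustDate("2021-06-01")
	fmt.Println("same SPKI in expired root and cross-cert:", SPKIFingerprint(p.ExpiredRootA) == SPKIFingerprint(p.CrossCertA))
	_, err := VerifyAt(p.Leaf, []*x509.Certificate{p.ExpiredRootA}, nil, now)
	fmt.Println("via expired root:", err)
	chain, err := VerifyAt(p.Leaf, []*x509.Certificate{p.RootB}, []*x509.Certificate{p.CrossCertA}, now)
	fmt.Println("via cross-cert:", chain, err)
}
```

The point to take from running it: expiry is a property of a certificate, not of a key, so the same public key can sit in an expired root and in a valid cross-signed certificate at once, and a standards-following path builder (RFC 4158 style) will ignore the expired path and accept the other one as long as one trusted, unexpired route exists. Whether a particular trust store accepts a chain for web server use or only for code signing is decided by that store's trust settings for the anchor, which this example does not model.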