Hacker News
by ikeboy 4085 days ago
You just made me wonder what happens if you have a cert but let the name expire. Can you MITM your old domain until the cert expires?

Sure, if you can get the client to connect through your machine.
If that's the case, shouldn't all certs only be valid until the domain expires, and all domain name sales should require revocation of all certs?
Sure, but how do you enforce the latter?
The latter can't be enforced, but individual buyers can demand that for all known certs.

And I think you can currently get certs expiring later than the domain, which seems wrong to me. Is there a good justification for that?