Hacker News

grishka, yesterday at 12:48 PM (4 replies)

And no one can even give a concrete answer why root certificates need expiration dates. It's just because reasons.

IMO the whole PKI thing is a terrible idea to begin with. It would make much more sense to tie the trust in TLS to DNS somehow, since the certificates themselves depend on domains anyway. Then you would only have a single root of trust, and that would be your DNS provider (or the root servers). And nothing will expire ever again.


Replies

burnte, yesterday at 7:26 PM

The instant we bound encrypted connections with identity we failed. And decades later we're still living with the mistake.

I'm completely serious when I say we need to abandon the ID verification part of certificates. That's an entirely separate problem from the encryption protocol. An encryption protocol needs absolutely no expiration date; it's useful until it's broken, and no one can predict that. Identity should be verified in a separate path.

plq, yesterday at 3:03 PM

Certificates need expiration dates to be able to garbage collect certificate revocation lists.

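The garbage-collection point plq makes, worked through as an added example that is not part of the thread: RFC 5280 section 3.3 lets a revoked entry leave the CRL only after it has appeared on one scheduled CRL issued beyond the certificate's own expiry, so a certificate with no practical expiry can never be collected. The entries and issuance schedule below are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    not_after: datetime  # the revoked certificate's own expiry


def next_crl(entries, prev_this_update, this_update):
    """Entries for the CRL issued at this_update, given the previous CRL's thisUpdate.

    Rule (RFC 5280, section 3.3): an entry may be removed only once it has appeared
    on a regularly scheduled CRL issued after the certificate's validity ended, so an
    entry is dropped here exactly when it had already expired at the previous CRL.
    """
    kept = []
    for e in entries:
        if e.revocation_date > this_update:
            continue  # not yet revoked as of this CRL
        if prev_this_update is not None and e.not_after < prev_this_update:
            continue  # the previous CRL already carried it past expiry: collect it
        kept.append(e)
    return kept


def simulate_crls(entries, schedule):
    """Issue a CRL at each scheduled time; return [(this_update, sorted serials)]."""
    out, prev = [], None
    for this_update in schedule:
        crl = next_crl(entries, prev, this_update)
        out.append((this_update, sorted(e.serial for e in crl)))
        prev = this_update
    return out


def _utc(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample: two revoked certs with normal lifetimes and one issued with
# no practical expiry (valid to 9999), which therefore never leaves the CRL.
ENTRIES = [
    RevokedEntry(0x1001, _utc("2024-01-10"), _utc("2024-03-01")),
    RevokedEntry(0x1002, _utc("2024-02-05"), _utc("2024-06-01")),
    RevokedEntry(0x1003, _utc("2024-02-20"), _utc("9999-12-31")),
]
SCHEDULE = [_utc(f"2024-{m:02d}-01") for m in range(2, 9)]  # monthly, Feb to Aug

if __name__ == "__main__":
    for when, serials in simulate_crls(ENTRIES, SCHEDULE):
        print(when.date(), [hex(s) for s in serials])
```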
westurner, yesterday at 2:19 PM

Root certificates need expiration dates for the same reason that LetsEncrypt certs need an expiration date: risk of cert compromise and forgery increases over time.

Over a long enough timeline, there will be vulns discovered in so much of the software that guards the CA certs in RAM.

snowwrestler, yesterday at 4:42 PM

Right, because DNS entries never expire.
