Re: Yesterday (1st July), (3rd July)
Someone somewhere thought that Secure Certificates that expire was a good idea.
Expiry of key certificates is a crude way to ensure that old, obsolete, certificates get retired -- it was introduced before key revocation lists became commonplace. The idea is that if we believe that there won't be a practical attack on a given cryptographic key (for a given algorithm and key length) for N years, we can issue a certificate that's valid for no more than N years and can be reasonably confident that the key will be safe to use until after its certificate expires.
Of course, those who issue certificates commercially do so as a business. They make a profit each time they re-issue a certificate, so they have no incentive to sell very long-lived certificates.
Commercial certificates that offer financial guarantees against fraud are backed by insurance, and insurance companies are understandably reluctant to sell long-term policies, especially when the degree of risk increases unpredictably over time as attacks on the algorithm involved become more sophisticated. They want to assess the risk and set a premium for a relatively short term so that they can set a higher premium or insist on a more secure algorithm on renewal if the degree of risk has increased.
I'd suggest, in fact, that certificates should routinely be issued with a predictable short term -- say: one year -- so that updating them became a routine, well-understood, and unsurprising process.
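As an added illustration of the argument in the post above (not code from the original poster): a small inventory check that bounds each certificate's validity period to the N years we trust its algorithm and key length, and flags certificates that are due for the routine renewal the last paragraph suggests. The policy table, the record format and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy: the N years we are prepared to trust a key of this
# algorithm and size, and therefore the longest validity we will accept.
MAX_LIFETIME_YEARS = {
    ("RSA", 2048): 2,
    ("RSA", 4096): 5,
    ("ECDSA", 256): 5,
}
RENEWAL_WINDOW = timedelta(days=30)  # start routine renewal this far ahead
UTC = timezone.utc

@dataclass
class CertRecord:
    subject: str
    algorithm: str
    key_bits: int
    not_before: datetime
    not_after: datetime

def check_certificate(cert, now):
    """Return policy findings for one certificate (empty list = passes)."""
    findings = []
    max_years = MAX_LIFETIME_YEARS.get((cert.algorithm, cert.key_bits))
    if max_years is None:
        findings.append("algorithm/key size not in policy")
        return findings
    lifetime = cert.not_after - cert.not_before
    if lifetime > timedelta(days=365 * max_years):
        findings.append(f"validity {lifetime.days}d exceeds {max_years}y limit")
    if now >= cert.not_after:
        findings.append("expired")
    elif cert.not_after - now <= RENEWAL_WINDOW:
        findings.append("renewal due")
    return findings

# Constructed sample inventory, evaluated as of a fixed "now".
NOW = datetime(2024, 7, 3, tzinfo=UTC)
SAMPLE = [
    CertRecord("www.example.test", "RSA", 2048, datetime(2023, 9, 1, tzinfo=UTC), datetime(2024, 9, 1, tzinfo=UTC)),
    CertRecord("legacy.example.test", "RSA", 2048, datetime(2021, 1, 1, tzinfo=UTC), datetime(2026, 1, 1, tzinfo=UTC)),
    CertRecord("api.example.test", "ECDSA", 256, datetime(2023, 7, 15, tzinfo=UTC), datetime(2024, 7, 15, tzinfo=UTC)),
    CertRecord("old.example.test", "RSA", 1024, datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC)),
]

def audit(certs, now=NOW):
    """Map each subject to its findings so the result can be reviewed or alerted on."""
    return {c.subject: check_certificate(c, now) for c in certs}
```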