Re: What problem are the certificates solving?
But the problem is fundamental: in some way or other, the client needs to verify that the server it's sending credentials to is actually the server it meant to send those credentials to and not some other server that's stealing those credentials.
There are all sorts of ways that that verification could be done and PKI certificates are only one of them; but they are a good choice for it precisely because they have a chain of trust with differing expiry intervals. The root certificate, which allows you to verify servers, expires rarely and the security precautions around it are extreme; the server certificate expires often but that doesn't matter because the client doesn't need to be updated when the server certificate is updated.
Anything you can suggest to replace that is almost certain to be worse.
Biting the hand that feeds IT
