
For sure. Add to that the fact that in every crypto library I’ve used, you can’t tell it to ignore the expiration date without also ignoring actually harmful certificates, and this is what you end up with. If devs could just say, "yeah, we are not ever going to update the certificate," I’d be OK with that. An expired certificate is not inherently untrustworthy; it should just mean that it can’t sign anything. They’d then die of their own accord or be revoked.

Tin foil hat: To me, it smells more like CAs wanted to make some cash by forcing their customers to buy certificates every so often instead of actually solving the problem, and are now being bitten by their own rules.



