Conversation

what if ssl certificates never expired

@kemona_halftau anyone who had ever owned a domain and issued a TLS cert for it (or stolen one) would be able to impersonate any future owner forever (or until the crypto becomes so outdated software stops accepting it) because nobody checks revocation lists
@kemona_halftau with TOFU (like for SSH keys) it could work better, but the validation of ownership done by CAs kind of needs to expire

@kemona_halftau If the notAfter is set to 99991231235959Z, that's exactly what you get: a non-expiring certificate.