I suspect it's to limit how long a malicious or compromised CA can impact security.
Equivalently, it also maximizes the number of sites impacted when a CA is compromised.
It also lowers the amount of time it’d take for a top-down change to compromise all outstanding certificates. (Which would seen paranoid if this wasn’t 2025.)
Mostly this. Today of a big CA is caught breaking the rules, actually enforcing repairs (eg prompt revocation ) is a hard pill to swallow.
I think op is asking has there been many real case scenarios in practice that pushed for this change?
Equivalently, it also maximizes the number of sites impacted when a CA is compromised.
It also lowers the amount of time it’d take for a top-down change to compromise all outstanding certificates. (Which would seen paranoid if this wasn’t 2025.)
Mostly this. Today of a big CA is caught breaking the rules, actually enforcing repairs (eg prompt revocation ) is a hard pill to swallow.
I think op is asking has there been many real case scenarios in practice that pushed for this change?