In IoT deployment scenarios it is often expected that IDevIDs have no maximum validity period. For this purpose a special value of the notAfter field is used: the GeneralizedTime value 99991231235959Z. If this is done, then the certificates of the issuing CA and of any subordinate CAs cannot have a maximum validity period either. Hence, it requires careful consideration whether it is appropriate to issue IDevID certificates with no maximum validity period.
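The chain-consistency point above can be checked mechanically. The following is an added example, not code from the original page or from any standard's reference implementation: it decodes the Validity time strings as RFC 5280 encodes them (UTCTime for 1950 to 2049, GeneralizedTime otherwise, with 99991231235959Z meaning "no well-defined expiration date") and walks a leaf-first chain reporting every certificate that outlives its issuer. The chains and their subject names are constructed sample data, and the dictionary-based certificate representation is an assumption made to keep the check independent of any parsing library.

```python
from datetime import datetime, timezone

# RFC 5280 section 4.1.2.5: this GeneralizedTime value in notAfter means
# the certificate has no well-defined expiration date.
NO_EXPIRY = "99991231235959Z"


def parse_validity_time(value: str) -> datetime:
    """Decode an RFC 5280 Validity time string into an aware UTC datetime.

    UTCTime  (13 chars, YYMMDDHHMMSSZ)   is used for years 1950 through 2049.
    GeneralizedTime (15 chars, YYYYMMDDHHMMSSZ) is used for all other years.
    """
    if len(value) == 13:                      # UTCTime: two-digit year
        yy = int(value[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = value[2:]
    elif len(value) == 15:                    # GeneralizedTime: four-digit year
        year = int(value[:4])
        rest = value[4:]
    else:
        raise ValueError(f"unsupported time encoding: {value!r}")
    if not rest.endswith("Z"):
        raise ValueError(f"RFC 5280 requires Zulu (UTC) time, got {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def has_no_expiry(cert: dict) -> bool:
    """True if the certificate uses the 'never expires' notAfter sentinel."""
    return cert["notAfter"] == NO_EXPIRY


def check_chain_lifetimes(chain: list[dict]) -> list[str]:
    """Report validity problems in a chain ordered leaf first, root last.

    A finding is produced when a certificate's validity is malformed or when
    a certificate outlives its issuer. Because the no-expiry sentinel decodes
    to the latest representable time, a never-expiring IDevID under a CA with
    a bounded lifetime is reported by the same rule.
    """
    findings = []
    for cert in chain:
        not_before = parse_validity_time(cert["notBefore"])
        not_after = parse_validity_time(cert["notAfter"])
        if not_before > not_after:
            findings.append(f"{cert['subject']}: notBefore is after notAfter")
    for child, issuer in zip(chain, chain[1:]):
        if parse_validity_time(child["notAfter"]) > parse_validity_time(issuer["notAfter"]):
            child_end = "never" if has_no_expiry(child) else child["notAfter"]
            findings.append(
                f"{child['subject']} (expires {child_end}) outlives its issuer "
                f"{issuer['subject']} (expires {issuer['notAfter']})"
            )
    return findings


# Constructed sample chain: a never-expiring IDevID under CAs with bounded lifetimes.
BOUNDED_ISSUER_CHAIN = [
    {"subject": "CN=device-0001 (IDevID)", "notBefore": "20240101000000Z", "notAfter": NO_EXPIRY},
    {"subject": "CN=Sub CA (constructed)", "notBefore": "230101000000Z", "notAfter": "330101000000Z"},
    {"subject": "CN=Root CA (constructed)", "notBefore": "200101000000Z", "notAfter": "400101000000Z"},
]

# Constructed sample chain: the sentinel is carried all the way up to the root.
UNBOUNDED_CHAIN = [
    {"subject": "CN=device-0001 (IDevID)", "notBefore": "20240101000000Z", "notAfter": NO_EXPIRY},
    {"subject": "CN=Sub CA (constructed)", "notBefore": "230101000000Z", "notAfter": NO_EXPIRY},
    {"subject": "CN=Root CA (constructed)", "notBefore": "200101000000Z", "notAfter": NO_EXPIRY},
]

if __name__ == "__main__":
    for name, chain in (("bounded issuers", BOUNDED_ISSUER_CHAIN), ("unbounded chain", UNBOUNDED_CHAIN)):
        print(f"{name}: {check_chain_lifetimes(chain) or ['no findings']}")
```

Running the check on the first chain reports the IDevID outliving the subordinate CA, which is exactly the situation the paragraph warns about; only when the sentinel is used consistently up to the root does the chain pass. The check deliberately covers notAfter only: nesting of notBefore is a local policy choice rather than an RFC 5280 requirement, so it is left to the operator.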
Michael: One answer is that the RootCA->subordinateCA signatures might be limited, but resigned regularly, assuming that the new signature/certificate can somehow be retrieved by infrastructure that needs to verify it. It's not crazy that industrial IoT operators would receive regular updates. The subordinateCA->IDevID signature can not be replaced in the device, but it could be augmented in some way over time.
Discuss the topic of end-entity certificates with infinite lifetime and the implications for subordinate and CA certificates as well as the impact of algorithm changes and compromised keys.