I can understand the purpose behind the expiration dates on the SSL certificates you get issued for your domain — domains change hands, things happen. But why do root certificates have to expire at all? Relying on the system to be updatable and requiring constant maintenance doesn't feel very sustainable, and generally causes all kinds of problems. Modern Android versions treating user-installed root CAs as second-class don't exactly instill confidence either.