by newscracker 3076 days ago
This brings in the question of how long the client certificate would be valid for and how it would be renewed before expiry. If sending a tech costs a good sum of money, one may be tempted to use certificates that are valid for decades, which may or may not be a good idea depending on the client environment, advances in cracking some algorithms or proving collisions in hashing, and business-related factors.

Cert renewal can be automated the same way letsencrypt does it for instance.
Let's Encrypt validates during each renewal if the server still controls the DNS and/or HTTP endpoint. The point of the limited duration is to ensure that an attacker who got a copy of the certificate, but who doesn't control the DNS or HTTP endpoint, can't keep using it for long.

In this case, I don't see any automated check that can verify that the client trying to renew the cert is the original device, so there's no point in limiting the lifetime of the certificate, unless you send a person to do that verification manually.
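
The limitation described in the comment above, shown in code. This is an added example, not code from the thread or from any product the posters discuss: a toy CA (the names "Field Device CA" and "device-0042", the one-day lifetime and the "device-cert-renewal:" label are all made up for the example) issues short-lived client certificates and renews them after the only checks it can automate, namely that the presented certificate chains to the CA and is unexpired, and that the requester signs a CA-chosen nonce with the certificate's private key. The scenario at the end runs three renewal attempts: the device itself, an attacker who exfiltrated the device's key bytes, and an attacker who has the (public) certificate but a different key. The first two are indistinguishable to the CA, which is exactly why a short lifetime on its own does not evict an attacker who copied the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: the toy CA panics on internal failures instead of propagating them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a toy issuer of short-lived device client certificates (assumed for this example, not a real product).
type CA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Field Device CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{key: key, cert: must(x509.ParseCertificate(der))}
}

// Issue signs a client-auth certificate valid for one day. The first one is what the technician provisions on site.
func (ca *CA) Issue(deviceID string, pub *ecdsa.PublicKey) *x509.Certificate {
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: deviceID},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key))
	return must(x509.ParseCertificate(der))
}

// renewalDigest is what the client signs: a CA-chosen nonce under a fixed label (a real CA would also track nonces).
func renewalDigest(nonce []byte) []byte {
	h := sha256.Sum256(append([]byte("device-cert-renewal:"), nonce...))
	return h[:]
}

// Renew applies every check the CA can automate: the presented certificate chains to this CA and is unexpired,
// and sig proves possession of its private key. Neither check can tell a copied key from the original device.
func (ca *CA) Renew(current *x509.Certificate, nonce, sig []byte) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := current.Verify(opts); err != nil {
		return nil, fmt.Errorf("presented certificate not trusted: %w", err)
	}
	pub, ok := current.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, renewalDigest(nonce), sig) {
		return nil, fmt.Errorf("proof of possession failed")
	}
	return ca.Issue(current.Subject.CommonName, pub), nil
}

// Scenario provisions one device and reports which renewal attempts the CA accepts (see the attempts below).
func Scenario() (device, copiedKey, otherKey bool) {
	ca := NewCA()
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cert := ca.Issue("device-0042", &devKey.PublicKey) // constructed device ID, installed by the tech on site
	attempt := func(priv *ecdsa.PrivateKey) bool {
		nonce := make([]byte, 16) // challenge handed out by the CA for this attempt
		must(rand.Read(nonce))
		sig := must(ecdsa.SignASN1(rand.Reader, priv, renewalDigest(nonce))) // client side of the exchange
		_, err := ca.Renew(cert, nonce, sig)
		return err == nil
	}
	device = attempt(devKey)
	// Key bytes copied off the device and imported elsewhere: the CA sees exactly the same proof as from the device.
	thiefKey := must(x509.ParseECPrivateKey(must(x509.MarshalECPrivateKey(devKey))))
	copiedKey = attempt(thiefKey)
	// The certificate alone is public; without the matching key the proof of possession fails.
	otherKey = attempt(must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)))
	return device, copiedKey, otherKey
}

func main() {
	device, copiedKey, otherKey := Scenario()
	fmt.Printf("device renews: %v, copied key renews: %v, different key renews: %v\n", device, copiedKey, otherKey)
}
```

Running it prints `device renews: true, copied key renews: true, different key renews: false`. The short lifetime only starts to bite once the key itself cannot be copied (for example generated inside a hardware element on the device) or once renewal includes a check the CA cannot derive from the key alone, which in the setting of the thread means sending someone out.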

That is an interesting limitation. I'm sure there is some way to get around it. However, I'm not a network security expert. I just thought using SSL certs for authentication was an interesting idea.