What does he mean by CAs that don't belong there? When does a CA belong there and when doesn't it? Does it mean that if it's from Korea, it automatically doesn't belong there? The article also fails to explain what's malicious about these CAs.
Also, I think you have to manually confirm as a user to install such certificates.
Maybe I am missing something, but this smells like "Korea Bad" without explaining why.
In fact, the article does explain this. The CAs that are on this list by default have to comply with strict criteria making sure they cannot be abused. Anything that has been added externally, avoiding the usual processes of Microsoft/Mozilla/Apple, is suspect.
I know very little about certificates and online security, but I'm also kind of baffled by the expiration time of the iniLINE certificate (2018-10-10 to 2099-12-31). I feel that's also a poor practice, right? What should a regular expiration time be for a proper root certificate?
There's no authority above root certificates* that is able to sign new certificates - that's what it means to be a root certificate. So root certificates will often have super long durations.
For example, the certificate HN uses is signed by "DigiCert Global Root CA" - valid from 2006 to 2031.
* Unless you count the power of OSes/browsers to push updates with new certificates.
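Added example, not from the thread: a stdlib-only Python check of the two properties discussed above, whether a certificate is self-signed (issuer equals subject, as a root is) and how long its validity window is. The sample certificate is a constructed, unsigned DER skeleton that only reuses the 2018-10-10 to 2099-12-31 dates from the comment; it is not the real iniLINE certificate.

```python
"""Stdlib-only DER inspection: self-signed? how many years valid?"""
from datetime import datetime, timezone

def _tlv(tag, body):
    """DER-encode one tag-length-value; used only to build the sample."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _read_tlv(buf, pos):
    """Decode the TLV at pos; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    # RFC 5280: UTCTime (0x17) up to 2049, GeneralizedTime (0x18) from 2050 on,
    # so a notAfter in 2099 must be GeneralizedTime.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def inspect_cert(der):
    """Return (self_signed, validity_years) for a DER-encoded certificate."""
    tbs = _children(_read_tlv(der, 0)[1])[0][1]          # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                              # optional [0] version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (t1, v1), (t2, v2) = _children(validity)
    years = (_time(t2, v2) - _time(t1, v1)).days / 365.25
    return issuer == subject, round(years, 1)

def sample_root_cert():
    """Constructed, unsigned skeleton: CN=Example Root CA, 2018-10-10 to 2099-12-31."""
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, b"Example Root CA"))
    name = _tlv(0x30, _tlv(0x31, cn))
    validity = _tlv(0x30, _tlv(0x17, b"181010000000Z") + _tlv(0x18, b"20991231235959Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, b"") + name + validity + name + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```

Running `inspect_cert(sample_root_cert())` reports a self-signed certificate valid for about 81 years; the same function works on any DER file read from disk.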