In fact, the article does explain this. The CAs that are on this list by default have to comply with strict criteria making sure they cannot be abused. Anything that has been added externally, avoiding the usual processes of Microsoft/Mozilla/Apple, is suspect.
I know very little about certificates and online security, but I'm also kind of baffled by the expiration time of the iniLINE certificate (2018-10-10 to 2099-12-31). I feel that's also a poor practice, right? What should a regular expiration time be for a proper root certificate?
There's no authority above root certificates,* able to sign new certificates - that's what it means to be a root certificate. So root certificates will often have super long durations.
For example, the certificate HN uses is signed by "DigiCert Global Root CA" - valid from 2006 to 2031.
* Unless you count the power of OSes/browsers to push updates with new certificates.