Tags: security, x509certificate, ssl, x509

What is the purpose of the "validity period" in X.509 certificates?


I've read the parts of RFC 2459 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile) that I believed to be relevant to this question. However, I'm not totally clear on what the purpose of the validity period (specifically the expiration date) of the certificate is.

It's my understanding that the purpose of a certificate is to bind a public key to an identity in a way that can be verified (in X.509, through a certificate authority, or in OpenPGP, through a web of trust). Therefore, it seems to me like a certificate would be valid from the time it is created until the time the corresponding private key is compromised (or an employee is fired, or whatever), in which case it would be put on a certificate revocation list (I believe).

Under what circumstances is this not true? Why would the binding of an identity to a public key suddenly become invalid? I know that most certificate authorities are commercial enterprises and therefore it would be profitable to have a recurring fee, but I'm making an open source project that simply generates certificates (at no cost) that bind a username on the server to a public key, and the password of the user is used to verify his identity to the CA (which, of course, stores his hashed password).


Solution

  • The idea is to reduce the window of opportunity in case the private key gets compromised. Revocation is possible only if the compromised party is aware of that. Also, the existing revocation mechanisms are not completely reliable, so it's good to have a fixed expiration date.
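To make the answer's point concrete, here is an added example (not the answerer's code and not part of any project named on the page) using Go's standard `crypto/x509` package. It issues a constructed CA and a 90-day leaf certificate for a constructed user name, then runs chain validation at two clock readings. Inside the window the leaf verifies; after `NotAfter` the verifier refuses it on its own, with no revocation data involved. The comments also flag the relevant caveat: `crypto/x509` does no CRL or OCSP lookup at all, so in this verifier the expiration date is the only cut-off that ever bounds exposure if a key is stolen without anyone noticing. All names and dates below are assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BuildChain issues a self-signed CA certificate and a leaf certificate
// signed by it. The leaf is valid from notBefore for the given lifetime.
// The CA name and the user name are constructed values for this example.
func BuildChain(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Project CA"}, // constructed
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "alice"}, // constructed user name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime), // the validity period under discussion
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	return caCert, leafCert, nil
}

// VerifyAt runs chain validation as of the given clock reading. It returns
// nil when the leaf chains to the CA and every certificate is inside its
// validity window, and the verifier's error otherwise. crypto/x509 performs
// no CRL or OCSP lookup, so NotAfter is the only cut-off it enforces by
// itself: a compromised key nobody knows about stays usable until that date.
func VerifyAt(ca, leaf *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsExpiredError reports whether a verification failure is specifically
// the "outside the validity period" outcome rather than some other defect.
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	ca, leaf, err := BuildChain(issued, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, at := range []time.Time{issued.Add(24 * time.Hour), issued.Add(120 * 24 * time.Hour)} {
		fmt.Printf("verify at %s: %v\n", at.Format(time.RFC3339), VerifyAt(ca, leaf, at))
	}
}
```

Running it prints a nil error for the check one day after issue and an "expired" `CertificateInvalidError` for the check at day 120. Shortening `lifetime` is the lever the answer describes: it does not replace revocation, but it caps how long an unnoticed key compromise can be exploited when the relying party never consults a CRL, which is the default behaviour of this verifier.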