In theory, you can add some more complexity/fragility and have 'time notaries' sign the current time together with a challenge from the passport, verifiable against embedded public keys.

Driveby bricking of passports, coming to an airport near you!

German id cards essentially record the newest issuance timestamp seen; then they block certificates that expired prior to this recorded value.

So one erroneously issued certificate can brick every ID card in the country?

Pretty much. But you would need, first, to issue a valid certificate with a timestamp far ahead in the future. And then expose every ID card in the country to it.