> To clarify, this is the limit for how long they can be to be considered valid.
To be fair, there's already the concept of a certificate revocation list and OCSP (Online Certificate Status Protocol) that helps to check the validity of a certificate (that is, whether it has been revoked or not).
While short-lived certificates are fine for Let's Encrypt, pushing the same for the rest of the world looks a bit like an abuse to me.
The problem with certificate revocation is that a lot of software treats it as a soft-fail if revocation status can't be verified, rather than a hard fail.
That is one of the main reasons for LE's short lifespan. Certificate revocation is not reliable in practice.