Re: Would be really nice
Even better if they _reduced_ the default (and maximum) lifetime to 5 days. This would have several effects:
- Firstly, they wouldn't have to do anything in order to meet their five day deadline (because all the affected certificates would expire anyway).
- Secondly, even lazy verifiers that don't bother checking the CRL/OCSP will pick up the cancellation.
- Thirdly, _everybody_ would have to automate their certificate renewals (like you should anyway, but the automation may not handle an out-of-cycle renewal).
The only downsides I can see are:
- Let's Encrypt would need a _lot_ more servers. (Renewing every ?3? days instead of every ?80? is an almost 30-fold increase.) (But they don't need to support CRL or OCSP.)
- If someone could take Let's Encrypt offline for a few days, it would wipe out a large chunk of the web.