That's just fucking wonderful.
I bet the next rule change they make is that no entity will be permitted to renew a certificate if it's been hacked and doesn't have a clean statement of health from Mandiant.
I'm going to reconfigure my internal sub-CA to start giving out certificates that expire in 2030 (which is when my sub-CA cert expires). Between now and 2030, I'll generate a new root CA and give it a 50-year lifetime, my new sub-CA will get a 25-year lifetime and just one more round of certificates, and I'll be retired before they expire again.
The browser/CA forum are solving the wrong problem. We all know this, but it doesn't help that they don't have the power or ability to solve the underlying problem.
p.s. Are they going to shorten the CA certificate lifetimes as well? What about the DNSSEC root key lifetimes?