FAQ: Why only 90 days?

Hi

On the FAQ about why only a 90-day lifetime is offered, I think the important argument is missing.

Q: Why can't certificate lifetime be 100 years?
A: With a longer lifetime the revocation list will grow to a huge size, which will be difficult to administer for both Let's Encrypt and the system administrators.

I've moved your thread to the Site Feedback category where I think it's more appropriate, as it doesn't seem to be a request for Help.

Also, currently certificates are forbidden to be valid for longer than 398 days by the CA/Browser Forum Baseline Requirements. So there's that.

3 Likes

Welcome back, chlor!

In fact, the revocation list argument only sort of applies: in general, the maximum size of a revocation list is exactly equal to the number of currently-valid certificates. And the number of currently-valid certificates is approximately equal to the number of websites using our certificates. The number of websites using our certificates doesn't change if those certificates are valid for 10 days, 90 days, or a whole year -- the longer the certificate lifetime, the longer folks wait before renewing their cert. So the total population of certificates (and therefore the maximum size of a revocation list) doesn't meaningfully change.

There are of course exceptions: if there's an incident that requires a mass revocation event, then it's nice for all of those revoked-and-replaced certificates to fall off the revocation list sooner rather than later. But in the steady state, revocation list size is more correlated with the CA's popularity than with the CA's certificate lifetime.

6 Likes

But the average number of valid certificates per site does change. For a 90-day cert renewed at 30 days, the average number of certificates per site would be like 1β…“ certs, right? But for a 180-day cert it would be, on average, 1β…™ certs per site.

That could be quite a difference in total valid certs if you compare 30 days vs. 300 days.

Your argument is only valid if the new cert is issued just as the old one expires.

1 Like

(Apologies, this is getting a bit in the weeds, and away from the original topic of this thread, but:)

Not quite. The argument holds as long as all certificates are renewed the same percentage of the way through their lifetime. Which is exactly what we do recommend: we don't tell people to renew 30 days before expiration, we tell them to renew two-thirds of the way through the lifetime of their certificate. So the average number of certificates per site would be 1β…“ regardless of the certificate lifetime.

2 Likes
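The two arguments above (the steady-state population of valid certificates being independent of lifetime when everyone renews at the same fraction of it, and the mass-revocation exception where revoked entries linger on the CRL until their original expiry) can be checked with a small model. The following is an added example written for this page, not code from the thread or from Let's Encrypt. It assumes a constructed population in which each site renews every `renew_at` days, sites are spread evenly over the renewal cycle, and a certificate issued on day t is valid on days t through t+lifetime-1; the function names and the 10,000-day observation point are arbitrary choices of the example.

```python
from fractions import Fraction

# Constructed model (added example, not code from the Let's Encrypt thread):
# a site first obtains a certificate on day `first_issue` and renews every
# `renew_at` days; a certificate issued on day t is valid on days t .. t+lifetime-1.
# Sites are spread evenly over the renewal cycle (one site per phase), which is
# what a large, steadily renewing population looks like.


def valid_issuances(day, first_issue, lifetime, renew_at):
    """Issuance days of this site's certificates that are still valid on `day`."""
    assert first_issue <= day
    k = (day - first_issue) // renew_at      # index of the latest issuance <= day
    issued = []
    while k >= 0:
        t = first_issue + k * renew_at
        if t + lifetime <= day:              # expired; everything older is too
            break
        issued.append(t)
        k -= 1
    return issued


def population(renew_at):
    """One site per renewal phase, all of them renewing since before day 0."""
    return [-phase for phase in range(renew_at)]


def certs_per_site(lifetime, renew_at, day=10_000):
    """Population-average number of simultaneously valid certificates per site.
    Returns an exact Fraction; in steady state it equals lifetime / renew_at,
    i.e. it depends only on the fraction of the lifetime at which sites renew."""
    sites = population(renew_at)
    total = sum(len(valid_issuances(day, s, lifetime, renew_at)) for s in sites)
    return Fraction(total, len(sites))


def crl_share_remaining(lifetime, renew_at, days_after, event_day=10_000):
    """Share of a mass-revocation batch still listed on the CRL `days_after` days
    after every valid certificate was revoked on `event_day` (and replaced).
    A revoked entry stays listed until the certificate's original expiry, so the
    batch drains over `lifetime` days whatever the renewal interval is."""
    sites = population(renew_at)
    revoked = [t for s in sites for t in valid_issuances(event_day, s, lifetime, renew_at)]
    still_listed = sum(1 for t in revoked if event_day + days_after < t + lifetime)
    return Fraction(still_listed, len(revoked))


if __name__ == "__main__":
    # Renewing a fixed 30 days before expiry: the average changes with the lifetime.
    print("90-day cert, renew 30 days early :", certs_per_site(90, 60))    # 3/2
    print("180-day cert, renew 30 days early:", certs_per_site(180, 150))  # 6/5
    # Renewing two-thirds of the way through the lifetime: identical for every lifetime.
    for lifetime in (30, 90, 360):
        print(f"{lifetime}-day cert, renew at 2/3:", certs_per_site(lifetime, lifetime * 2 // 3))  # 3/2
    # Mass revocation: shorter lifetimes drain the CRL faster.
    for lifetime in (90, 360):
        print(f"{lifetime}-day certs, CRL share left after 90 days:",
              crl_share_remaining(lifetime, lifetime * 2 // 3, 90))   # 0 and 3/4
```

The exact-fraction results make the point of the thread visible: renewing a fixed 30 days before expiry gives 3/2 certificates per site for 90-day certificates but 6/5 for 180-day ones, whereas renewing at two-thirds of the lifetime gives 3/2 for 30-, 90- and 360-day certificates alike, so the steady-state CRL ceiling is set by how many sites the CA serves, not by the lifetime. The mass-revocation run shows the exception: 90 days after the event the 90-day batch has left the CRL entirely while three quarters of the 360-day batch is still listed.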

If you recommend that, sure. It's just a little bit silly to renew 100 days till expiry in my opinion :stuck_out_tongue:

1 Like