Hi Kiwamoto,
I'm one of the engineers who worked on the ARI integration here at Let's Encrypt. Thank you for reaching out, and we greatly appreciate your consideration of adopting ARI for your renewals!
Before diving into details about how we use ARI, I'd like to address a point you mentioned:
> We would certainly ALSO be able to double-check if the cert is truly being revoked by following up a call to ARI with a subsequent OCSP query...
While checking OCSP is an excellent way to determine if a certificate has already been revoked, it won't tell you about an impending revocation.
> Can we solve 2 problems with 1 API call for each active certificate?
Yes, you can indeed address both problems with a single API call. When you use the `renewalInfo` endpoint, we check if the certificate is currently revoked or affected by an ongoing incident (i.e., about to be revoked). If either of these is the case, we return a suggested renewal window in the past, advising immediate renewal. If not, we provide an ideal suggested renewal window in the future.
As a kind of added bonus, if you renew based on ARI's recommendations and include the ARI certificate identifier in the `replaces` field of your replacement order, we will exempt your order from all rate limits. This and more is discussed in a blog post I published a little while back: An Engineer's Guide to Integrating ARI into Existing ACME Clients - Let's Encrypt
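The client-side half of what the reply describes, as an added example that is not part of the original post or of any Let's Encrypt code: building the ARI certificate identifier, turning a `renewalInfo` response into a renew-now/renew-later decision (a window that has already ended means revoked or pending revocation), and putting that identifier into the `replaces` field of the replacement order. The HTTP fetch itself is left out; the response dict and the AKI/serial test values are constructed inputs (they match the worked example in RFC 9773).

```python
import base64
import random
from datetime import datetime, timedelta
from typing import Optional, Tuple


def b64url(data: bytes) -> str:
    # ARI uses unpadded base64url (RFC 4648, section 5).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(n: int) -> bytes:
    # Content octets of a positive DER INTEGER: minimal two's-complement, big-endian,
    # so a leading 0x00 is kept when the top bit is set. Tag and length are excluded.
    if n < 0:
        raise ValueError("serial numbers are non-negative")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """Identifier used in GET .../renewalInfo/{id} and in the newOrder 'replaces' field."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_content(serial))}"


def parse_rfc3339(s: str) -> datetime:
    # fromisoformat() accepts "Z" only on Python 3.11+, so normalise it first.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def plan_renewal(renewal_info: dict, now: datetime,
                 rng: Optional[random.Random] = None) -> Tuple[bool, datetime]:
    """Return (renew_now, when) from a renewalInfo response body."""
    window = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= now:
        return True, now      # window already passed: revoked or about to be, renew immediately
    if start <= now:
        return True, now      # inside the window: renew on this run
    # Future window: choose a uniformly random instant inside it so a fleet of
    # clients does not all renew at the same second.
    rng = rng or random.Random()
    return False, start + timedelta(seconds=(end - start).total_seconds() * rng.random())


def new_order_payload(dns_names: list, replaces: str) -> dict:
    """newOrder body naming the certificate being replaced, which the reply says exempts the order from rate limits."""
    return {"identifiers": [{"type": "dns", "value": d} for d in dns_names], "replaces": replaces}
```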