Thanks for the honest feedback. You’re right that I haven’t been responding in this thread as often as I should, given how important this issue is to so many people. I have been reading and considering every post. I haven’t yet taken the issue to the TAB. I’ve been preoccupied mostly with other post-launch issues like improving our rate limits and renewal emails, and getting XP support working. I’ll bring it to them in the next few weeks.
Personally: After 4 months of experience, I feel that the 90-day lifetime has been very helpful so far. Most clients appear to be implementing automated renewals, which is great. I think that would be less likely if the clients could request longer lifetimes, and the author could postpone implementation of autorenewal until late 2016. Relatedly, we’ve found some issues that people have had at renewal time, and we’ve been improving the service to work around those issues. In a world of 365-day lifetimes, we may not have discovered those issues so quickly.
Relatedly, the fix for the Windows XP problem is going to involve deploying a new intermediate certificate. With 90-day certs, we can be confident that within 90 days, all currently-valid Let’s Encrypt certificates will be using the new, improved intermediate, and all those sites will be compatible with Windows XP. This type of transition would take much longer if some of our certificates were for a year or longer.
As @cool110 said, I think the HPKP / DANE use case is adequately addressed by requesting the same key at renewal time.
Believe me, I feel this pain. I recently advised a friend to pay(!) for a certificate from her shared hosting company, because they don’t yet support Let’s Encrypt, and the process of manually issuing certificates from Let’s Encrypt and uploading them to the web interface would have been too time consuming and tedious. Of course, I didn’t like making that recommendation when I work on Let’s Encrypt.
However, if she only had to generate and upload a certificate once a year, that would not be an improvement. It would still mean learning an arcane skill that takes away time from much more important work that she would otherwise be doing. In a year, if people are still copying and pasting keys and certs into hosting control panels, that doesn’t look like success to me. Success, on the shared hosting side, will be when a large number of providers implement automatic Let’s Encrypt issuance for all sites, with no configuration needed. Longer lifetimes don’t help us get there, and may even make it harder to get there.
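The HPKP / DANE point above (request the same key at renewal and the pin stays valid), as an added example that is not from the original post or from any Let's Encrypt client: a Go program that computes the SPKI pin, builds a renewal CSR the way a client would, and checks whether an already published pin survives with a reused key versus a fresh one. The hostname example.test and the key sizes are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
)

// spkiPin returns the HPKP pin for a public key: base64(SHA-256(SubjectPublicKeyInfo DER)).
// A DANE TLSA record with selector 1 (SPKI) and matching type 1 (SHA-256) hashes the same bytes.
func spkiPin(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// renewalPin builds a CSR for host signed with key, parses it back the way a CA would,
// and returns the pin of the public key that a certificate issued from it would carry.
func renewalPin(key *rsa.PrivateKey, host string) (string, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return "", err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	return spkiPin(csr.PublicKey)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: key used for the first issuance
	published, _ := spkiPin(&key.PublicKey)      // the pin an operator would publish in HPKP / TLSA
	fresh, _ := rsa.GenerateKey(rand.Reader, 2048)
	reused, _ := renewalPin(key, "example.test")   // renewal that reuses the key
	rotated, _ := renewalPin(fresh, "example.test") // renewal that rotates the key
	fmt.Println("reused key keeps pin:", reused == published, "| fresh key keeps pin:", rotated == published)
}
```

Most ACME clients expose key reuse as an option (certbot's --reuse-key, for example); comparing the published pin against the renewal CSR's key, as above, is the check to run before relying on it.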