I strongly agree on limiting the certificate lifetime, if, and only if, there is a reliable method of automating certificate renewal. And there is one.
Both website admins and visitors care only about one thing - is the current certificate of the website they are visiting valid NOW? If it is, then everything is fine and there is nothing more to worry about. As a website admin, I don’t care whether my certificates are valid for 6 months or 3 years. Why should I? All my certificates must be valid NOW. That’s all.
It was mentioned many times before that certificates with longer validity can present a security risk and certificates with an extremely long lifetime (like 100 years) present an extremely high risk. I am OK with that. Let’s Encrypt says a certificate should be valid for 90 days? Fine! That means that I have to renew all my certificates every 60 days. Is that a problem? Not at all, because all I need is a tool that does it automatically.
On my server I use my own script which checks and renews all certificates automatically when needed (see here). There is no magic there, it just works and it is a very simple script. Anyone could write a script like that, or even a better one. Just run it once daily via cron and forget about certificate lifetime - all your certificates are always going to be up to date. Congratulations to the people from Let’s Encrypt, they have managed to create a way to automate everything. No more manual fiddling with CSRs, confirmation emails, copying/pasting keys and all that nightmare. It’s gone. Forever.
So this is my point - once you set up automatic certificate renewal on your server, the whole debate on the certificate lifetime becomes completely pointless. Let’s Encrypt says the lifetime should be 90 days? So be it, I don’t care anymore.
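A minimal version of the daily cron check described in the post, as an added example that is not the author's script: it asks only whether each certificate is still valid for another 30 days (so a 90-day Let's Encrypt certificate gets renewed around day 60) and calls a hypothetical renew_cert hook when it is not. The directory layout ($CERT_DIR/<site>/cert.pem) and the renew_cert hook are assumptions; substitute your ACME client's renew command.

```shell
#!/bin/sh
# Added example (not the post author's script): a cron-style renewal check.
# Assumptions: each site's certificate is $CERT_DIR/<site>/cert.pem,
# openssl is installed, and the hypothetical renew_cert hook stands in for
# the ACME client's real renew command.
CERT_DIR="${CERT_DIR:-/etc/ssl/sites}"
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"   # 90-day cert renewed from day 60

# needs_renewal CERTFILE DAYS: true (exit 0) when the certificate expires
# within DAYS days or cannot be read. openssl's -checkend N exits 0 only
# while the certificate remains valid for another N seconds.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) \
            >/dev/null 2>&1; then
        return 1   # still valid beyond the window: nothing to do
    fi
    return 0       # expiring soon or already expired: renew
}

# renew_cert SITE: hypothetical hook; replace with your ACME client's renew.
renew_cert() {
    echo "renewing certificate for $1" >&2
}

# check_all DIR DAYS: visit every site directory, renew what is due, log to
# stderr, and print the number of certificates that were due on stdout.
check_all() {
    dir="$1"; days="$2"; due=0
    for site in "$dir"/*/; do
        [ -d "$site" ] || continue
        name=${site%/}; name=${name##*/}
        if needs_renewal "${site}cert.pem" "$days"; then
            echo "$name: renewal due" >&2
            renew_cert "$name" && due=$((due + 1))
        else
            echo "$name: valid now, no action" >&2
        fi
    done
    echo "$due"
}

# Run once a day from cron; cron mails the output whenever something is due.
check_all "$CERT_DIR" "$RENEW_BEFORE_DAYS"
```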