We’re hardly suffering. Three months is a very practical compromise balancing security and maintenance. And when automated (as most users do) the process requires virtually no maintenance at all. I basically run my eyes over a weekly cron email to see if anything requires attention. It’s not exactly something I “suffer” through.
Yes, ideally the sysadmin should be solely responsible. However in the real world, Let’s Encrypt’s target audience are non-professionals, hobbyists and small businesses. These are users and administrators that have very little skill in hardening their systems, much less identifying system compromises and knowing what actions to take in response.
Just look at the very example you quoted but ignored - heartbleed. This was a major security flaw in a huge number of servers around the world, yet it took a very long time for fixes to be implemented. Months after the issue was identified and patched there were still hundreds of thousands of vulnerable servers.
Even if you wanted to fix heartbleed and you patched your system, amateur and inexperienced sysadmins might not think to regenerate SSL certificates. Short cert lifetimes ensure these problems do not persist for years.
Tension? Really? And why would visitors see an insecure warning? Don’t you maintain your site properly?
Your “arguments” are hyperbole at best. There is absolutely no reason to implement a system that you’re incapable of maintaining. This site and its discussions contain plenty of support when it comes to automating renewal. There are many renewal methods, many clients that support various authentication methods, options for when you don’t have root, options for cert locations, and you get multiple reminder emails before expiry in case you haven’t automated the process.
If this causes you “tension”, perhaps you should try another career path.
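As an added example (not from any poster in this thread, and not part of any Let’s Encrypt client), here is the kind of cron check the “weekly cron email” remark above boils down to, written in POSIX shell around `openssl x509 -checkend` so it needs no GNU `date`. It prints one line per certificate that expires within a threshold and stays silent otherwise, which is what makes cron mail useful: you only get a message when something needs attention. Each flagged certificate is printed with its notBefore and notAfter, so after an incident like heartbleed you can see at a glance whether a cert was reissued after the patch. The 30-day default, the `/etc/letsencrypt/live/...` path in the usage comment, and the self-signed test certificates are assumptions and constructed data for the demo; a file that claims to be a certificate but cannot be parsed is treated as needing attention rather than skipped.

```sh
#!/bin/sh
# Added example, not from the thread: a cron-friendly certificate expiry check.
# Prints one line per certificate that expires within THRESHOLD_DAYS and is
# silent otherwise, so a cron job running it only produces mail when something
# actually needs attention. Uses only openssl and POSIX sh.

THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"   # assumed default; Let's Encrypt certs live 90 days

# cert_needs_attention <cert.pem> [days]
# Returns 0 (true) if the certificate expires within <days>, or cannot be
# parsed at all; returns 1 (false) if it is good for longer than that.
cert_needs_attention() {
    pem="$1"
    days="${2:-$THRESHOLD_DAYS}"
    # openssl exits 0 when the cert is still valid <secs> from now, and
    # non-zero when it will have expired by then or when it cannot read it.
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_cert_dir <dir> [days]
# Scans *.pem in <dir>, skipping files that are not certificates (a certbot
# live/ directory also holds privkey.pem). Flagged certs are printed with their
# validity window: notBefore shows whether the cert was (re)issued after a
# patch such as the heartbleed fix, notAfter when it runs out.
# Returns 1 if anything was flagged, 0 otherwise.
check_cert_dir() {
    dir="$1"
    days="${2:-$THRESHOLD_DAYS}"
    status=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        grep -q 'BEGIN CERTIFICATE' "$pem" || continue
        if cert_needs_attention "$pem" "$days"; then
            validity=$(openssl x509 -noout -startdate -enddate -in "$pem" 2>/dev/null | tr '\n' ' ')
            echo "ATTENTION: $pem expires within $days days (${validity:-unreadable certificate})"
            status=1
        fi
    done
    return "$status"
}

# make_test_cert <dir> <name> <days>
# Constructed test data only: a throwaway self-signed cert valid for <days>.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2.example" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Run from cron with the directory to watch (path is an assumed example):
#   CERT_CHECK_DIR=/etc/letsencrypt/live/example.com sh cert-check.sh
if [ -n "${CERT_CHECK_DIR:-}" ]; then
    check_cert_dir "$CERT_CHECK_DIR"
fi
```

Because cron mails whatever a job prints, a job that is silent on success is the low-maintenance setup described above: the weekly message only arrives when a renewal has stopped working, and the non-zero exit status lets a monitoring wrapper alert on it too.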
I can’t facepalm this comment enough. Yes, Let’s Encrypt’s key goal of securing the web means they literally want every website visitor to see insecure site warnings after 90 days.
Offering certificates for longer than a year is a security issue. SSL Labs will actually downgrade your security if your certificate has an extremely long expiry. But being the security expert, you knew that already, right?
Even My1 disagrees with you. That’s how embarrassingly wrong your post is.