I wonder, why were so many certificates scheduled for revocation?
Remember, the bug ONLY applied to those that had a previous authorization that was more than 8 hours old prior to issuance, where there was a CAA rechecking bug.
This means that ALL certificates that were issued within 8 hours of all approved authorizations should be unaffected, since even with the bug, which was against the policy, issuance would be allowed without rechecking at all; the original CAA check is still valid.
And as far as I know, Let's Encrypt has a log of all authorizations that is stored at least until the certificate expires, because they are required to show that authorizations happened if a legal case arises where someone complains of a fraudulently issued certificate.
Thus Let's Encrypt should be able to parse that log and only pick the certificates that have more than 8 hours between authorization and issuance for at least one of the domains, if I'm right. And most Let's Encrypt clients DO issue immediately after authorizing, which means there should not be any delay there.
Or what is the problem with just picking those certificates?
It seems that Let's Encrypt has picked all certificates that were issued at the time when the bug was present in the system, regardless of when the authorizations happened.
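The filtering the post describes, written out as an added example (not the poster's code and not anything from Let's Encrypt's Boulder code base): for each certificate, compare the issuance time against the validation time of every authorization it relied on, and flag the certificate only if at least one domain's authorization was more than 8 hours old at issuance. The record layout, the constructed serials and timestamps, and the strict "more than 8 hours" boundary are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The post's threshold: CAA results were only rechecked for authorizations
# older than this at issuance. Strictly greater-than is an assumption.
RECHECK_WINDOW = timedelta(hours=8)


@dataclass
class Certificate:
    serial: str                 # constructed placeholder, not a real serial
    issued_at: datetime         # when the certificate was signed
    authz_validated_at: dict    # domain -> time its authorization was validated


def stale_authorizations(cert, window=RECHECK_WINDOW):
    """Domains whose authorization was older than `window` when the cert was issued.

    These are the only domains for which a CAA recheck should have happened,
    so an empty result means the original CAA check still covered issuance.
    """
    return sorted(domain for domain, validated in cert.authz_validated_at.items()
                  if cert.issued_at - validated > window)


def needs_review(cert, window=RECHECK_WINDOW):
    """True if any SAN on the certificate relied on a stale authorization."""
    return bool(stale_authorizations(cert, window))


def triage(certs, window=RECHECK_WINDOW):
    """Map serial -> stale domains for every certificate that needs review."""
    return {c.serial: stale_authorizations(c, window)
            for c in certs if needs_review(c, window)}


def _utc(stamp):
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample log entries standing in for the authorization log.
SAMPLE_CERTS = [
    # Typical ACME client: validated and issued within minutes -> unaffected.
    Certificate("constructed-01", _utc("2020-03-01T10:05:00"),
                {"example.com": _utc("2020-03-01T10:00:00"),
                 "www.example.com": _utc("2020-03-01T10:01:00")}),
    # One SAN reused a week-old authorization -> recheck was required.
    Certificate("constructed-02", _utc("2020-03-01T12:00:00"),
                {"example.net": _utc("2020-02-23T09:00:00"),
                 "www.example.net": _utc("2020-03-01T11:50:00")}),
    # Exactly 8 hours: inside the window under the strict-inequality assumption.
    Certificate("constructed-03", _utc("2020-03-01T18:00:00"),
                {"example.org": _utc("2020-03-01T10:00:00")}),
]

if __name__ == "__main__":
    for serial, domains in triage(SAMPLE_CERTS).items():
        print(f"{serial}: stale authorization for {', '.join(domains)}")
```

With the constructed data only `constructed-02` is returned, and only `example.net` is listed for it: the sibling SAN validated ten minutes before issuance does not by itself put a certificate in scope, but one stale authorization on a multi-SAN certificate is enough.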