> including attackers that mislead CAs into misissuing a cert.
I thought we had CT for this.
> CAs used to be able to use WHOIS for DCV. The fact that this option was taken away from everyone is good.
Fair.
> It's the same with this change, and you have plenty of time to prepare for it.
Not so sure on this one, I think it's basically a result of a security "purity spiral". Yes, it will achieve better certificate hygiene, but it will also create a lot of security busywork that could be better spent in other parts of the ecosystem that have much worse problems. The decision to make something opt-in mandatory forcibly allocates other people's labour.
CT definitely helps, but not everyone monitors it. This is an area where I still need to improve. But even if you detect a misissued cert, it cannot reliably be revoked with OCSP/CRL.
--
The maximum cert lifetime will gradually go down. The CA/B forum could adjust the timeline if big challenges are uncovered.
I doubt they expect this to be necessary. I suspect that companies will discover that automation is already possible for their systems and that new solutions will be developed for most remaining gaps, in part because of this announced timeline.
This will save people time in the long run. It is forced upon you, and that's frustrating, but you do have nearly a year before the first change. It's not going down to 47 days in one go.
I'm not saying that no one will renew certificates manually every month. I do think it'll be rare, and even more rare for there to be a technical reason for it.