I meant the cross-signing. That is the big deal here. And I somehow have this nagging feeling that they were strong-armed into the 3-month renewal policy. No other reason to not have yearly renewals.

Even if they do get into browser roots now, there are hundreds of millions of mobile devices out there that will not accept Let's Encrypt without a cross-sign. Let's face it, Let's Encrypt is dead in the water without IdenTrust (or someone similar).

It's not a bug, it's a feature.

As mentioned in the other threads, 3-month renewal provides a smaller risk window for compromised domains/certificates.

This is important, considering that certificate revocation is not a universally solved problem, and that Let's Encrypt is aiming to radically increase the amount of certificate issuance as a whole.

No strong-arming necessary, I'm pretty sure technical considerations ruled the day here.


ACM's roots are cross-signed by Starfield (GoDaddy, IIRC), while they wait for their inclusion in the browser roots... so I can't see a difference with Let's Encrypt? AFAIK either you have the processes/tech in place to secure your CA and issue certificates, or you don't.

https://mozillacaprogram.secure.force.com/CA/PendingCACertif... shows Mozilla's in-progress certifications -- including Let's Encrypt, Amazon, DocuSign, VISA, a bunch of governments, telcos, existing CAs, and others I don't recognise. Cross-signing is a pragmatic solution for older client devices (e.g. abandonware Android phones) for _any_ CA root, new or otherwise.
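The cross-signing mechanism this comment describes, as an added example that is not code from the thread or from Let's Encrypt, Amazon or any CA: a toy chain builder in Python. The CA names, keys and validity dates are hypothetical and constructed; signatures are textbook RSA over fixed Mersenne primes so the script runs offline with no dependencies. It shows why a client that trusts only the old root still builds a chain when the same intermediate key is also signed by that root, and, for the 90-day point raised earlier in the thread, why an expired leaf stops validating whether or not revocation ever reaches the client.

```python
"""Toy model of cross-signing and X.509-style chain building.

Added example, not code from the thread or from any CA. Everything is a
deliberate simplification: certificates are dicts, signatures are textbook
RSA over a SHA-256 digest using hard-coded Mersenne primes, and the CA names
are hypothetical. The search structure is what a real TLS client performs.
"""
import hashlib

# ---- toy RSA: keys from fixed primes; NOT secure, just verifiable ----
def rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                    # (public, private)

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(_h(data) % n, d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data) % n

# ---- minimal "certificate": subject, issuer, key, validity, signature ----
def make_cert(subject, issuer, pub, issuer_priv, not_before, not_after):
    tbs = f"{subject}|{issuer}|{pub[0]}|{pub[1]}|{not_before}|{not_after}".encode()
    return {"subject": subject, "issuer": issuer, "pub": pub,
            "not_before": not_before, "not_after": not_after,
            "tbs": tbs, "sig": sign(issuer_priv, tbs)}

def build_chain(leaf, candidates, trust_store, now):
    """Depth-first search from the leaf to any root in trust_store.

    candidates: intermediates the server sent (or the client has cached).
    trust_store: {root name: root public key} for this particular client.
    Returns the certs leaf..last intermediate, or None if no path exists.
    Every cert on the path must be inside its validity window at `now`.
    """
    def walk(cert, path):
        if not (cert["not_before"] <= now <= cert["not_after"]):
            return None
        root_pub = trust_store.get(cert["issuer"])
        if root_pub is not None and verify(root_pub, cert["tbs"], cert["sig"]):
            return path + [cert]
        for cand in candidates:
            if (cand["subject"] == cert["issuer"] and cand not in path
                    and verify(cand["pub"], cert["tbs"], cert["sig"])):
                found = walk(cand, path + [cert])
                if found:
                    return found
        return None
    return walk(leaf, [])

def chain_issuers(leaf, candidates, trust_store, now):
    """Issuer names along the built chain, or None; handy for inspection."""
    chain = build_chain(leaf, candidates, trust_store, now)
    return None if chain is None else [c["issuer"] for c in chain]

# ---- constructed scenario (hypothetical names, keys and dates) ----
OLD_ROOT = "Old Root CA (in legacy phone trust stores)"
NEW_ROOT = "New Root CA (not yet in legacy stores)"
INTER = "Issuing Intermediate CA"
SITE = "example.org"
NOW, DAY = 1_700_000_000, 86_400

old_pub, old_priv = rsa_keypair(2**31 - 1, 2**61 - 1)
new_pub, new_priv = rsa_keypair(2**89 - 1, 2**107 - 1)
int_pub, int_priv = rsa_keypair(2**127 - 1, 2**521 - 1)
leaf_pub, _ = rsa_keypair(2**607 - 1, 2**1279 - 1)

# Same intermediate subject and key, signed twice: once by the new root and,
# as the cross-sign, once by the old root.
inter_by_new = make_cert(INTER, NEW_ROOT, int_pub, new_priv, NOW - DAY, NOW + 1825 * DAY)
inter_by_old = make_cert(INTER, OLD_ROOT, int_pub, old_priv, NOW - DAY, NOW + 1825 * DAY)
# 90-day leaf, as the thread discusses.
leaf = make_cert(SITE, INTER, leaf_pub, int_priv, NOW - DAY, NOW + 89 * DAY)

LEGACY_CLIENT = {OLD_ROOT: old_pub}                    # e.g. an unpatched phone
MODERN_CLIENT = {OLD_ROOT: old_pub, NEW_ROOT: new_pub}

if __name__ == "__main__":
    print("legacy, no cross-sign :", chain_issuers(leaf, [inter_by_new], LEGACY_CLIENT, NOW))
    print("legacy, cross-sign    :", chain_issuers(leaf, [inter_by_new, inter_by_old], LEGACY_CLIENT, NOW))
    print("modern, no cross-sign :", chain_issuers(leaf, [inter_by_new], MODERN_CLIENT, NOW))
    print("legacy, 120 days later:", chain_issuers(leaf, [inter_by_old], LEGACY_CLIENT, NOW + 120 * DAY))
```

Real TLS stacks run the same search over the server-supplied intermediates and the local trust store, which is why a site has to actually serve the cross-signed intermediate (or both intermediates) for the legacy path to exist. The cross-signed path only helps while the old root itself remains valid and present in the device's store; once the leaf passes its own not-after, no path validates regardless of how the roots are arranged.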


It used to be GoDaddy, but Amazon bought and now owns/operates the Starfield Root CA that cross-signed the Amazon CA.
