alex34778 | 1 year ago

Regarding "the right thing overall would be them running their services correctly", what was it that they did incorrectly?

Managing certificates for 3rd party domains through DNS validation is inherently going to be slow because you're at the mercy of those clients, their IT teams and change-control process.

If the only "correct" way is to have fully automatic certificate provisioning (like via HTTP challenge) so that certificates can be reliably replaced within 24 hours of an incident, then the CA/B Forum should make a rule to enforce that. As it is, they allow up to a year on certificates, which sends the opposite message.

Moreover, with regard to risk, you're assuming a priori that PKI-related risks trump all other risks, but that simply does not seem logical: the risk of an outage depends on the sector, and the difference in risk between a 1-day and 5-day revocation period, for example, may well be less than the risk assigned to the outage.

If this isn't the case, then the CA/B Forum needs to reduce the maximum lifetime of certificates to 1 day so we can be sure all parties are able to meet the revocation window.
