Let’s Encrypt is sticking with the 90 day expiration period on certs:
1. They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
2. They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.
This doesn’t really sell me on the choice of a 90 day period. That is more than enough time for a compromised key to do loads of damage. On the automation front, having solid APIs will do more to promote automation than shorter certificate lifetimes.
Perhaps I’m too stuck in my ways, having used one year certs for a long time now. I’m still hopeful that Let’s Encrypt will be successful.