Comment by duskwuff
When Let's Encrypt got started in 2014, CAs could issue certificates valid for up to five years - and many did. The CA/Browser Forum has slowly been ratcheting that down.
When Let's Encrypt got started in 2014, CAs could issue certificates valid for up to five years - and many did. The CA/Browser Forum has slowly been ratcheting that down.
That (five year certs) was technically true, but the CA/B BRs already told you that was going away in 2015 when Let's Encrypt was started. I don't know how many were still actually selling such a product by the point Let's Encrypt is on the scene.
I think the drop-dead date for this product was like April 2015 or so. The ideal customer for a product like this (lazy and also incompetent but with plenty of money) is also likely to leave it too late. I won't guarantee we'd have caught that, but unlike forbidden steps taken to avert a bigger mess of ones own making (as happened for SHA-1 deprecation, some notable financial outfits secured certs which should not have existed, to cover for the fact they hadn't properly managed their own technical risks) this seems like a product category thing, nobody was openly selling certs that would just break in Chrome, that's a bad product.
[Why would such certificates break in Chrome? Google hate these long lived certs so Chrome treats certificates which have validity exceeding what the BRs authorise as immediately invalid, if you want to moan to Google about why your prohibited certs don't work you're basically admitting you violated your agreement with them so it's like showing up to claim your stolen rucksack full of cocaine from the cops...]