Is there no-one on the Chromium team who knows about #OCSP stapling? Or does Google not like having to keep OCSP responses for stapling in their servers? https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/
They say they want to reduce #TLS certificate lifetimes because there's no good revocation mechanism, and all the problems they mention could be solved by strictly requiring stapling with the TLS feature extension in certificates (using RFC 7633). Stapling doesn't place a huge burden on CAs (because only the server using a certificate has to update its cached response now and then), it doesn't expose client behavior to CAs (because clients only need to talk to servers they want to talk to), and if stapling is required by the certificate it fails closed in case of revocation as soon as the last positive response expires (currently CAs usually issue responses with a lifetime of about a week, but that could be reduced easily).
Shorter certificate lifetimes aren't necessarily a bad thing, but the reasoning doesn't make sense.
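To make the fail-closed argument above concrete, here is an added example (not code from the original post) that models the client-side decision a TLS client makes when a certificate carries the RFC 7633 TLS Feature extension for `status_request` (value 5, the "must-staple" marker) and the server does or does not staple an OCSP response. The `Certificate` and `OCSPResponse` classes are a constructed simplification with no ASN.1 or signature handling; the `evaluate` and `needs_refresh` functions and the sample timestamps are assumptions made for the model, not any browser's real implementation. It also shows, for contrast, the soft-fail behaviour that applies when the extension is absent, which is the gap the post is pointing at.

```python
"""Model of OCSP stapling with and without the RFC 7633 must-staple extension.

Constructed example: the data classes below hold only the fields that matter
for the accept/reject decision. No real certificate parsing is performed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# RFC 7633 TLS Feature extension entries are TLS extension type numbers;
# status_request (OCSP stapling, RFC 6066) is extension type 5.
TLS_FEATURE_STATUS_REQUEST = 5

# Fixed "current time" so the scenarios below are deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


@dataclass
class Certificate:
    subject: str
    not_after: datetime
    tls_features: Tuple[int, ...] = ()  # hypothetical field for the model

    @property
    def must_staple(self) -> bool:
        """True when the certificate demands a stapled OCSP response."""
        return TLS_FEATURE_STATUS_REQUEST in self.tls_features


@dataclass
class OCSPResponse:
    status: str            # "good" or "revoked"
    this_update: datetime  # producedAt / thisUpdate of the response
    next_update: datetime  # nextUpdate: response is unusable after this

    def is_fresh(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


def evaluate(cert: Certificate, staple: Optional[OCSPResponse],
             now: datetime, soft_fail: bool = True) -> Tuple[str, str]:
    """Client decision: returns (verdict, reason).

    With must-staple, every missing, stale or revoked response is a hard
    failure. Without it, most clients soft-fail (accept) on missing or stale
    revocation data, which is why revocation is considered unreliable.
    """
    if now >= cert.not_after:
        return "reject", "certificate expired"
    if staple is None:
        if cert.must_staple:
            return "reject", "must-staple certificate presented without a staple"
        if soft_fail:
            return "accept", "no staple and no must-staple: client soft-fails"
        return "reject", "no staple and client configured to hard-fail"
    if not staple.is_fresh(now):
        if cert.must_staple:
            return "reject", "stapled response expired: fail closed"
        if soft_fail:
            return "accept", "stale staple ignored: client soft-fails"
        return "reject", "stale staple and client configured to hard-fail"
    if staple.status == "revoked":
        return "reject", "fresh OCSP response says revoked"
    return "accept", "fresh 'good' OCSP response stapled"


def needs_refresh(staple: OCSPResponse, now: datetime,
                  margin: timedelta = timedelta(days=1)) -> bool:
    """Server side: refetch the cached response before nextUpdate minus margin.

    This is the only recurring work stapling puts on the server; the CA is
    contacted by the server, never by the client.
    """
    return now >= staple.next_update - margin


# Constructed scenarios: one must-staple cert, one plain cert, three responses.
CERT_MUST_STAPLE = Certificate("example.test", NOW + timedelta(days=90),
                               (TLS_FEATURE_STATUS_REQUEST,))
CERT_PLAIN = Certificate("example.test", NOW + timedelta(days=90))
FRESH_GOOD = OCSPResponse("good", NOW - timedelta(days=1), NOW + timedelta(days=6))
STALE_GOOD = OCSPResponse("good", NOW - timedelta(days=10), NOW - timedelta(days=3))
FRESH_REVOKED = OCSPResponse("revoked", NOW - timedelta(days=1), NOW + timedelta(days=6))


def run_scenarios() -> dict:
    """Evaluate every (certificate, staple) pairing at NOW."""
    return {
        "must_staple/no_staple": evaluate(CERT_MUST_STAPLE, None, NOW)[0],
        "must_staple/stale": evaluate(CERT_MUST_STAPLE, STALE_GOOD, NOW)[0],
        "must_staple/fresh_good": evaluate(CERT_MUST_STAPLE, FRESH_GOOD, NOW)[0],
        "must_staple/revoked": evaluate(CERT_MUST_STAPLE, FRESH_REVOKED, NOW)[0],
        "plain/no_staple": evaluate(CERT_PLAIN, None, NOW)[0],
        "plain/stale": evaluate(CERT_PLAIN, STALE_GOOD, NOW)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} -> {verdict}")
    print("server should refresh now:", needs_refresh(FRESH_GOOD, NOW))
    print("server should refresh in 5d1h:",
          needs_refresh(FRESH_GOOD, NOW + timedelta(days=5, hours=1)))
```

The interesting rows are the two "stale" ones: the same expired response is a hard reject for the must-staple certificate and a soft-fail accept for the plain one. Shrinking the CA's response lifetime (the post mentions roughly a week today) shortens the window between revocation and the moment the must-staple certificate stops working, without touching the certificate's own lifetime.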