Sysadmin

One issue is that browsers and other clients have a difficult time handling certificate revocation. Let's Encrypt is stopping support for OCSP, and that had a lot of privacy implications where a CA could tell who is going to what site, based on the requests to check certificate revocation. Let's Encrypt is moving to CRLs, but the size of the CRL is very large the more certificates you have. For Let's Encrypt with only a 90 day validity period, their CRL is smaller than a CA which has certificates as much as 398 days old.

The size of the CRL is something not only CAs have to manage, on the client side, you may have to check a 10MB file to see if the certificate for the site you're connecting to is still trusted by the CA. With many CAs, these CRLs will take up a lot of space on disk, and need to be updated often. Mozilla published a system called CRLite which uses Cascading Bloom Filters to keep track of revoked certificates in the browser, which will save a lot of space. Having a constrained set of revoked certificates is useful to ensure the bloomfilter won't be too large for the browser to store and manage.