I think next we should set maximum lifetime of public CAs to double of this value. Then we can also protect against failures there.