I don't see why it would; the same basic requirements around CT apply regardless of certificate longevity. Any CA caught enabling this kind of MITM would be subject to expedient removal from browser root programs, but with the added benefit that their malfeasance would be self-healing over a much shorter period than was traditionally allowed.

lol no? lower cert times still extend the root certificates that are already trusted. It is not a noticeable thing when browsing the web as a user.

A MITM cert would need to be manually trusted, which is a completely different thing.

I think their point is that a hypothetical connection-specific cert would make it difficult/impossible to compare your cert with anybody else to be able to find out that it happened. A CA could be backdoored but only “tapped” for some high-value target to diminish the chance of burning the access.

> I think their point is that a hypothetical connection-specific cert would make it difficult/impossible to compare your cert with anybody else to be able to find out that it happened.

This is already the case; CT doesn't rely on your specific served cert being comparable with others, but all certs for a ___domain being monitorable and auditable.

(This does, however, point to a current problem: more companies should be monitoring CT than are currently.)

Well, the cert can still be compared to what's in the CT Log for this purpose.

Yes, precisely.