> the asymptotic end game would be that every TLS connection requires an online handshake with Connection Authorities to validate the server identity synchronously, right?

The article notes this explicitly: the goal here is to reduce the number of online CA connections needed. Reducing certificate lifetimes is done explicitly with the goal of reducing the Web PKI's dependence on OCSP for revocation, which currently has the online behavior you're worried about here.
(There's no asymptotic benefit to extremely short-lived certificates: they'd be much harder to audit, and would be much harder to write scalable transparency schemes for. Something around a week is probably the sweet spot.)
I understand the optimization curve you are talking about. But my coffee and I think my answer is more accurate as the theoretical asymptote as you reduce certificate lifetimes... you can never really have a zero lifetime certificate in a TLS connection, but you can reduce it to the handshake sequence necessary to establish the connection and its authenticated symmetric cipher.
Yes. But the point is that isn’t going to happen. It would directly undermine the goal of eliminating the stability and scaling issues with OCSP.