One Year Certificate Validity is about to be on the ballot again
A planned CA/B Forum ballot would cap the max validity of SSL certificates at 397 days, stop me if you’ve heard this one before: the max validity for SSL/TLS certificates could be shortened in the near future. Once it was eight, then five, then three, then two. Now it could be one.
In the coming days or weeks Google’s Ryan Sleevi will introduce a ballot at the CA/B Forum that will cap the maximum validity for SSL/TLS certificates at just one year starting in March 2020. This isn’t the first time this initiative has come up, and if it doesn’t succeed it’s undoubtedly not the last time, either.
So, today we’re going to talk about certificate lifespans, max validity and what this CA/B Forum ballot can tell us about the direction the industry is headed in the future.
Let’s hash it out.
One year max validity
The digital certificate industry, for all intents and purposes, consists of two collaborative parties. Collaborative being, perhaps a bit generous, but let’s stick to the script. On one side you have the browser community, which actually has to use the digital certificates as they shepherd their customers around the internet and then you have the Certificate Authorities, which are responsible for issuing those certificates and validating the entities they’re issuing them to.
Generally, when you discuss a topic like shortening the max validity of those digital certificates, the obvious assumption would be that it’s the CAs that are driving it. Shorter lifespans means more certificates issued. But before the CAs are accused of… well, practicing capitalism – this isn’t their idea.
This comes from the browsers and as we alluded to, it’s not the first time, either. This measure was first introduced a few years ago and was soundly defeated by the CAs. Instead, a compromise was struck and certificate validity was only reduced to two years.
It will be interesting to see whether or not the CA community continues to resist this measure when Sleevi introduces his ballot in the coming weeks. You get the sense that the CAs are resigned to the fact that at some point this is going to happen. It’s just whether the time is now. We went ahead and reached out to a few of our Certificate Authority partners, specifically DigiCert and Sectigo – the two largest CAs – to get their thoughts. Provided they don’t mind us sharing them, we’ll update this post accordingly.
Either way, this measure looks to have the support of the major browsers, Mozilla, Microsoft, Apple and obviously Google (where Sleevi works). The researcher community is in favor, too. It hinges on the CAs. Probably.
Why do many in the infosec community want shorter validity?
The issue at stake is one of security. Google counts the maximum amount of time validation information remains viable in weeks, not months or years and that’s going to be one of the lesser-advertised offshoots of this ballot. The last time certificate lifespans were discussed, the final decision on validation information was this:
On or after March 1, 2018, the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 825 days prior to issuing the Certificate.
The new time-frame would be a little less than half that:
(1) On or after March 1, 2020, the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 397 days prior to issuing the Certificate…
This last portion is what could be contentious with the CAs.
How contentious is this going to be?
Before we go any further, we’re happy to go on the record and say we’re completely agnostic about this. In general, we favor shorter lifespans and obviously we support improving security – but there’s a little more going on here than just certificate lifespans.
In fact, this could throw the efficacy of the CA/B Forum itself, or rather the lack thereof, into sharp relief.
Here’s why, if the CAs vote this measure down, there’s a chance the browsers could act unilaterally and just force the change anyway. That’s not without precedent, but it’s also never happened on an issue that is traditionally as collegial as this.
If it does, it becomes fair to ask what the point of the CA/B Forum even is. Because at that point the browsers would basically be ruling by decree and the entire exercise would just be a farce.
There are already murmurs about the usefulness of the Forum, especially when root programs like the one run by Mozilla have their own standards independent of the CA/B Forum Baseline Requirements.
In theory the CA/B Forum is a great idea, but if everyone is just going to do what they want anyway it truly does beg the question – what’s the point?
Granted, that’s an issue that looms over every piece of business the CA/B Forum conducts, it is not exclusive to the certificate validity debate. Frankly, there may not be much of a debate at all, this could pass with muster. It’s just worth pointing out that it has the potential to kick up some other problems if it doesn’t.