2024-10-15
Apple and Google Want Shorter Certificate Lifecycles
Apple has proposed significantly reducing the length of time that SSL/TLS certificates remain valid. Currently, the certificates are valid for 398 days; Apple's proposal describes a gradual reduction in the length of certificate lifecycles, ending with a 45 day validity period by 2027. Similarly, Google plans 'to study the impact of reducing domain validation reuse periods to 90 days or less.' Sysadmins have made known their unhappiness with the plans.
Editor's Note
This change has been discussed for about a year now. It is important to automate certificate renewals, if possible with standard protocols like ACME. Some certificate authorities may also offer their own solutions, but be careful before you lock yourself into a proprietary solution.
Johannes Ullrich
The CA Browser Forum has now been around for almost 20 years and has always been slow to make needed progress in making an SSL trust chain actually trustable. In 2011, compromise of a Comodo affiliate Registration Authority resulted in bogus certificates being issued for domains at Yahoo, Google, Skype, Mozilla and others. This pointed out how weak the strength of registration validation was, and in 2014 the Heartbleed OpenSSL vulnerability was discovered and we saw how badly certificate revocation was handled. The changes recommended are long overdue. Imagine if we said 'Let's only patch Windows once every 398 days because sys admins are complaining.' CIOs like to talk about rapid development and CI/CD pipelines - if IT operations can really do that they should be able to patch operating systems every 2 weeks and renew certificates every 45 days by 2027.
John Pescatore
With the advent of Let's Encrypt, I would say this is an excellent idea for a large set of websites on the internet. Where this is problematic are protocols that live outside of the web. Some certificates are used internally between services in various places. One example is 802.1X/NAC with EAP and EAP-TLS. Another example is Smart Cards. There are just some places where renewing certificates is more problematic and impactful. Let's do this where we can and consider something longer-term where we cannot.
Moses Frost
There will have to be agreement on duration: 90, 45, etc. A shorter lifetime reduces the amount of time a compromised certificate can be used, reducing risk and improving security. This will also require automation as we're busy putting certificates on endpoints, mobile devices, and about any service which supports it, and there is no good way to continue manual updates. Let's Encrypt already only issues 90-day certificates. Even with 398-day expirations, start automating certificate updates; your future self, who isn't getting the expired certificate ticket, will thank you.
Lee Neely
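As an added illustration of the operational point the notes above make (not code from the newsletter or its editors), the script below triages a constructed certificate inventory under the 398-, 90- and 45-day lifetimes discussed, and checks whether a fixed "expires in N days" alert still makes sense once lifetimes shrink. The two-thirds renewal point is an assumed policy modelled on common ACME client defaults; the inventory dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Validity periods named on the page, in days.
CURRENT_MAX = 398
LETS_ENCRYPT = 90
PROPOSED_2027 = 45


@dataclass(frozen=True)
class Cert:
    name: str
    not_before: datetime
    not_after: datetime


def issued(name: str, year: int, month: int, day: int, days: int) -> Cert:
    """Build a constructed inventory entry issued on a date for `days` days."""
    start = datetime(year, month, day, tzinfo=timezone.utc)
    return Cert(name, start, start + timedelta(days=days))


def renew_after_days(validity_days: int, fraction: float = 2 / 3) -> int:
    """Age (days since issuance) at which the automated renewer should act.
    Assumption: renew after two thirds of the lifetime, i.e. 60 days into a
    90-day certificate and 30 days into a 45-day one."""
    return int(validity_days * fraction)


def decide(cert: Cert, now: datetime, fraction: float = 2 / 3) -> str:
    """Return 'expired', 'renew' or 'ok' for one certificate at time `now`."""
    if now >= cert.not_after:
        return "expired"
    age = (now - cert.not_before).days
    lifetime = (cert.not_after - cert.not_before).days
    return "renew" if age >= renew_after_days(lifetime, fraction) else "ok"


def triage(inventory: list[Cert], now: datetime) -> dict[str, str]:
    """Map every certificate name to the action the renewer should take."""
    return {c.name: decide(c, now) for c in inventory}


def alert_threshold_ok(validity_days: int, alert_days: int, fraction: float = 2 / 3) -> bool:
    """A fixed 'expires in N days' alert must fire only if automated renewal
    has already missed its window; otherwise every fresh cert pages on-call."""
    renewal_window = validity_days - renew_after_days(validity_days, fraction)
    return alert_days < renewal_window


# Constructed sample inventory, evaluated on the newsletter's date.
NOW = datetime(2024, 10, 15, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    issued("web-fresh", 2024, 10, 1, PROPOSED_2027),   # 14 days old -> ok
    issued("web-aging", 2024, 9, 1, PROPOSED_2027),    # 44 days old -> renew
    issued("legacy-398", 2023, 9, 1, CURRENT_MAX),     # lapsed -> expired
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY, NOW).items():
        print(f"{name}: {action}")
    for days in (CURRENT_MAX, LETS_ENCRYPT, PROPOSED_2027):
        print(f"30-day alert sane for {days}-day certs: {alert_threshold_ok(days, 30)}")
```

A 30-day expiry alert that is harmless with 398-day certificates fires on every 45-day certificate the day it is issued, so monitoring thresholds have to shrink along with lifetimes.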
Read more in
GitHub: SC-081: Introduce Schedule of Reducing Validity and Data Reuse Periods #553
Chromium: Moving Forward, Together
The Register: Sysadmins rage over Apple's 'nightmarish' SSL/TLS cert lifespan cuts