CA/B Forum Votes Against Shortening SSL Certificate Validity to 397 Days

On July 26, 2019, Google proposed reducing the maximum validity period of server SSL/TLS certificates from the current 825 days to 397 days (about 13 months), i.e. by about half. Google believes that only full automation of certificate operations will eliminate current security problems, which are often attributed to the human factor. Ideally, therefore, the industry should aim for automated issuance of short-lived certificates.



The proposal was put to a vote in the CA/Browser Forum (CABF), the organization that sets requirements for SSL/TLS certificates, including their maximum validity period.



On September 10, the results were announced: the members of the consortium voted against the proposal.



Results



Certificate Issuers Vote

For (11 votes): Amazon, Buypass, Certigna (DHIMYOTIS), certSIGN, Sectigo (formerly Comodo CA), eMudhra, Kamu SM, Let's Encrypt, Logius, PKIoverheid, SHECA, SSL.com



Against (20): Camerfirma, Certum (Asseco), CFCA, Chunghwa Telecom, Comsign, D-TRUST, DarkMatter, Entrust Datacard, Firmaprofesional, GDCA, GlobalSign, GoDaddy, Izenpe, Network Solutions, OATI, SECOM, SwissSign, TWCA, TrustCor, SecureTrust (formerly Trustwave)



Abstained (2): HARICA, TurkTrust


Certificate Consumers Vote

For (7): Apple, Cisco, Google, Microsoft, Mozilla, Opera, 360

Against: 0

Abstained: 0


According to the rules of the CA/Browser Forum, a proposal passes only if two-thirds of the certificate issuers and 50% plus one vote among the certificate consumers vote for it.



DigiCert representatives apologized for missing the vote, in which they would have voted in favor of shortening certificate validity. They point out that a shorter validity period can be a problem for some customers, but that in the long run it provides security benefits.



One way or another, the industry is not yet ready to shorten certificate validity and switch completely to automated solutions. Certificate authorities themselves can offer such services, but many customers have not yet implemented automation. The reduction to 397 days is therefore postponed, but the question remains open.



Google may now try to impose the standard "by force", as was the case with the Certificate Transparency protocol. Moreover, other developers support it: Apple, Microsoft, Mozilla and Opera.



Recall that full automation is one of the principles on which the nonprofit certificate authority Let's Encrypt is based. It issues free certificates to everyone, but the maximum certificate lifetime is limited to 90 days. Short certificate lifetimes have two main advantages:



  1. limiting damage from compromised keys and incorrectly issued certificates, as they are used for a shorter period of time;

  2. short-lived certificates support and encourage automation, which is absolutely essential for the ease of use of HTTPS. If we are going to migrate the entire World Wide Web to HTTPS, we cannot expect the administrator of every existing site to renew certificates manually. Once the issuance and renewal of certificates is fully automated, shorter certificate lifetimes will, on the contrary, become more convenient and practical.


The GlobalSign poll on Habr showed that 73.7% of respondents are "more likely" to support a reduction in the validity of certificates.



As for hiding the EV badge for SSL certificates in the address bar, the consortium did not vote on this issue, because browser UI is entirely within the competence of browser developers. In September-October, new versions of Chrome 77 and Firefox 70 will be released, which will deprive EV certificates of their special place in the browser address bar. Here's what the change looks like on the desktop version of Firefox 70:



[Images: the Firefox address bar before ("It was") and after ("Will be") the change]







According to security specialist Troy Hunt, removing EV information from the browser address bar effectively buries this type of certificate.







