
Reduce the validity period of certificates?


May 28, 2022

What’s happening?

Google proposed a change that, if the ballot passes, will reduce the validity period of certificates from the current maximum of two years to 13 months. The proposed ballot was endorsed by Apple and another CA, making the ballot eligible for voting. If the ballot passes at the CA/Browser Forum, the change in requirements will go into effect in March 2020. Any certificates issued after the effective date would need to comply with the shortened validity period requirements. Even if the ballot fails, the browsers sponsoring the ballot could unilaterally implement this requirement in their root program and make compliance required for certificates issued by trusted CAs in their root stores. 

This change is a follow-up to Google’s previous initiative to reduce lifetimes from three to two years (https://www.digicert.com/blog/3-year-certificates-eliminated-industry-wide-change/) in 2018.

Who is impacted?

The changes proposed by Google would impact all publicly trusted TLS certificate users, regardless of which certificate authority issues the certificate. If the ballot passes, all publicly trusted certificates issued or re-issued after March 2020 would have a maximum validity of 13 months. Your customers using certificates with validity periods longer than 13 months are encouraged to review their systems and evaluate how the proposed changes might impact their deployment and use of certificates. 

Please note that all TLS certificates issued prior to March 2020 with a validity period longer than 13 months will remain functional. This ballot does not affect non-TLS certificates, including code signing, private TLS, client certificates, etc. There will be no need to revoke any certificates as a result of this ballot. 

This would be a global change to the industry, impacting all certificate authorities. 

I Trusted Ltd.’s position

I Trusted Ltd. believes industry-wide changes should be made only after measuring whether the security gains are sufficiently balanced against the impact on end users. In this case, we feel that further shortening certificate lifetimes, especially absent reasonable timelines for companies to prepare, would have the opposite effect: it would cause significant pain to customers and could lead to human error as they scramble to adjust.

We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation and to prepare for these changes.

I Trusted Ltd. would like to continue the conversation and gather customer and partner input before this issue is brought to a ballot. We think this discussion should include a timeline that allows for companies to properly plan for shorter lifetimes. 

Regardless of the outcome of this ballot, we stand ready to help our partners. I Trusted Ltd.’s focus on discovery and automation tools, and our deployment of them, ensure that our systems are fully capable of helping our partners meet changes that may arise in industry standards, including shorter lifecycles. In fact, I Trusted Ltd. currently offers certificate lifetimes as short as eight hours for customers and partners who want that option. Having said that, our ability to help our customers and partners with these changes does not mitigate all the potential impact that a rushed implementation would have on the industry.

What to do

The CA/Browser Forum makes changes to standards as security issues evolve. To remain compliant with these changes, organizations with large numbers of certificates should consider automation tools to help manage certificate inventories and ease certificate deployment. At I Trusted Ltd., we are focused on simplifying the certificate management process and developing new tools for automating certificate use. Partners worldwide use I Trusted Ltd. to automate their processes using our Lemur plug-ins, REST APIs, SCEP and EST services, and ACME service. Combining ACME with the automated scanning service in CertCentral allows TLS customers and partners to scan their entire environment, find certificates that require replacement, and deploy up-to-date technology.
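As an added illustration of the inventory review described above (example code, not I Trusted Ltd.’s tooling), the following classifies each certificate in a constructed inventory against the proposed rule: certificates issued before the effective date keep working even if longer than 13 months, while anything issued on or after it must fit within 13 months. It assumes "13 months" means calendar months and takes March 1, 2020 as the effective date, since the post gives only the month.

```python
from dataclasses import dataclass
from datetime import date
import calendar

# Assumed parameters drawn from the proposal described in the post.
EFFECTIVE_DATE = date(2020, 3, 1)   # post says "March 2020"; first of the month assumed
MAX_VALIDITY_MONTHS = 13

def add_months(d: date, months: int) -> date:
    """Shift d forward by whole calendar months, clamping the day to the month's end."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

@dataclass
class CertRecord:
    subject: str
    not_before: date   # issuance date
    not_after: date    # expiry date

def exceeds_max_validity(cert: CertRecord, max_months: int = MAX_VALIDITY_MONTHS) -> bool:
    """True when notAfter lies beyond notBefore plus max_months calendar months."""
    return cert.not_after > add_months(cert.not_before, max_months)

def classify(cert: CertRecord, effective: date = EFFECTIVE_DATE) -> str:
    """Label a publicly trusted TLS certificate under the proposed rule.
    'compliant'     : validity within the limit
    'grandfathered' : longer than the limit but issued before the effective date; stays functional
    'non-compliant' : longer than the limit and issued on/after the effective date; needs replacing
    """
    if not exceeds_max_validity(cert):
        return "compliant"
    return "grandfathered" if cert.not_before < effective else "non-compliant"

def inventory_report(certs):
    """Map each subject in the inventory to its classification."""
    return {c.subject: classify(c) for c in certs}

# Constructed sample inventory; these are not real certificates.
SAMPLE_INVENTORY = [
    CertRecord("www.example.test", date(2019, 6, 1), date(2021, 5, 31)),    # 2-year cert, pre-effective
    CertRecord("api.example.test", date(2020, 4, 15), date(2021, 5, 15)),   # exactly 13 months
    CertRecord("mail.example.test", date(2020, 4, 15), date(2022, 4, 14)),  # 2-year cert, post-effective
]

if __name__ == "__main__":
    for subject, status in inventory_report(SAMPLE_INVENTORY).items():
        print(f"{subject}: {status}")
```

Feeding real notBefore/notAfter values from a scan into CertRecord gives the same report over a live inventory.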

I Trusted Ltd. will continue to keep you apprised of CA/B Forum activities.

We are eager to share information with the browsers about the impact these changes may have on customers. We look forward to providing this information and representing your interests in the Forum and security world.