There has been a certain amount of hype around Google’s push to reduce TLS certificate lifespans to 90 days. Of course, this move would have to be ratified by the Certificate Authority/Browser (CA/B) Forum. But it remains unclear whether Google will try to strong-arm the CA/B Forum, as Apple did to reduce current certificate lifespans to 398 days (or one year). And all of this raises questions about the influence and impact of the CA/B Forum.
At the recent Machine Identity Management Summit, Mark Nelson, CTO for the PKI-as-a-Service Group at HID Global, presented a session on the CA/B Forum and how both recent and anticipated changes will impact machine identity management. Here is the background he provided on the CA/B Forum, which helps to explain the influence of the institution itself.
What is the CA/B Forum and why does it matter?
When it was founded in 2005, the Certificate Authority/Browser (CA/B) Forum was made up of Certificate Authorities (CAs) and the browsers which used certificates to authenticate. But, over time that focus has changed slightly. Now there are two groups within the CA/B Forum: certificate issuers and their certificate consumers.
In the category of certificate issuers, there is a pretty wide range of voting members, not all of which are active. You’ve got some CAs that have only issued a couple hundred certificates in their lifetime. And you’ve got others, like Let's Encrypt, that have issued billions in their lifetime. But really, there are only around eight or so CAs that currently have over a million valid certificates out in the ecosystem. And they are all members of the CA/B Forum.
On the other side of the forum, you have the certificate consumers, which are your typical Chrome, Mozilla, Apple, Brave, Opera, all the different browsers. And there are also hardware vendors like Cisco, who's a big certificate consumer and has their own root store. Altogether, these are the voting members for the CA/B Forum. For the non-voting members, anyone can really join as an interested party. For example, there are some other software vendors that have joined and are allowed to attend the meetings. They just don't get to vote on everything.
The goal of the CA/B Forum is to define industry-wide rules for publicly trusted certificates. It's separated into three major working groups—TLS certificates, code signing certificates, and S/MIME certificates. These working groups come up with the baseline requirements for how to issue each type of certificate.
So, how do they enact change? Anyone that's a voting member can propose a ballot. So, for example, if a CA wants to come up with a ballot, they’ll get two endorsers. They'll put the ballot out there for a seven-day voting period. If the ballot passes, then it goes into a thirty- or sixty-day IPR review for intellectual property. Once the IPR review passes, the ballot measure is considered final, and you end up with a new version of the CA/B Forum guidelines.
Recent CA/B Forum changes for TLS certificates
The most significant change that happened in the server certificate working group is that, for the first time, there is an official recognition that there is a distinction between short-lived TLS certificates and long-lived TLS certificates. In the past, this separation was not very apparent. But the CA/B Forum now recognizes that any TLS certificate valid for 10 days or less is considered short-lived and subject to different requirements. This recommendation is planned to go into enforcement in 2024. And by 2026, the idea is that the lifespan of short-lived TLS certificates will become seven days or less.
This distinction doesn’t have a huge impact on long-lived TLS certificates, which will still require CRLs.
But it will impact short-lived TLS certificates. Because of their huge volume, there will no longer be any revocation associated with them. So for TLS certificates issued with lifespans of seven days or less from 2026, you will not have to attach any type of revocation information with them. This basically means that the CA will no longer have to revoke short-lived certificates. Another change, which will go into enforcement by 2024, is that OCSP becomes optional for short-lived certificates.
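To make the short-lived versus long-lived distinction concrete, here is an added Python audit (example code, not from the article or from HID Global) that classifies a certificate by its validity period and reports whether CRL information is still expected under the rules described above. It assumes the 2026 threshold change takes effect on an arbitrary cut-over date, and it reads the article as leaving CRLs in place for short-lived certificates issued before that date, with only OCSP optional; the certificate fields and sample fleet are constructed, not real certificates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds stated on this page: 10 days once enforcement begins (2024),
# tightening to 7 days in 2026. The exact cut-over date is an assumption
# made for this example; the article gives only the year.
THRESHOLD_INITIAL = timedelta(days=10)
THRESHOLD_2026 = timedelta(days=7)
ASSUMED_2026_CUTOVER = datetime(2026, 1, 1, tzinfo=timezone.utc)

@dataclass
class CertSummary:
    """The few fields an auditor needs from an already-parsed certificate."""
    subject: str
    not_before: datetime
    not_after: datetime
    has_crl_dp: bool  # CRL Distribution Points extension present

def short_lived_threshold(issued_at: datetime) -> timedelta:
    """Threshold in force for a certificate issued at issued_at."""
    return THRESHOLD_2026 if issued_at >= ASSUMED_2026_CUTOVER else THRESHOLD_INITIAL

def is_short_lived(cert: CertSummary) -> bool:
    """Validity period (notAfter minus notBefore) within the applicable threshold."""
    return cert.not_after - cert.not_before <= short_lived_threshold(cert.not_before)

def audit(cert: CertSummary) -> dict:
    """Long-lived certs must carry CRL info. Short-lived certs issued from the
    cut-over need no revocation info; before it, only OCSP is optional for them
    (that pre-2026 reading of the article is an assumption of this example)."""
    short = is_short_lived(cert)
    crl_required = not (short and cert.not_before >= ASSUMED_2026_CUTOVER)
    findings = []
    if crl_required and not cert.has_crl_dp:
        findings.append("missing CRL distribution point")
    return {"subject": cert.subject, "short_lived": short,
            "ocsp_optional": short, "crl_required": crl_required,
            "findings": findings}

def _cert(subject, start, days, crl):
    return CertSummary(subject, start, start + timedelta(days=days), crl)

# Constructed sample fleet, not real certificates. Note that a 10-day
# certificate is short-lived in 2025 but long-lived once the 7-day rule applies.
UTC = timezone.utc
SAMPLE_FLEET = [
    _cert("svc-a.example.test", datetime(2025, 3, 1, tzinfo=UTC), 10, False),
    _cert("svc-b.example.test", datetime(2026, 3, 1, tzinfo=UTC), 10, False),
    _cert("svc-c.example.test", datetime(2026, 3, 1, tzinfo=UTC), 7, False),
    _cert("www.example.test", datetime(2025, 3, 1, tzinfo=UTC), 90, True),
]
```

Running `audit` over `SAMPLE_FLEET` flags the two certificates that are long-lived for their issuance date yet carry no CRL distribution point, and passes the 7-day certificate issued after the cut-over with no findings.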
Why are these changes happening at the CA/B Forum around short-lived certificates? Well, we all know about the network and how the nature of the network is changing. We are seeing a rise of machines that require identities, and generally that rise is more exponential in nature as compared to the rise of human identities. And the overhead of administering this huge population of TLS certificates could quickly become onerous.
The biggest factor that is fueling this exponential growth is the containerization of applications on different machines. Gartner predicts that by the end of 2023, 75% of organizations will have containerized their applications in their production environment in one shape or another. That’s a big number. And we all know that if you are operating in a cloud native domain, the growth of different types of applications and how they communicate with each other is increasing exponentially.
Similar stats are also available from the CNCF 2022 annual survey, where they found that 44% of organizations that are running their production applications in a cloud native platform have containerized their applications and are leveraging one or multiple cloud native platforms to deliver value to their customers. Thirty-five percent are already in some hybrid model where they have some old applications and then they have some new applications that will be leveraging containers.
The trend towards shorter certificate lifespans
And that brings us back to 90-day certificate lifespans. With more certificates being issued with shorter lifespans, this effectively increases the management burden by 6X (certificate management best practices recommend replacing a certificate within 30 days of its expiration, so a 90-day certificate is renewed roughly every 60 days). In the past quarter alone, Venafi saw its customers perform more than six million certificate issuances. So imagine what that number will look like with 90-day certificate lifespans.
Are you ready to automate your certificate lifecycle management once the CA/B Forum ratifies the 90-day lifespan? It’s not likely to happen quickly, but when it does, you’ll have to make some pretty significant adjustments to your workflow and certificate management strategy.