The CA/Browser Forum helps to determine the policies that certificate authorities and web browser developers must abide by when it comes to TLS certificates, an important type of machine identity.
On September 10th, they had a vote regarding a proposed policy change. TLS certificates currently have a maximum validity period of 27 months. The proposal was to shorten it to a year. Forty people were eligible to vote. In my opinion, if a small number of people are voting on something, it’s best to have an odd number of voters. That would theoretically eliminate the possibility of ties. But there was no tie in this vote. 18 people voted in favor of shortening the validity timespan to a year, 20 opposed, and two people abstained from voting. Oh well.
So, it looks like certificates with a 27-month lifespan are here to stay. I personally would have preferred a 13-month limit, because longer lifespans expand the attack surface that a cyber attacker could acquire if they intercepted a certificate. As I said in a collaborative post with David Bisson:
“Shorter time durations for HTTPS certificates sounds like a great idea to me. Sometimes certs are breached. A certificate that lasts 13 months instead of 27 reduces the scope of data compromise when that happens. Proper machine identity management can handle the greater frequency of certificate deployment so users won't even have to worry about the CA/Browser Forum proposal if it's implemented, and it should improve web security.”
Overall, most cybersecurity professionals who have looked at the issue support shorter maximum certificate lifespans. Because if a certificate falls into a cyber attacker’s hands, data is at stake for less time. The cyber attack surface is lessened a bit.
So why would anyone oppose shortening the lifespan of TLS certificates? When the CA/Browser Forum had their vote, the main objection was about how well certificate authorities’ customers could manage shorter certificates, possibly not well at all.
For an organization to be able to keep all of their TLS certificates to a lifespan of 13 months or less, they need more robust and effective certificate management across their cryptographic systems and infrastructure. Many organizations are afraid of not only the direct financial cost of upgrading their PKIs (public key infrastructure), but also all of the extra time and labor that could be involved. Also increasing the frequency of their certificate generation may lead to accidental certificate outages and related security disasters.
Some of the organizations which vote in the CA/Browser Forum would happily comply with shorter certificate lifespans, except this year’s vote wouldn’t have given them enough time to prepare their customers before the new policy came into effect.
Another matter to consider is that the CA/Browser Forum consists of members with possibly conflicting interests. Some support smaller organizations that would be especially reluctant to overhaul their PKIs and certificate management.
The SSL Store’s Patrick Nohe wrote:
“One of the dynamics at work in the discussion of validation is that the non-CA members (browsers) of the Forum generally have a theoretical knowledge of validation, whereas the CAs are actually performing it and have a different perspective owing to their experience with the process. Neither viewpoint is wrong. In a truly collaborative environment, the two differing perspectives could even be a strength. But as it stands, even validation is a contentious topic at the Forum.
Right now, you can re-use validation data for 27 months (13 months for EV). After the initial validation, a CA can issue any certificate you order with only a domain control check if you ask for a new domain. That means it’s near instant. For large organizations this is a godsend. Reducing the amount of time that validation information stays ‘fresh’ and can be re-used means organizations and CAs must validate more often. That consumes time and resources from both the CA and the organization getting the certificate. It’s also another move that devalues higher-validation certs because the re-validation process is more burdensome.”
Perhaps more of these more CA/Browser voters would be on board with shortening the lifespan of TLS certificates if they knew their customers had proper machine identity management. As Katrina Dobieski and Scott Carter wrote here:
“Manual management techniques left too much room for human error. And we saw many high-profile instances of certificate-related outages that resulted from uncontrolled machine identities. New research indicates that these same under-managed machine identities are also prime tools for organized cyber criminals.
Forward-thinking companies began to realize the value of centrally managing, and ultimately protecting, machine identities early on. And now, we’re seeing an increasing number of the world’s leading organizations getting serious about managing their machine identities.”
If we can get more organizations to implement good machine identity protection and management, maybe the next vote the CA/Browser Forum has on TLS certificate lifespans may actually be in favor of 13-month maximum validation durations! Imagine that.