SSL certificate validity periods are essential to helping the industry move faster when it comes to adopting cryptographic algorithm changes, fixing mistakes, and distrusting CAs that are no longer in operation. Even more importantly, certificate lifetimes are signals of trust, as shown by the recent move by Google to reduce Symantec validity periods after a series of certificate-related infractions. Shorter lifetimes also protect users against malicious actors: the shorter the validity period, the smaller the window in which a stolen or compromised certificate can be misused.
Web browsers and CAs agree that SSL certificate validity periods help strengthen clients' trust in secure connections. Even so, consensus on how long a digital certificate's lifetime should be is elusive.
For example, Ryan Sleevi, a software engineer at Google, created a proposal named "Certificate Authority and Browser (CAB) Forum Ballot 185" that would have reduced the validity period from 39 months to just 18 months. Google and Mozilla supported the proposal, but other industry actors including most CAs declined to get behind the cause. Their main reasons for doing so were the operational and infrastructure costs they perceived the change would bring.
Robin Alden from Comodo said as much in defense of his "No" vote for the proposal:
"We are committed to security. Usable security. We represent many certificate holders who do not yet have sufficient technical expertise, manpower and/or automation to be able to cope with this proposed reduction in the maximum validity period."
Technically, Google could move ahead and set requirements for certificates that are consistent with CAB Forum Ballot 185 despite other industry actors having voted it down. SSL certificates need to be usable with all browsers. As a result, certificate authorities and other web browsers would have no choice but to comply were Google to act unilaterally.
But irrespective of Google's next move, the Chrome provider has already helped move the industry to shorter SSL certificate validity periods. Following the defeat of CAB Forum Ballot 185, another proposal called CAB Forum Ballot 193 emerged. This proposal, which has since passed, says SSL certificates will be limited to two years.
Leading up to March 2018, when CAB Forum Ballot 193 officially takes effect, organizations can purchase SSL certificates that will protect them for the current validity period of 39 months until June 2020. But they will now need to be prepared for 2-year certificates as the industry moves closer to validity periods such as those specified in CAB Forum Ballot 185.
All these changes place pressure on organizations to keep up with their SSL certificates' validity periods and to renew their certificates when they expire. Plus, if these periods change, as they did recently for Symantec, organizations need to be prepared to act quickly to replace impacted certificates. Fortunately, these organizations can invest in software that helps them identify and monitor certificates, thereby avoiding the costs and risks of expired SSL certificates.
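As an added example (not from the original article), here is the kind of inventory check the previous paragraph calls for: it audits certificate records in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, flags any lifetime over the two-year (825-day) cap that Ballot 193 applies to certificates issued from March 2018, and flags certificates close to expiry. The sample inventory, hostnames, dates, the 30-day warning window and the fixed reference date are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 825      # Ballot 193 cap for certificates issued on/after 1 March 2018
RENEWAL_WARNING_DAYS = 30    # assumption: flag anything expiring within a month
# Constructed reference date so the sample run is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2018, 5, 1, tzinfo=timezone.utc)

# Constructed sample inventory shaped like getpeercert() output; hostnames and dates are made up.
INVENTORY = [
    {"subject": ((("commonName", "www.example.test"),),),
     "notBefore": "Jan  1 00:00:00 2018 GMT",
     "notAfter": "Apr  1 00:00:00 2021 GMT"},    # 39-month style certificate
    {"subject": ((("commonName", "api.example.test"),),),
     "notBefore": "Mar 15 00:00:00 2018 GMT",
     "notAfter": "Jun 15 00:00:00 2020 GMT"},    # within the two-year limit
    {"subject": ((("commonName", "old.example.test"),),),
     "notBefore": "May  1 00:00:00 2016 GMT",
     "notAfter": "May 20 00:00:00 2018 GMT"},    # about to expire
]

def common_name(cert):
    """Pull the commonName out of the nested subject tuple getpeercert() returns."""
    for rdn in cert["subject"]:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return "<no CN>"

def audit_certificate(cert, now, max_days=MAX_LIFETIME_DAYS, warn_days=RENEWAL_WARNING_DAYS):
    """Return (lifetime_days, days_left, issues) for one certificate as of `now`."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])   # stdlib parser for this date format
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    lifetime_days = int((not_after - not_before) // 86400)
    days_left = int((not_after - now.timestamp()) // 86400)
    issues = []
    if lifetime_days > max_days:
        issues.append("lifetime %d days exceeds %d-day maximum" % (lifetime_days, max_days))
    if days_left < 0:
        issues.append("expired %d days ago" % -days_left)
    elif days_left <= warn_days:
        issues.append("expires in %d days, renew now" % days_left)
    return lifetime_days, days_left, issues

def audit_inventory(inventory, now=AUDIT_TIME):
    """Map each certificate's CN to its audit result; an empty issue list means clean."""
    return {common_name(c): audit_certificate(c, now) for c in inventory}

if __name__ == "__main__":
    for cn, (life, left, issues) in audit_inventory(INVENTORY).items():
        print("%-18s lifetime=%4dd left=%5dd %s" % (cn, life, left, "; ".join(issues) or "ok"))
```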
Does your organization have what it takes to inventory certificate validity periods?