We are reaching out to you regarding an important proposal raised recently at the CA/Browser Forum that could impact the products you are using.
Google proposed a change that, if the ballot passes, will reduce the validity period of certificates from the current maximum of two years to 13 months. The proposed ballot was endorsed by Apple and another CA, making the ballot eligible for voting. If the ballot passes at the CA/Browser Forum, the change in requirements will go into effect in March 2020. Any certificates issued after the effective date would need to comply with the shortened validity period requirements. Even if the ballot fails, the browsers sponsoring the ballot could unilaterally implement this requirement in their root program and make compliance required for certificates issued by trusted CAs in their root stores.
This change is a follow up on Google’s previous initiative to reduce lifetimes from three to two years https://www.digicert.com/blog/3-year-certificates-eliminated-industry-wide-change/) in 2018.
Who is impacted?
The changes proposed by Google would impact all publicly trusted TLS certificate users, regardless of which certificate authority issues the certificate. If the ballot passes, all publicly trusted certificates issued or re-issued after March 2020 would have a maximum validity of 13 months. Customers using certificates with validity periods longer than 13 months are encouraged to review their systems and evaluate how the proposed changes might impact their deployment and use of certificates.
Please note that all TLS certificates issued prior to March 2020 with a validity period longer than 13 months will remain functional. This ballot does not affect non-TLS certificates, including code signing, private TLS, client certificates, etc. There will be no need to revoke any certificates as a result of this ballot.
This would be a global change to the industry, impacting all certificate authorities.
DigiCert believes industry-wide changes should be made only after measuring whether the changes in security are sufficiently balanced with the impact on end users. In this case, we feel that further shortening certificate lifetimes, especially absent reasonable timelines for companies to prepare, would have the opposite effect in causing significant pain to customers and possibly leading to some human-caused errors as they scramble to adjust.
We believe the goal of improving certificate security is better served by allowing more time for companies to continue their growing use of automation and to prepare for these changes. DigiCert would like to continue the conversation and gather customer input before this issue is brought to a ballot. We think this discussion should include a timeline that allows for companies to properly plan for shorter lifetimes.
Regardless of the outcome of this ballot, we stand ready to help our customers. DigiCert’s focus and deployment of discovery and automation tools make sure our systems are fully capable of helping our customers meet changes that may arise in industry standards, including shortening lifecycles. In fact, DigiCert currently offers certificate lifetimes as short as eight hours for customers who want that option. Having said that, our ability to help our customers with these changes doesn’t mitigate all the potential impact that a rushed implementation would have on the industry.
What to do
The CA/Browser Forum makes changes to standards as security issues evolve. To remain compliant with these changes, organizations with large amounts of certificates should consider sophisticated automation tools to help manage certificate inventories and ease certificate deployment. At DigiCert, we are focused on simplifying the certificate management process and developing new tools for automating certificate use. Customers worldwide use DigiCert to automate their process using our Lemur plug-ins, REST APIs, SCEP and EST services, and ACME service. Combining ACME with the automated scanning service in CertCentral allows TLS customers to easily scan their entire environment, find certificates that require replacement, and deploy up-to-date technology.
DigiCert will continue to keep you apprised of CA/B Forum activities. Please read our position to the industry in this new blog: https://www.digicert.com/blog/how-reduced-tls-ssl-certificate-lifetimes-to-one-year-would-affect-you/
The CA/Browser Forum accepts comments from outside participants; however, all discussions are public. You have two choices: you can submit your comments to DigiCert through this survey, which we plan to summarize and provide to the CA/B Forum or you can join the CA/B Forum as an Interested Party, which will allow posting of your comments directly to the Forum mailing list. See https://cabforum.org/working-groups/ (bottom of page).
We are eager to share information with the browsers about the impact these changes may have on customers. We look forward to providing this information and representing your interests in the Forum and security world.