27 February 2020
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
During a recent meeting of the CA/Browser Forum, Apple announced that its Mac OS and iOS operating systems will not accept certificates with a lifetime of more than 398 days starting in September of this year. With this announcement, Apple moves ahead with the shorter certificate lifetimes that multiple browsers have wanted for a while.
There are a number of advantages to shorter certificate lifetimes. One notable one is that implementing new features and deprecating old ones can happen much faster than in the past. The phaseout of SHA1 signatures is often cited. Another example is certificate transparency: although Google’s Chrome browser has required support for certificate transparency SCTs in new certificates since April 2018, it will take until June 2021 before the last certificates created prior to that will expire.
The other major reason for shorter certificate lifetimes is the lack of a working revocation mechanism for compromised certificates. Certificate revocation has been problematic for a long time. Revocation checks via OCSP have usually only been implemented in a soft-fail mode that does little in an attack situation in which an attacker can simply block connections to the OCSP server. Although mechanisms that can provide better revocation than this exist—OCSP stapling and the Must-Staple certificate extension—they have not been deployed widely.
Thus the rationale for shorter certificate lifetimes: in the event of a compromised private key, a shorter remaining lifetime will reduce the time an attacker has to cause harm.
Certificate lifetimes have been gradually reduced over time. More than a decade ago, certificates sometimes were valid for more than ten years. In 2017, the CA/Browser Forum agreed to cap certificate lifetimes at 825 days. However, multiple attempts to agree to further shorten certificate lifetimes have failed in the CA/Browser Forum.
Certificate authorities cite issues that their customers have with shorter certificate lifetimes. If certificates are changed manually, then this is obviously an issue, but many people think that certificate automation is the way forward.
Certificate automation has been made popular by Let’s Encrypt, and with ACME there is a standard to allow automatic issuing of certificates. But not all certificate authorities provide automation yet—and even if they did, not all products using certificates support ACME.
Despite these concerns, it seems browsers have decided to move on with shorter certificate lifetimes without the support of the majority of certificate authorities. Apple is the first company to announce such a move, but it is expected that other browsers will follow as all of the browser vendors in the CA/Browser Forum have previously announced that they want shorter certificate lifetimes.
If you’re interested in a more detailed history of this discussion, Scott Helme has followed the debate in his blog over time in much more detail.
This subscription is just for the newsletter; we won't send you anything else.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof SSL and TLS, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.