Apple forces the industry down to one-year web browser certificate lifespans

Security Now


In February we talked about Apple's surprise announcement during the CA/Browser Forum that in the future, and this was just unilateral, Safari on all of its platforms would be rejecting any web server certificate having a "not valid before" date (which is technically the way the date range is stated, so it's very clear: not valid before) after August 31st of this year, 2020, and which has a total certificate lifetime greater than 398 days. So in other words, starting just two months from now, that is to say from September 1st on, all CA certificates issued for use by web browsers must be issued with a one year plus 33 days lifetime or shorter, not longer. So this is the death of the arguably more convenient two- or three-year web server certs that we've traditionally been using. Essentially this is Apple biting the bullet and pushing an issue that the various non-certificate-authority participants in the so-called CAB Forum, the CA/Browser Forum, had been asking for for a long time. Google had put forth this measure for a vote at the prior meeting, and it had been voted down in a partisan vote by the certificate authorities, who said no, we don't want to shorten server certificates to a year. Well, Apple said okay, tough, we're just not going to accept any, and arguably Safari is strong enough that basically they forced the issue. So when I talked about this initially in February I discussed the many implications of this in great depth and detail, so I'm not going to go into all that again; if anyone has joined us since then or wants a refresher, it's back in February. The reason this is back in the news is that now the other two significant browsers in the industry, Mozilla and Google, and the Chromium-based offshoots of Google's Chrome browser, have also announced their exactly aligned policies.

Interesting. Wow.

Yes. Ryan Sleevi posted, in sort of their equivalent of "things we're going to change," in the Chromium blog: "Enforce 398-day validity for certificates issued on or after 2020-09-01." And then the body of the message: "Enforce publicly trusted TLS server certificates have a lifetime of 398 days or less, if they are issued on or after September 1st, 2020." And he said certificates that violate this will be rejected with an error, and the error is ERR_CERT_VALIDITY_TOO_LONG, and will be treated as mis-issued. And also, following up, Mozilla's Kathleen Wilson posted "Limit reuse of domain name verification to 395 days," and that was #206. And I think she did say 395; I copied and pasted, so they're off by three from 398. I believe that's because, remember, 398 was one year plus 33. That's just sort of to give people a little bit of slush room.

So there is a long and very interesting discussion, for people who like such things, among the industry insiders who are the ones who make these essentially earth-moving decisions, so I've included the Google Groups discussion through a link in the show notes for anyone who's interested. I mean, it's back and forth and a lot of discussion, but basically it comes down to: well, you know, this is what we wanted. Thank you, Apple, for biting the bullet. We're all going to jump on board. And you know, the certificate authorities will end up changing their model rather than, for example, you having to have a cash transaction annually. You'll be able to purchase some block of time that you want to have certificates from them. And I imagine, since that does create a little bit of lock-in, that they may extend that. You know, they may say, hey, we know.

Stay with us, commit to staying with us for ten years, and we will lower the per-year cost of certificates. And then it'll be like, you know, you log into your account and basically you reissue a certificate before the one you have expires. What this will also do: we always run across instances where people are forgetting, or sort of like it lapses, or maybe it's a holiday, or it's a COVID-19 event; one way or the other server certificates are expiring, and they're finding out only when people are screaming that they can no longer access the website. So maybe it being an annual thing, as opposed to for example every three years, which maybe you're more likely to forget, that might help prevent that.