Apple announced this week that the maximum
lifetime of SSL / TLS certificates on its devices and Safari browser would
be limited to 398 days (1 year, and 1 month to cover the renewal period). The
change, announced by Apple at the CA / Browser Forum meeting in Bratislava,
Slovakia, will take effect for certificates
issued after August 31, 2020.

Apple’s announcement follows a failure of the CA / B Forum’s vote on one-year certificates (Bulletin SC22), which was held in August 2019, and reflects a continuing trend to shorten lifespan certificates. Following this vote, Google had also expressed its intention to reduce certificate lifetime outside the framework of the CA / B forum if they do not position themselves quickly. This announcement is a bit of a surprise, we would rather have thought that Google or Mozilla would take the first step.

What are the consequences for companies and their SSL / TLS certificates?

Is shorter validity a good thing?

The shorter the validity period of a
certificate, the more secure the certificate. By requiring replacement of
certificates over a shorter period of time, security updates are made to
certificates, they deploy faster. The shorter private key lifetime of a
certificate is also a strong recommendation from online security players to
limit the potential duration of fraud following a compromise.

From a security perspective, everyone agrees
that reducing the life of certificates is a good thing. The problem lies on the
operational side with the consequences of this reduction being: more frequent
intervention on certificates, therefore greater complexity in keeping an up to
date inventory and the need for optimal organization with partners for
certificate issuance.

Should Apple’s announcement be taken into account?

Safari is one of the two main web browsers, with 17.7% in January 2020, behind Google Chrome (58.2%) and ahead of Microsoft Internet Explorer and Edge (7.1%). It is difficult to ignore the announcement as it will affect 1/5 of Internet users, what is more is that if Google does follow, it is better to anticipate and prepare. Nameshield’s has already adopted this stance.

Things to keep in mind

Certificates issued
before September 1, 2020 are not affected by this change. They will remain valid for the entire
two-year period. All certificates issued
on or after September 1 must be renewed each year to be considered reliable
by Safari.

We must therefore prepare to move towards
having certificates with a maximum duration of one year compared to the current
two years. Being able to rely on a partner and effective tools is more
essential than ever.

Towards the end of the correlation between authentication and technical
certificate management

What seems to be taking shape within the CA / B
Forum is the idea of allowing an authentication duration identical to that
which we know today (two years) while forcing the certificates to be replaced
several times during this same period.

The main Certification Authorities, the bodies
that issue certificates, anticipate these changes and are working on several
automation systems to manage certificate life cycle. They would thus limit the
need to go through a potentially cumbersome re-authentication procedure with
each replacement. Companies could replace their certificates as many times as
they want during this period. This would make it possible to anticipate possible
further reductions in the maximum lifetime of certificates.

The trend is also towards the installation of
automation tools for the maintenance of a precise inventory of certificates on
the one hand and technical reinstallation on the other. Nameshield is closely
monitoring these various developments and will allow you to continue working
with confidence.

Our team is also at your disposal to anticipate these changes and answer any questions you may have.

First published at nameshield blog