Apple takes the lead in limiting the duration of SSL
25 February 2020
Apple is going to limit the allowed validity of SSL certificates to a maximum of 13 months. From September 1, 2020, certificates with a duration of more than 13 months are no longer supported in the Safari browser. Chances are that other browsers will also start applying this measure, despite the fact that a proposal for an industry-wide change for this was rejected last year.
What is the impact?
As of 1 September 2020, SSL certificates with a validity period longer than 398 days will no longer be trusted in Safari, if the certificates were issued on or after 1 September 2020. Certificates with a longer validity that were issued before this date will continue to be supported during their validity. This change only applies to SSL certificates in Safari, not to client or code signing certificates. Safari is the first browser to implement this change, and is the most used browser after Chrome with a 18.2% market share. Chances are that other browsers will follow this initiative.
What is the reason?
A decade ago certificates with a validity of up to 10 years were still in circulation. In recent years, this term has been shortened several times to the current maximum of 27 months. In 2019, Google submitted a new proposal for a further limitation to 1 year. In September 2019, a majority of the members of the CA / Browser Forum voted against this, which cancelled the change for the time being. But because there are also many proponents, there is a chance that the duration will be limited industry-wide at some point. In addition to Apple, Logius, as manager of the Dutch PKIoverheid certificates, has already implemented the limit to 1 year as of November 1, 2019.
The CA / Browser forum (Certification Authority Browser Forum) consists of most CAs and browsers, and sets standards and guidelines that monitor the security of SSL certificates. They control security threats like the use of internal domains and outdated encryption methods. They argue that with certificates with a long duration the chance of abuse and outdated techniques is greater. For this reason, the duration was already limited to a maximum of 39 months in February 2015, and at the start of 2018 to 27 months. Besides, the last change initially proposed 13 months, after which a compromise of two years was chosen.
What do the opponents say?
On 9 September 2019, the CA / Browser Forum voted against ballot SC22, the proposal for a further limitation of the validity of SSL certificates to 13 months. Of the 32 voting CA's, 11 parties voted in favor and 19 against, the main counter argument being the greater administrative burden for organizations that use SSL certificates. For organizations that use a lot of SSL certificates and have not automated the management, a halving of the validity means doubling the required management time. Research from various CAs shows that at least three-quarters of the large enterprises have not yet automated their certificate management, and with smaller organizations that share is even greater.
What do the proponents say?
Logius, the PKIoverheid management organization, voted in favor and, moreover, implemented the change regardless of the outcome of the vote on November 1, 2019, because it sees more certainty in checking the data contained in certificates more frequently. Sectigo also voted in favor, arguing for the increasing use of automated certificate management, which eliminates a greater administrative load. All browsers in the CA / Browser Forum also voted in favor of the proposal.