
CA/Browser Forum Votes for 47-Day Cert Durations By 2029 (computerworld.com)

(Saturday April 19, 2025 @05:34PM (EditorDavid) from the short-certs dept.)


"Members of the CA/Browser Forum have voted to slash cert lifespans from the current one year to 47 days," [1]reports Computerworld , "placing an added burden on enterprise IT staff who must ensure they are updated."

> In a move that will likely force IT to much more aggressively use web certificate automation services, the Certification Authority Browser Forum (CA/Browser Forum), a gathering of certificate issuers and suppliers of applications that use certificates, voted [last week] to radically slash the lifespan of the certificates that verify the ownership of sites.

>

> The approved changes, which passed overwhelmingly, will be phased in gradually through March 2029, when the certs will only last 47 days.

>

> This [2]controversial change has been debated extensively for more than a year. The group's argument is that this will improve web security in various ways, but some have argued that the group's members have a strong alternative incentive, as they will be the ones earning more money due to this acceleration... Although the group voted overwhelmingly to approve the change, with zero "No" votes, not every member agreed with the decision; five members abstained...

>

> In roughly one year, on March 15, 2026, the "maximum TLS certificate lifespan shrinks to 200 days. This accommodates a six-month renewal cadence. The DCV reuse period reduces to 200 days," according to [3]the passed ballot . The next year, on March 15, 2027, the "maximum TLS certificate lifespan shrinks to 100 days. This accommodates a three-month renewal cadence. The DCV reuse period reduces to 100 days." And on March 15, 2029, "maximum TLS certificate lifespan shrinks to 47 days. This accommodates a one-month renewal cadence. The DCV reuse period reduces to 10 days."
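The schedule quoted above is easy to misread at the boundaries: the cap that applies is the one in force on the certificate's notBefore date, and the Baseline Requirements measure the Validity Period the way RFC 5280 does, from notBefore through notAfter inclusive, so a certificate whose notAfter is exactly notBefore plus 47 days is 47 days and one second long and exceeds the cap. The following checker is an added example, not code from the article, Computerworld or the CA/Browser Forum. Its phase dates and day counts are taken from the ballot text above; the 398-day limit it applies to certificates issued before March 15, 2026 is the current Baseline Requirements cap and is stated here from the BRs, not from the article. It reads dates in the `Apr 19 17:34:00 2025 GMT` form that `openssl x509 -noout -dates` prints; the sample dates in `__main__` are constructed.

```python
"""Check an X.509 validity window against the SC-081 phase-in schedule.

Added example; not code from the article or the CA/Browser Forum. Phase
dates and limits come from the ballot text quoted above; the 398-day cap
for certificates issued before March 15, 2026 is the current Baseline
Requirements limit (taken from the BRs, not from the article).
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# (effective notBefore, max validity days, max DCV reuse days), newest first.
SCHEDULE = [
    (datetime(2029, 3, 15, tzinfo=UTC), 47, 10),
    (datetime(2027, 3, 15, tzinfo=UTC), 100, 100),
    (datetime(2026, 3, 15, tzinfo=UTC), 200, 200),
    (datetime.min.replace(tzinfo=UTC), 398, 398),  # current BR cap (assumption: from the BRs)
]


def parse_openssl_date(text):
    """Parse the 'Apr 19 17:34:00 2025 GMT' form printed by
    `openssl x509 -noout -dates`; a 'notBefore='/'notAfter=' prefix is optional."""
    value = text.split("=", 1)[-1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC)


def limits_for(not_before):
    """Return (max_validity_days, max_dcv_reuse_days) in force for a
    certificate issued at not_before (aware UTC datetime)."""
    for effective, max_days, dcv_days in SCHEDULE:
        if not_before >= effective:
            return max_days, dcv_days
    raise ValueError("schedule must end with an open-ended phase")


def validity_period(not_before, not_after):
    """Validity Period as the BRs define it via RFC 5280: notBefore through
    notAfter inclusive, i.e. notAfter - notBefore plus one second."""
    return not_after - not_before + timedelta(seconds=1)


def check_lifetime(not_before, not_after):
    """Compare the certificate's inclusive validity against the cap that
    applies on its notBefore date."""
    max_days, dcv_days = limits_for(not_before)
    period = validity_period(not_before, not_after)
    return {
        "max_validity_days": max_days,
        "max_dcv_reuse_days": dcv_days,
        "validity_seconds": int(period.total_seconds()),
        "compliant": period <= timedelta(days=max_days),
    }


def latest_compliant_not_after(not_before):
    """Largest notAfter a CA may set for a cert issued at not_before without
    exceeding the cap: notBefore + cap - 1 second."""
    max_days, _ = limits_for(not_before)
    return not_before + timedelta(days=max_days) - timedelta(seconds=1)


if __name__ == "__main__":
    # Constructed sample in openssl's output format: a cert issued after the
    # 47-day phase starts, with notAfter exactly 47 days later (one second over).
    nb = parse_openssl_date("notBefore=Apr  1 00:00:00 2029 GMT")
    na = parse_openssl_date("notAfter=May 18 00:00:00 2029 GMT")
    print(check_lifetime(nb, na))
    print("latest compliant notAfter:", latest_compliant_not_after(nb))
```

Run it against a live certificate with `openssl x509 -in cert.pem -noout -dates` and feed the two lines to `parse_openssl_date`; the point of `latest_compliant_not_after` is that a renewal job targeting "47 days from issuance" has to subtract a second, which is why CAs have historically issued 397-day certificates under the 398-day cap.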

The changes "were primarily pushed by Apple," according to the article, partly to allow more effective reactions to possible changes in cryptography.

And Apple also wrote that the shift "reduces the risk of improper validation, the scope of improper validation perpetuation, and the opportunities for misissued certificates to negatively impact the ecosystem and its relying parties."

Thanks to Slashdot reader [4]itwbennett for sharing the news.



[1] https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html

[2] https://www.computerworld.com/article/3631627/website-certificates-that-expire-every-six-weeks-what-it-should-know.html

[3] https://github.com/cabforum/servercert/compare/b7fd69b36171d81930e7758482984ce957a1ce7a...91724f5f705443a73306f875149177aec304e376

[4] https://slashdot.org/~itwbennett



Needed? Or money grab? (Score:1)

by walterbyrd ( 182728 )

First post?

Re: (Score:3)

by allo ( 1728082 )

Needed because revocation is broken.

No money grab because there are several free CAs.

Re: Needed? Or money grab? (Score:1)

by ChemE2IT ( 933755 )

There are complex reasons revocation doesn't work, and simply saying "fix it" doesn't actually fix it. Search the Security Now podcasts if you care to learn why; Steve Gibson has discussed this for years, including recently. By the way, he is against shortening the duration. You seem to miss the point of the comment you were replying to, since 7 x $0 = $0. Plus, it's not clear that the annual cost will change for non-free certs. The work required will change if you do it manually, which encourages automation.

internal system / backend certs don't need this an (Score:2)

by Joe_Dragon ( 2206452 )

internal system / backend certs don't need this.

Re: (Score:2)

by bjoast ( 1310293 )

They are not affected by this.

Re: (Score:2)

by bjoast ( 1310293 )

Clarification: Assuming you have your own CA.

Re: (Score:1)

by cen1 ( 2915315 )

Correct me if I'm wrong but if browsers enforce this duration, then it IS affected.

Re: (Score:2)

by Nkwe ( 604125 )

> Correct me if I'm wrong but if browsers enforce this duration, then it IS affected.

It's generally not the browser that limits certificate lifetime -- the lifetime is embedded into the certificate and the browser enforces the expiration date baked into the certificate. If you run your own internal CA, you can issue certificates for whatever lifetime you want. You will have to add your internal CA's certificate to the browser's list of "trusted CAs" though. Depending on the browser, the list of trusted CAs may be configured within the browser install itself, or may be delegated to the opera

Re: (Score:2)

by Joe_Dragon ( 2206452 )

unless someone like Google codes in something like: if CA / cert life over XX days = mark CA / cert as untrusted.

47 days (Score:2)

by BettyJJ ( 2689927 )

may seem random, but it's probably meant as 1.5 months plus a day of wiggle room. I was hoping for 42 though.

will renew fees be the same = pay an more or be sa (Score:2)

by Joe_Dragon ( 2206452 )

will renewal fees be the same = pay a lot more, or be the same as for 1 year?

Re: (Score:2)

by vanyel ( 28049 )

Let's Encrypt will be the winner from this - free and automated.

One word (Score:1)

by Anonymous Coward

One word: Automation.

Posting as anonymous coward for obvious reasons - my current employment is PKI.

This will drive automation to a new level. There is no way IT grunts will be manually renewing these certificates. ACME, or something spawned from that, will be the name of the game for trusted TLS certificates. I've worked for companies where changing the TLS certificate on their main public facing websites was a whole process wrapped up in change control. Those processes will also need to change as it d

change control issues or java app injecting issues (Score:3)

by Joe_Dragon ( 2206452 )

Change control issues or Java app injecting issues / downtime make automation not work.

What about places where that cert change is part of a month-or-more-long change control process?

Re: (Score:2)

by Nkwe ( 604125 )

> There is absolutely no reason why internal systems need to use trusted certificates, and this will basically end that practice.

Being pedantic, but I assume you mean no reason for internal use of publicly trusted certificates. From a security point of view, it's a bad idea not to validate certificates on internal systems -- you need to validate them against your internal CA of course, but failure to validate would open you up to internal threats.

Re: (Score:2)

by Kernel Kurtz ( 182424 )

> One word: Automation.

Still needs testing and verification afterward. Now each instance will have ten chances to break each year instead of one.

> I've worked for companies where changing the TLS certificate on their main public facing websites was a whole process wrapped up in change control.

Probably somebody broke it in the past. I've seen that happen too.

47 (Score:2)

by nicubunu ( 242346 )

Any insight why they picked 47 as the magic number? Why not 46 or 48? Or more likely a multiple of 7, to account for weeks?

Re: (Score:2)

by Entrope ( 68843 )

I would guess ceil(31 * 1.5), but that's pretty arbitrary and (to me) 31+2*7 would make just as much sense.

Re: (Score:2)

by 93 Escort Wagon ( 326346 )

> Any insight why they picked 47 as the magic number? Why not 46 or 48? Or more likely a multiple of 7, to account for weeks?

I think for business purposes you'd want a multiple of 7 plus a few days extra, in case of unforeseen complications / emergencies - and 47 accomplishes that.

There's no reason you couldn't renew every 42 days under this stricture. Or schedule it "on the first Tuesday of each month".

Personally I see this as largely security theater, but trying to argue against it does seem like opposing the tides at this point...

sigh (Score:2)

by luvirini ( 753157 )

All the legacy systems will be so broken. Currently some of them are already a pain to update yearly, with no reasonable way to automate.

I guess there will be a need to put a reverse proxy with the automated certificate renewal in front of them.

How about no? (Score:2)

by sjames ( 1099 )

At the rate they're going, they'll need to invent new low latency networking and data processing technologies in order to renew the certs before the old one (issued 30 seconds ago) expires.

Yay (Score:2)

by peppepz ( 1311345 )

Even more red tape and gatekeepers who get a say in who can communicate over the Internet and how hard it has to be. I remember when it was Microsoft who wanted to make internet protocols more complicated in order to get a competitive edge over the open source community; back then when their plans were exposed there was outrage. Nowadays Google and Apple basically are the internet, and they don't need to work in the shadows to subvert the protocols, because whatever it is that they decide for the day is aut

Dentists also recommend cleanings every 47 days (Score:2)

by SubmergedInTech ( 7710960 )

And please change your car's oil every 47 days.

For the exact same reason.
