But even if CAB Forum Ballot 185 fails, it may happen anyway.
Last week, the Certificate Authority and Browser Forum began voting on a new proposal, CAB Forum Ballot 185, which would limit all SSL certificates to no more than 13 months validity.
The CAB Forum is a self-organized industry body that sets many of the rules governing the issuance of SSL certificates. The Forum exists to allow Certificate Authorities, which issue certificates, and vendors of Web Browsers, where SSL certificates are commonly used, to work together to set standards and policies.
A major, and recurring discussion within the Forum is about SSL certificate validity.
All SSL certificates have a validity period – a date range that tells you (and your computer) how long a certificate should be trusted for secure connections. After the validity period ends, the certificate expires. This is similar to our driver’s licenses and passports, which need to occasionally be renewed in order to confirm the information is still accurate.
If you want to know more about why it’s so important that SSL certificates expire, we wrote a whole article about that.
CAB Forum Ballot 185, proposed by Ryan Sleevi of Google, would lower the maximum allowed lifetime of all types of SSL certificates to 13 months (1 year plus a 1 month “buffer” period). Currently, SSL certificates can be issued for up to 39 months, and for EV certificates, that limit is 27 months. If the ballot is passed, this change would take effect in just 6 months.
This would mean that all websites and organizations using SSL certificates would need to replace and reinstall their certificates on a yearly basis. For some users, this would have a major impact.
Google and Mozilla are the main proponents of the new policy. Google’s Ryan Sleevi wrote, “the validity period of certificates represents the single greatest impediment towards improving the security of the Web PKI.”
But CAB Forum Ballot 185 has received criticism from the vast majority of the CAs. Dean Coclin, who represents Symantec in the CAB Forum, wrote “I don’t think anyone disagrees with the ‘shorter is better’ argument but ‘how short’ still seems to be a contested topic, at least for some.”
Robin Alden from Comodo, said “We are committed to security. Usable security. We represent many certificate holders who do not yet have sufficient technical expertise, manpower and/or automation to be able to cope with this proposed reduction in the maximum validity period.”
When talking about obscure industry standards bodies, this is about as exciting as it gets.
So why is there such strong debate over maximum validity? It is all about tradeoffs between security and usability.
The effectiveness of every other policy change is tied to the maximum validity. For example, suppose a new policy goes into effect on January 1, 2017 while the maximum validity is 39 months. There would be non-compliant certificates out there until April 2020, when the last certificates issued before the policy expire. That is quite a long time to wait.
If the maximum lifetime was 13 months, total compliance would happen by February 2018.
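The compliance-horizon arithmetic above, together with a check of an individual certificate's validity period against the proposed 13-month cap, as an added Python example that is not part of the article. It assumes "months" are counted as calendar months (the ballot text itself is not quoted here), and the certificate inventory it runs over is constructed.

```python
from datetime import date, timedelta

def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping the day to the target month.
    Assumption: the validity limits are counted in calendar months."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    next_month_start = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))

def compliance_horizon(policy_date: date, max_validity_months: int) -> date:
    """Date by which every certificate issued before policy_date has expired,
    i.e. the latest possible expiry of a maximum-length cert issued just before."""
    return add_months(policy_date, max_validity_months)

def exceeds_max_validity(not_before: date, not_after: date, max_months: int) -> bool:
    """True if the notBefore..notAfter span is longer than max_months calendar months."""
    return not_after > add_months(not_before, max_months)

def flag_overlong(certs, max_months: int):
    """Return the names of inventory entries whose validity exceeds max_months."""
    return [name for name, nb, na in certs if exceeds_max_validity(nb, na, max_months)]

# Constructed sample inventory (name, notBefore, notAfter); these are not real certificates.
SAMPLE_CERTS = [
    ("web-01", date(2017, 3, 1), date(2018, 4, 1)),    # exactly 13 months: within the cap
    ("web-02", date(2017, 3, 1), date(2018, 4, 2)),    # 13 months plus a day: over the cap
    ("legacy", date(2016, 6, 15), date(2019, 9, 15)),  # 39 months: the current maximum
]

if __name__ == "__main__":
    policy = date(2017, 1, 1)
    for cap in (39, 13):
        print(f"max {cap} months -> full compliance by {compliance_horizon(policy, cap)}")
    print("over 13 months:", flag_overlong(SAMPLE_CERTS, 13))
```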
A shorter maximum lifetime gives the industry the ability to move faster. While this likely does not matter to individual users, it’s important at the macro level. It affects everything from adopting obscure formatting changes, to important cryptographic algorithm changes (like the SHA-2 migration you have likely heard far too much about).
There are a number of other benefits as well, such as reducing the impact of any mistakes (such as mis-issued or unauthorized certificates), allowing for easier transitions if a CA needs to be distrusted, and improving the performance of CRL-based revocation checking, since a CRL only has to list revoked certificates that have not yet expired.
The majority of CAs and Web Browsers agree that keeping certificates around for too long is risky and makes the entire Web PKI slow and less secure.
However, CAs think that CAB Forum Ballot 185 is too drastic. It’s multiple steps in one – cutting the maximum lifetime down from 3 years to 1 year, and taking effect in only 6 months. CAs and their customers have a reason to be spooked.
The main argument against the change is that the benefit of shorter lifetimes is outweighed by the administrative hassle of yearly certificate replacement. Jeremy Rowley, Executive Vice President of Emerging Markets at the U.S. CA DigiCert, wrote “we’ve recently been polling our customers on their support to move to one year certs, and there isn’t quite the automation levels needed for us to support this ballot.”
It’s important to remember the scale some enterprises are working at. Some of the largest users out there have tens of thousands of certificates deployed across their network and websites.
In some cases, it’s a technological challenge – the environment and tools being used do not support automation that would allow for yearly replacement. But in other cases there are policy and organizational hurdles. Kevin Jones shared his experience from a past job where it took “weeks of coordination” to deploy new certificates with a third-party company they were partnered with. Jones said “going from 39 months to 13 months is over ambitious at this point.”
It isn’t only CAs opposing CAB Forum Ballot 185. Jody Cloutier, who represents Microsoft, a browser member, in the CAB Forum, wrote, “Microsoft appreciates this effort and agrees that shortening is the right thing to do, but this ballot proposes a period that is too short to be workable. We, therefore, vote NO and encourage others to do the same.”
You Can’t Always Get What You Want (Unless You Are a Web Browser)
The CAB Forum has debated certificate lifetime for years. At one point, CAs were issuing certificates for up to a decade. But certificate validity has been on a downward trend as it has become obvious that extremely long-lasting certificates are a security risk and an operational hassle. In 2014, the CAB Forum agreed to reduce maximum certificate validity from 5 years to 3 years.
Many CAs are amenable to cutting that down further, but say that too many organizations are not ready for the change yet.
Dimitris Zacharopoulos, representative for HARICA, a regional CA in Greece, wrote “replacing these certificates manually (automation techniques are not mature enough for these systems), requires significant work effort.” Zacharopoulos said this ballot will change too much too fast for end users, and it “will catch them by surprise.”
Google proposed CAB Forum Ballot 185 two weeks ago, and while maximum validity has been frequently discussed, many CAs say the sudden focus on changing maximum validity within the year has taken them by surprise.
Similar to the US Congress, the CAB Forum is bicameral. The CAs and Browsers represent different constituents and interests, and a ballot needs to receive majority support from both ‘houses’ to pass.
Right now, it is extremely unlikely that Ballot 185 will pass. The voting period will end this week on the 24th. So far (as of this writing) 11 votes have been cast by CAs, 10 against the ballot.
However, even if the CAB Forum fails to pass Ballot 185, that does not mean reducing maximum validity to 13 months is off the table. The odd thing about the CAB Forum is that browsers don’t need its approval to change policy.
Every browser needs a root store (also known as a trust store), which gives it a basis for trusting SSL certificates. A browser can manage its own root store or use an existing one. The majority of browsers choose to manage their own, through a Root Program, where they set their own rules for inclusion.
This essentially gives web browsers unlimited power to implement their own policies, and they have used this power in the past to implement policies that did not get approval in the CAB Forum.
Google’s Ryan Sleevi wrote that if the CAB Forum fails to come to consensus on shorter certificate validity, “the next step will be to require these changes as part of a browser program – both as to considering a certificate trusted and to considering a certificate misissued – in order to ensure security needs are met.”
Whether the CA industry likes it or not, drastically shorter certificate lifetimes are likely coming, and soon.