SSL Certificates Will Now Be Capped At Two Years of Validity

The New Maximum SSL Certificate Validity Will Take Effect in 2018.

CAB Forum Ballot 193 has passed, which means a new, shorter maximum validity period for SSL certificates.

The CAB Forum is an industry body that sets many of the rules surrounding the issuance and formatting of SSL certificates – its membership is made up of Certificate Authorities, who issue certificates, and web browsers, where SSL certificates are most frequently used.

CAB Forum Ballot 193, which was proposed by Entrust, places a new limit on the maximum lifetime of all publicly trusted SSL certificates. The new limit will be 825 days – that’s two years with some padding built in to allow for renewal and replacement – and will come into effect on March 1st, 2018.

While voting on the ballot has not officially closed yet, as of this morning, the proposal already has the required number of votes and will be approved when voting closes at 23:00 UTC tonight.

Currently, the maximum SSL certificate validity period is 3 years (39 months to be exact), and CAs will continue to issue such certificates until the new ballot comes into effect.

This will affect all users of all Certificate Authorities and every type of publicly trusted certificate. Those who rely on very long-life certificates will be able to get new 39-month certificates until March 1st, 2018, which will secure their sites into mid-2021. After that they will need to be prepared for two-year replacements, and they should also expect the maximum SSL certificate validity to shrink further as the industry moves toward a yearly model.

Long-life certificates create problems for the industry because they impose a long delay on changes. For example, any ballot or regulation that took effect today would not be fully in force until all existing certificates had expired, up to 39 months later. While long-life certificates let individual users spend less time reinstalling certificates, they create too many problems for the ecosystem.

Beyond CAB Forum Ballot 193

Last month Google proposed its own ballot, which would have limited certificates to only 13 months. However, that ballot was widely opposed by both CAs and other browsers and was not passed.

The industry disagreed with Google’s specific changes – which would have quickly implemented a drastic reduction in the maximum allowed lifetime – but agreed that a serious move towards shorter lifetime was needed. CAB Forum Ballot 193 was proposed quickly after

Google has recently made its interest in shorter maximum lifetimes clear, citing the security problems that long-lived certificates pose. When its ballot failed, Google’s representative Ryan Sleevi suggested that Google may use other means to reduce maximums. As the distributor of a browser, Google is free to set its own requirements for a certificate to be trusted in Chrome.

While those rules would not apply to any other browser, in practice, Google’s requirements would become the new standard if they were stricter than what the CAB Forum set. This is because SSL certificates need to be functional in all major browsers to be considered useful, and CAs would have no choice but to comply.

Sleevi has not recently made any statements about creating such a requirement, and given that other browsers opposed 13-month certificates, it seems unlikely that Google will put a policy in place that the industry disagrees with.

Regardless of Google making a unilateral move, the industry will continue to pursue shorter certificate lifetimes. While these changes will happen slowly, all users of certificates should start mentally (and logistically) preparing themselves for a future with yearly renewals and replacements.

1 comment
  • I would fully expect a class action lawsuit for libel against Google if Chrome marked sites that have multiple year SSLs as potentially dangerous.
