90-day digital certificates on the table
Google recently announced its plans to reduce the maximum validity for digital certificates from 398 days to 90 days. This change will have significant implications for organisations around the world, as it follows a trend of shrinking certificate lifespans.
Google intends to enforce this change through a policy update or a CA/B Forum Ballot Proposal. Organisations should prepare for the transition to shorter lifespans by automating the management of their digital certificates.
The Chromium Project announced on 03.03.2023, as part of its Root Program Policy, that it is time to promote modern infrastructures by requiring operators to rotate aging root CAs with newer ones, and proposed:
a reduction of TLS server authentication subscriber certificate maximum validity from 398 days to 90 days. Reducing certificate lifetime encourages automation and the adoption of practices that will drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes. These changes will allow for faster adoption of emerging security capabilities and best practices, and promote the agility required to transition the ecosystem to quantum-resistant algorithms quickly.
Decreasing certificate lifetime will also reduce ecosystem reliance on “broken” revocation checking solutions that cannot fail-closed and, in turn, offer incomplete protection. Additionally, shorter-lived certificates will decrease the impact of unexpected Certificate Transparency Log disqualifications.
– The Chromium Project
The aim is to move companies away from manual renewal and installation processes towards automation. This will help reduce risk and avoid outages and breaches caused by incorrect use or renewal of certificates.
Is Google capable of pushing the industry to adopt shorter certificate lifespans?
While only the CA/B Forum has the authority to mandate lifespans for certificates, web browsers have the freedom to set their own root program requirements, which includes certificate lifespans. Google Chrome, with its substantial market share, has the power to influence the industry by implementing changes that would become the norm. Google has shown a willingness to cooperate by proposing that the change to 90-day certificate lifespans could be implemented as a policy update or a CA/B Forum Ballot Proposal in the future.
The reduction of the lifetime of digital certificates to 90 days has not yet been finally decided. It is a proposal of the Chrome team that still has to be discussed in the CA/Browser Forum. A decision is expected sometime in 2023. It’s likely organisations will be given time to adjust to any newly agreed policy changes, but it is time to start planning around this possible outcome.
brandsec is planning for this event
We recognise that it’s important for our Clients to consider managing digital certificates with shorter lifespans. With the number of digital certificates organisations are required to manage growing rapidly, the risk of outage or breach also increases. Manual renewal and deployment of each server certificate more than four times per year will be incredibly difficult and time-consuming, especially for organisations with dozens, hundreds, or thousands of digital certificates.
Brandsec will be working with partners to adapt to the 90-day certificate changes and provide whatever support is necessary to help our customers and partners avoid any disruptions. We will update the API and plugins as needed and/or provide any new tools. We will also provide personalised assistance through our integration services. Our solution will be able to automate all certificate processes, from discovery to inventory, monitoring, renewals, replacements and deployments, and handle large volumes of certificates with ease (including automatic alerts and notifications for expiring or revoked certificates). More will follow shortly.
About brandsec
brandsec is an Australian domain name management provider that offers online brand management solutions to corporate and government organisations.
Our services include domain name management, domain name security, domain name policy development, dispute management, monitoring, and enforcement services. Additionally, brandsec offers a comprehensive online brand protection service that covers various platforms such as websites, social media, email, and online marketplaces. The service addresses issues related to counterfeiting, fakes, copyright infringement, intellectual property (IP) matters, piracy, and other IP-related issues.