Chromium developers
The condition applies to all public server certificates issued after September 1, 2020. A certificate that does not comply with this rule is rejected by the browser as invalid, with the specific error ERR_CERT_VALIDITY_TOO_LONG.
For certificates received before September 1, 2020, trust will be maintained and
The developers of Firefox and Safari had already introduced the same limit on the maximum lifetime of certificates. Change too
This means that websites using long-life SSL/TLS certificates issued after the cut-off point will generate privacy errors in browsers.
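A defender-side check for the rule described above, added here as an example (it is not code from the page or from the Chromium project): given a certificate's notBefore and notAfter dates it reports whether a browser enforcing the policy would accept it, and it audits a small inventory of certificates for the ones that would start failing. The page does not state the numeric limit; the 398-day value is the one Chrome adopted and is treated here as an assumption, as are the boundary conditions noted in the comments. The hostnames and dates are constructed for the example.

```python
from datetime import date, timedelta
from typing import List, Tuple, Union

# Cut-off date given on the page: public server certificates issued from this
# date on are subject to the maximum-validity rule.
CUTOFF = date(2020, 9, 1)

# The numeric limit is not stated on the page; 398 days is the value Chrome
# adopted for this policy and is treated here as an assumption.
MAX_VALIDITY_DAYS = 398

# Error string quoted on the page.
ERR_TOO_LONG = "ERR_CERT_VALIDITY_TOO_LONG"

DateLike = Union[date, str]


def as_date(d: DateLike) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string (inventories are often CSV)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def validity_days(not_before: DateLike, not_after: DateLike) -> int:
    """Whole days between notBefore and notAfter. Day granularity is an
    approximation; real validators compare the exact timestamps."""
    return (as_date(not_after) - as_date(not_before)).days


def policy_verdict(not_before: DateLike, not_after: DateLike,
                   cutoff: date = CUTOFF,
                   max_days: int = MAX_VALIDITY_DAYS) -> Tuple[bool, str]:
    """Return (accepted, reason) for one certificate under the lifetime rule.

    Assumptions (not from the page): the cut-off is inclusive, i.e. a
    certificate whose notBefore falls on the cut-off day is subject to the
    rule, and a validity of exactly max_days is still accepted.
    """
    nb, na = as_date(not_before), as_date(not_after)
    if na < nb:
        return False, "invalid: notAfter precedes notBefore"
    if nb < cutoff:
        return True, "ok: issued before cut-off, exempt from the limit"
    days = validity_days(nb, na)
    if days > max_days:
        return False, f"{ERR_TOO_LONG}: {days} days exceeds {max_days}"
    return True, f"ok: {days} days within {max_days}"


def audit_inventory(inventory: List[Tuple[str, DateLike, DateLike]]) -> List[Tuple[str, str]]:
    """Return (hostname, reason) for every certificate the browser would reject."""
    rejected = []
    for host, nb, na in inventory:
        accepted, reason = policy_verdict(nb, na)
        if not accepted:
            rejected.append((host, reason))
    return rejected


# Constructed sample inventory: hostnames and dates are made up for this example.
SAMPLE_INVENTORY = [
    ("legacy.example.test", date(2020, 6, 15), date(2022, 6, 14)),   # 2-year cert, issued pre-cut-off
    ("shop.example.test", date(2020, 10, 1), date(2022, 10, 1)),      # 2-year cert, issued post-cut-off
    ("api.example.test", date(2020, 10, 1), date(2020, 10, 1) + timedelta(days=398)),  # exactly at limit
    ("le.example.test", date(2021, 1, 10), date(2021, 4, 10)),        # 90-day style cert
]

if __name__ == "__main__":
    for host, reason in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Run against a real inventory, the `shop.example.test` style entries are the ones to renew before browsers roll the change out: a two-year certificate issued after the cut-off fails even though it is otherwise perfectly valid, while the identical certificate issued before the cut-off keeps working until it expires.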
Apple was the first to announce the new policy at a CA/Browser forum meeting.
Reducing certificate lifetimes has been discussed by Apple, Google, and other CA/Browser contributors for months now. This policy has its advantages and disadvantages.
The goal of the change is to improve website security: it ensures that site operators use certificates that meet the latest cryptographic standards, and it reduces the number of old, forgotten certificates that could be stolen and reused for phishing and drive-by attacks. If a weakness is found in the cryptography behind SSL/TLS certificates, short lifetimes mean that affected certificates can be replaced with more secure ones across the ecosystem within about a year.
Reducing the validity period also has drawbacks. By increasing the frequency of certificate replacement, Apple and the other browser vendors make life somewhat harder for site owners and companies that have to manage certificates and compliance.
On the other hand, Let's Encrypt and other certificate authorities encourage webmasters to implement automated procedures for renewing certificates. This reduces human overhead and the risk of errors as the frequency of certificate replacement increases.
Let's Encrypt already issues free HTTPS certificates that expire after 90 days and provides tools to automate renewal, so these certificates fit the overall infrastructure even better now that browsers cap the maximum validity period.
This change was put up for a vote by members of the CA/Browser Forum, but the decision
The results of the vote:
Certificate Issuers (CAs)
For (11): Amazon, Buypass, Certigna (DHIMYOTIS), certSIGN, Sectigo (formerly Comodo CA), eMudhra, Kamu SM, Let's Encrypt, Logius PKIoverheid, SHECA, SSL.com
Against (20): Camerfirma, Certum (Asseco), CFCA, Chunghwa Telecom, Comsign, D-TRUST, DarkMatter, Entrust Datacard, Firmaprofesional, GDCA, GlobalSign, GoDaddy, Izenpe, Network Solutions, OATI, SECOM, SwissSign, TWCA, TrustCor, SecureTrust (formerly Trustwave)
Abstained (2): HARICA, TurkTrust
Certificate Consumers (browsers)
For (7): Apple, Cisco, Google, Microsoft, Mozilla, Opera, 360
Against (0): none
Abstained (0): none
Browsers now enforce this policy without the consent of CAs.
Source: habr.com