July 26, 2019 Google
The issue was voted on by the CA/Browser Forum (CABF), which sets the requirements for SSL/TLS certificates, including the maximum validity period.
And now September 10
The results
Certificate Issuer Voting
For (11 votes): Amazon, Buypass, Certigna (DHIMYOTIS), certSIGN, Sectigo (formerly Comodo CA), eMudhra, Kamu SM, Let's Encrypt, Logius, PKIoverheid, SHECA, SSL.com
Against (20): Camerfirma, Certum (Asseco), CFCA, Chunghwa Telecom, Comsign, D-TRUST, DarkMatter, Entrust Datacard, Firmaprofesional, GDCA, GlobalSign, GoDaddy, Izenpe, Network Solutions, OATI, SECOM, SwissSign, TWCA, TrustCor, SecureTrust (formerly Trustwave)
Abstained (2): HARICA, TurkTrust
Certificate Consumer Voting
For (7): Apple, Cisco, Google, Microsoft, Mozilla, Opera, 360
Against: 0
Abstained: 0
According to the rules of the CA/Browser Forum, a ballot passes only if two-thirds of certificate issuers and 50% plus one vote among consumers vote in favor.
Representatives of Digicert
One way or another, the industry is not yet ready to shorten certificate validity periods and switch completely to automated solutions. CAs themselves may offer such services, but many customers have not yet implemented automation. The reduction of the validity period to 397 days is therefore postponed for now, but the question remains open.
Now Google can try to implement the standard "forcibly", as it did with the protocol
Recall that full automation is one of the principles on which the non-profit certificate authority Let's Encrypt operates. It issues free certificates to everyone, but the maximum certificate lifetime is limited to 90 days. Short lifetimes of certificates
- limiting damage from compromised keys and incorrectly issued certificates, as they are used for a shorter period of time;
- short-lived certificates support and encourage automation, which is absolutely essential to the ease of use of HTTPS. If we're going to migrate the entire World Wide Web to HTTPS, then we can't expect the administrator of every existing site to renew certificates manually. Once the issuance and renewal of certificates become fully automated, shorter certificate lifetimes will become more convenient and practical.
As for hiding the EV icon for SSL certificates in the address bar, the consortium did not vote on this issue, because browser UI is entirely the responsibility of developers. Chrome 77 and Firefox 70 will be released in September-October and will deprive EV certificates of their special place in the browser's address bar. Here's what the change looks like on the desktop version of Firefox 70:
It was:
Will be:
According to security specialist Troy Hunt, removing EV information from the address bar of browsers
Source: habr.com