Forum CA/B voted against reducing the validity of SSL certificates to 397 days

On July 26, 2019, Google proposed reducing the maximum validity period of SSL/TLS server certificates from the current 825 days to 397 days (about 13 months), i.e. roughly by half. Google's position is that only fully automated handling of certificates will eliminate the current security problems, which are often attributed to the human factor; ideally, therefore, the goal should be automated issuance of short-lived certificates.

The issue was voted on by the CA/Browser Forum (CABF), which sets the requirements for SSL/TLS certificates, including the maximum validity period.

On September 10 the results were announced: the consortium members voted against the proposal.

The results

Certificate Issuer Voting

For (11 votes): Amazon, Buypass, Certigna (DHIMYOTIS), certSIGN, Sectigo (formerly Comodo CA), eMudhra, Kamu SM, Let's Encrypt, Logius, PKIoverheid, SHECA, SSL.com

Against (20): Camerfirma, Certum (Asseco), CFCA, Chunghwa Telecom, Comsign, D-TRUST, DarkMatter, Entrust Datacard, Firmaprofesional, GDCA, GlobalSign, GoDaddy, Izenpe, Network Solutions, OATI, SECOM, SwissSign, TWCA, TrustCor, SecureTrust (formerly Trustwave)

Abstained (2): HARICA, TurkTrust

Certificate Consumer Voting

For (7): Apple, Cisco, Google, Microsoft, Mozilla, Opera, 360

Against: 0

Abstained: 0

Under the rules of the CA/Browser Forum, a ballot passes only if two-thirds of the certificate issuers and at least 50% plus one of the certificate consumers vote in favor.

Representatives of DigiCert apologized for missing the vote, saying they would have voted in favor of reducing certificate validity. They noted that a shorter expiration date may be a problem for some customers, but that in the long run it brings security benefits.

One way or another, the industry is not yet ready to reduce certificate validity and switch completely to automated solutions. CAs themselves may offer such services, but many customers have not yet implemented automation. The reduction to 397 days is therefore postponed for now, but the question remains open.

Google can now try to impose the standard "forcibly", as it did with the Certificate Transparency protocol. Moreover, it has the support of the other browser vendors: Apple, Microsoft, Mozilla and Opera.

Recall that full automation is one of the principles on which the non-profit certification authority Let's Encrypt operates. It issues free certificates to everyone, but the maximum certificate lifetime is limited to 90 days. Short certificate lifetimes have two main benefits:

  1. limiting damage from compromised keys and incorrectly issued certificates, as they are used for a shorter period of time;
  2. short-lived certificates support and encourage the automation that is absolutely essential to the ease of use of HTTPS. If we're going to migrate the entire World Wide Web to HTTPS, then we can't expect to manually renew certificates from the administrator of every existing site. Once the issuance and renewal of certificates becomes fully automated, shorter certificate lifetimes will become more convenient and practical.
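As an added example, not part of the article, here is a small standard-library-only Python audit that measures a certificate's lifetime against the 825-day limit in force and the proposed 397-day limit, and flags when an automated renewal should have started. The certificate dates are constructed, and the "renew when one third of the lifetime remains" rule is an assumption modelled on the 90-day / renew-at-30-days practice.

```python
# Added example (not from the article): audit certificate validity periods
# against the limits discussed above, using only the Python standard library.
import ssl
from datetime import datetime, timedelta, timezone

CURRENT_MAX_DAYS = 825   # maximum validity allowed at the time of the vote
PROPOSED_MAX_DAYS = 397  # limit proposed in the ballot


def _parse(ts: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form that ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)


def validity_report(cert: dict, now: datetime, renew_fraction: float = 1 / 3) -> dict:
    """cert is a dict shaped like ssl.getpeercert() output ('notBefore'/'notAfter').

    Returns the lifetime in days, compliance with both limits, and whether an
    automated renewal is already due (assumption: renew once `renew_fraction`
    of the lifetime remains, i.e. the 90-day / 30-day Let's Encrypt pattern).
    """
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    lifetime = not_after - not_before
    renew_at = not_after - lifetime * renew_fraction
    return {
        "lifetime_days": lifetime.days,
        "within_825": lifetime.days <= CURRENT_MAX_DAYS,
        "within_397": lifetime.days <= PROPOSED_MAX_DAYS,
        "expired": now >= not_after,
        "renewal_due": now >= renew_at,
        "days_left": (not_after - now).days,
    }


def needs_reissue(certs: dict, now: datetime) -> list:
    """Names of certificates that would exceed the proposed 397-day limit."""
    return [name for name, c in certs.items()
            if not validity_report(c, now)["within_397"]]


# Constructed sample data: three certificates with 90-, 825- and 397-day lifetimes.
SAMPLE_CERTS = {
    "le-style-90d":  {"notBefore": "Jul  1 00:00:00 2019 GMT", "notAfter": "Sep 29 00:00:00 2019 GMT"},
    "max-825d":      {"notBefore": "Jan  1 00:00:00 2018 GMT", "notAfter": "Apr  5 00:00:00 2020 GMT"},
    "proposed-397d": {"notBefore": "Jan  1 00:00:00 2019 GMT", "notAfter": "Feb  2 00:00:00 2020 GMT"},
}
NOW = datetime(2019, 9, 10, tzinfo=timezone.utc)  # day the vote results were announced

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, validity_report(cert, NOW))
    print("would need re-issuance under 397-day limit:", needs_reissue(SAMPLE_CERTS, NOW))
```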

A GlobalSign poll on Habr showed that 73.7% of respondents are "rather supportive" of reducing certificate validity.

As for hiding the EV icon for SSL certificates in the address bar, the consortium did not vote on this issue, because the issue of browser UI is entirely the responsibility of developers. In September-October, new versions of Chrome 77 and Firefox 70 will be released, which will deprive EV certificates of a special place in the browser's address bar. Here's what the change looks like on the desktop version of Firefox 70:

Before: [screenshot of the Firefox address bar with the EV indicator]

After: [screenshot of the Firefox 70 address bar without the EV indicator]

According to security specialist Troy Hunt, removing EV information from the browser address bar effectively buries this type of certificate.

Source: habr.com
