CAB Forum Reduces Maximum Certificate Validity to 825 Days

Last year, Google’s Ryan Sleevi, one of the leading engineers on its Chrome browser, proposed Ballot 185 at the CAB Forum. The CAB Forum is a collective of Certificate Authorities and Browsers that acts as a de facto regulatory body for the SSL industry. Ballot 185 sought to shorten the maximum lifespan of an SSL certificate to just 18 months.

The Ballot was supported by Google and Mozilla but voted down almost unanimously by the CAs. Still, the message had been sent. Shorter certificate validity was coming.

Fast forward a few months to Ballot 193, a more measured attempt to shorten the maximum validity of a certificate. Instead of slicing the max validity in half to 18 months, it sought to reduce the max validity of Domain Validated and Organization Validated SSL certificates to the same max length as Extended Validation certificates, 825 days (24 months for new certificates, up to 27 for renewals).
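As an added example (not code from the original post): a small Python check that decodes the X.509 Validity sequence straight from DER and flags certificates whose lifetime exceeds the 825-day cap described above, handling both UTCTime and GeneralizedTime encodings. The two sample validity periods are constructed for this example, not taken from real certificates.

```python
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 825  # Ballot 193 cap for DV/OV, matching the existing EV maximum

def _read_tlv(buf, pos):
    """One DER tag/length/value at pos (short-form length, enough for Validity)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected inside Validity")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def _decode_time(tag, raw):
    """Decode UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (tag 0x18,
    YYYYMMDDHHMMSSZ). Per RFC 5280, UTCTime years 50-99 mean 19xx and 00-49
    mean 20xx; dates from 2050 onward must be encoded as GeneralizedTime."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("unexpected tag %#x in Validity" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_validity(der):
    """Parse DER Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, pos = _read_tlv(body, 0)
    t2, v2, _ = _read_tlv(body, pos)
    return _decode_time(t1, v1), _decode_time(t2, v2)

def lifetime_days(der):
    not_before, not_after = parse_validity(der)
    return (not_after - not_before).days

def exceeds_cab_forum_max(der):
    """True when the certificate's lifetime is longer than the 825-day cap."""
    return lifetime_days(der) > MAX_VALIDITY_DAYS

def _validity(not_before, not_after):
    """Build a constructed Validity sequence (UTCTime) for the samples below."""
    def t(s):
        return bytes([0x17, len(s)]) + s.encode("ascii")
    body = t(not_before) + t(not_after)
    return bytes([0x30, len(body)]) + body

# Constructed samples (made up for this example): a 3-year certificate
# issued 2017-04-03, which exceeds the cap, and a 2-year one, which complies.
THREE_YEAR = _validity("170403000000Z", "200403000000Z")
TWO_YEAR = _validity("170403000000Z", "190403000000Z")
```

In practice you would feed this the Validity bytes pulled from a real certificate's TBSCertificate rather than the constructed samples.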

Why shorter SSL certificate validity is desirable

While your first inclination may be to blame this on the CAs and call it a marketing ploy, that’s not accurate. In fact, most CAs, advocating for their customers, didn’t even want to shorten maximum validity to two years. Many companies and organizations are managing tens or even hundreds of certificates and lack the infrastructure to automate renewal. This creates a lot of friction and isn’t ideal.

The push came from the browsers and from free CAs like Let’s Encrypt. The reason shorter is better, they argue, is two-fold.

On the one hand, if you’re going to be validating identity – anything from site control on up to extended validation – it’s important that the entity you’re validating checks back in every so often to ensure that nothing has changed. This is no different from renewing a driver’s license: after a certain period of time you have to go back and update your information, take a new picture, and so on, to ensure that the identifying information you provided is still accurate.

You can see why this would be important online, where trust can be an issue. Here’s an example: say a website passes into different hands. Maybe someone forgot to renew and a squatter got it. If the CA never checks in with the entity that owns the site, the new owner can easily impersonate the original one and do all kinds of nefarious things.

So, shorter validity means the CAs keep better tabs on the identities of the organizations and people that are requesting the certificates.

The second, and more important, reason that shorter is better comes down to security. With every day that goes by, technology is evolving, and as new technology grows, older technology becomes outdated. This is especially true with cipher suites – the group of supported ciphers and algorithms used to set up an encrypted connection. If you purchase a 3-year certificate, over those three years some of the algorithms and protocol versions that are supported may have vulnerabilities discovered or weaknesses exposed. You don’t want to go three years between updates to your security implementation. That’s bad security.

How much shorter will certificate lifespans get?

Let’s Encrypt issues 90-day certificates, and many in the infosec community even think that’s too long. In other contexts (for instance with HSTS headers), Google is on the record as saying 10 weeks (70 days) was the maximum period that validation information is good for. That’s just a little over two months.

On the other hand, most CAs will admit that in the past, 5 years was probably too long, and even 3 potentially opens up issues. Two was the compromise, for now. However, don’t be surprised if in the future Google submits its original ballot again and max validity gets shortened to 12 or 15 months.

Originally posted on Mon Apr 3, 2017