Skip to main content
banner image
venafi logo

Jury Out on Whether Reducing Certificate Lifetimes Would Actually Improve Security

Jury Out on Whether Reducing Certificate Lifetimes Would Actually Improve Security

man shrugging his shouldders, torso shot, dressed in business attire
August 15, 2019 | David Bisson

Industry analysts are currently debating whether a proposal that would reduce the lifetime of digital certificates to a little over a year would actually do anything to improve website security.

 

During a meeting of the CA/Browser Forum’s Server Certificate Working Group on 25 July, Google developer Ryan Sleevi announced that he was close to finishing a draft proposal that would seek to cut back the maximum lifetime of HTTPS certificates to 13 months.
 




This isn’t the first time that someone has proposed shortening certificate lifetimes. Back in February 2017, for instance, members of the CA/Browser Forum collectively voted to pass Ballot 193. This action effectively reduced the maximum lifetime for DV and OV certificates from 39 months to 825 days—approximately 27 months.
 

Patrick Nohe, Editor-in-Chief of Hashed Out, said it therefore makes sense that the community is now moving to even shorter lifetimes. In his mind, this ongoing progression reflects an important consideration in the realm of digital certificates.


Certificate expire? Cybercriminals can find them on the Dark Web.

 

"Overall, shorter is better for security. There’s no arguing that. In terms of its real-world impact, this is going to make automation even more important in a certificate management context. It also might force CAs to re-assess their business model and move towards a subscription-based approach. The ballot calls for the new rule to go into effect March 1. We’ll see if that date gets pushed back to accommodate the CAs." 

Digital security writer Kim Crawley agreed with Nohe’s assessment.
 


“Shorter time durations for HTTPS certificates sounds like a great idea to me. Sometimes certs are breached,” noted Crawley. “A cert that lasts 13 months instead of 27 reduces the scope of data compromise when that happens. Proper machine identity management can handle the greater frequency of certificate deployment so users won't even have to worry about the CA/Browser Forum proposal if it's implemented, and it should improve web security.”
 

Security researcher Scott Helme takes the same tact, emphasizing that shorter certificate lifetimes will push the need for automation, ultimately leading to better health for PKI as a whole:
 


"The proposal to further reduce certificate lifetime is another positive step towards improving the PKI ecosystem. A shorter lifetime on certificates gives us more agility, reduces concerns around revocation and a lack of Forward Secrecy by allowing more frequent key rotation, to name just a few benefits.

 

If we look at the lifetime of certificates across history, they have only every been reduced, never increased. This latest proposal is a continuation of that trend and demonstrates the recent advances in the maturity of the ecosystem. With shorter certificate lifetimes comes a great encouragement to automate, and with more automation comes better security, reliablility and availability. 

Not everyone believes that shorter certificate lifetimes will improve security, however. For instance, DigiCert Technical Strategist Timothy Hollebeek recently argued that instituting shorter lifetimes could burden organizations with significant costs in terms of testing each certificate under an enterprise change management procedures.
 


He went on to say that the proposal would do nothing to combat malicious websites, as they tend to operate for very short time periods of weeks or months.
 

Mark Miller, director of customer support at Venafi, went on to assert that big organizations could simply skirt around forced certificate life spans by getting an exception and/or paying a little extra money. Because of that, Miller said a shortened lifetime for certificates wouldn’t have any meaningful impact on security.
 

UPDATE from Mark (responding to Social Media feedback): "We never condone and definitely never advocate skirting critical security measures. And, we all agree that shorter certificate lifespans definitely improve security. Although my initial comments may seem a bit pessimistic but they literally reflect what I have seen in some large organizations."
 


"I tend to agree with DigiCert [Hollebeek] that controlling certificate lifespans as a security measure is theoretical. In practice, organizations that actually enforce the security controls and policies that they have in place as well as use automation to quickly rotate compromised keys will reduce risk security risks substantially. This is not theoretical at all.
 

Perhaps they’re right. Maybe shorter lifetime certificates don’t have any significant effect on digital security. But even if that’s true, it doesn’t mean that adopting shorter lifetime certificates isn’t purposeful for organizations."
 

Ash Pala, global security architect at Venafi, highlights this point:
 


"From what I observe, limiting life-span of public-facing certs to 13 months is generally in line with the policies and goals of businesses that have embraced the agile or DevOps approach for their interactive / transactional websites where the volume of short-lived certificates continues to rise. The counter argument presented by DigiCert that certificates usage on fake websites is rising and that these very short-lived domains are specifically designed for malicious intent is in many ways a very different problem that certificate lifecycle will not affect."


The future of Sleevi’s latest proposal remains unclear as of this writing. Until the CA/Browser Forum officially votes on it, industry experts will no doubt continue to debate the merits of adopting shorter certificate lifetimes. In the meantime, Venafi global security architect Jens Sabitzer feels there are certain certificate issues on which everyone can reach agreement.
 


“Organizations are seeing certificate use increase dramatically,” Sabitzer pointed out. “The only way organizations will be able to keep up with both of these changes is to invest in a machine identity protection program that leverages automation. And, if you assume the downward pressure on certificate lifespans will continue and that certificate use will continue to increase, this investment is the only way organizations will be able to remain competitive since more and more of every business is digital."

 

Learn how the Venafi platform uses automation to strengthen your organization’s machine identity protection program.
 

Related Posts

 

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

Code signing, code signing certificate, infosec

5 Best Practices to Secure Your Code Signing Process

code signing, private keys, pki

Code Signing Credentials Are Machine Identities and Need to Be Protected

man in a car

Can Code Signing Be Both Fast and Secure?

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat