Industry analysts are currently debating whether a proposal that would reduce the lifetime of digital certificates to a little over a year would actually do anything to improve website security.
During a meeting of the CA/Browser Forum’s Server Certificate Working Group on 25 July, Google developer Ryan Sleevi announced that he was close to finishing a draft proposal that would seek to cut back the maximum lifetime of HTTPS certificates to 13 months.
This isn’t the first time that someone has proposed shortening certificate lifetimes. Back in February 2017, for instance, members of the CA/Browser Forum collectively voted to pass Ballot 193. This action effectively reduced the maximum lifetime for DV and OV certificates from 39 months to 825 days—approximately 27 months.
Patrick Nohe, Editor-in-Chief of Hashed Out, said it therefore makes sense that the community is now moving to even shorter lifetimes. In his mind, this ongoing progression reflects an important consideration in the realm of digital certificates.
"Overall, shorter is better for security. There’s no arguing that. In terms of its real-world impact, this is going to make automation even more important in a certificate management context. It also might force CAs to re-assess their business model and move towards a subscription-based approach. The ballot calls for the new rule to go into effect March 1. We’ll see if that date gets pushed back to accommodate the CAs."
Digital security writer Kim Crawley agreed with Nohe’s assessment.
“Shorter time durations for HTTPS certificates sounds like a great idea to me. Sometimes certs are breached,” noted Crawley. “A cert that lasts 13 months instead of 27 reduces the scope of data compromise when that happens. Proper machine identity management can handle the greater frequency of certificate deployment so users won't even have to worry about the CA/Browser Forum proposal if it's implemented, and it should improve web security.”
Security researcher Scott Helme takes the same tact, emphasizing that shorter certificate lifetimes will push the need for automation, ultimately leading to better health for PKI as a whole:
"The proposal to further reduce certificate lifetime is another positive step towards improving the PKI ecosystem. A shorter lifetime on certificates gives us more agility, reduces concerns around revocation and a lack of Forward Secrecy by allowing more frequent key rotation, to name just a few benefits.
If we look at the lifetime of certificates across history, they have only every been reduced, never increased. This latest proposal is a continuation of that trend and demonstrates the recent advances in the maturity of the ecosystem. With shorter certificate lifetimes comes a great encouragement to automate, and with more automation comes better security, reliablility and availability.
Not everyone believes that shorter certificate lifetimes will improve security, however. For instance, DigiCert Technical Strategist Timothy Hollebeek recently argued that instituting shorter lifetimes could burden organizations with significant costs in terms of testing each certificate under an enterprise change management procedures.
He went on to say that the proposal would do nothing to combat malicious websites, as they tend to operate for very short time periods of weeks or months.
Mark Miller, director of customer support at Venafi, went on to assert that big organizations could simply skirt around forced certificate life spans by getting an exception and/or paying a little extra money. Because of that, Miller said a shortened lifetime for certificates wouldn’t have any meaningful impact on security.
UPDATE from Mark (responding to Social Media feedback): "We never condone and definitely never advocate skirting critical security measures. And, we all agree that shorter certificate lifespans definitely improve security. Although my initial comments may seem a bit pessimistic but they literally reflect what I have seen in some large organizations."
"I tend to agree with DigiCert [Hollebeek] that controlling certificate lifespans as a security measure is theoretical. In practice, organizations that actually enforce the security controls and policies that they have in place as well as use automation to quickly rotate compromised keys will reduce risk security risks substantially. This is not theoretical at all.
Perhaps they’re right. Maybe shorter lifetime certificates don’t have any significant effect on digital security. But even if that’s true, it doesn’t mean that adopting shorter lifetime certificates isn’t purposeful for organizations."
Ash Pala, global security architect at Venafi, highlights this point:
"From what I observe, limiting life-span of public-facing certs to 13 months is generally in line with the policies and goals of businesses that have embraced the agile or DevOps approach for their interactive / transactional websites where the volume of short-lived certificates continues to rise. The counter argument presented by DigiCert that certificates usage on fake websites is rising and that these very short-lived domains are specifically designed for malicious intent is in many ways a very different problem that certificate lifecycle will not affect."
The future of Sleevi’s latest proposal remains unclear as of this writing. Until the CA/Browser Forum officially votes on it, industry experts will no doubt continue to debate the merits of adopting shorter certificate lifetimes. In the meantime, Venafi global security architect Jens Sabitzer feels there are certain certificate issues on which everyone can reach agreement.
“Organizations are seeing certificate use increase dramatically,” Sabitzer pointed out. “The only way organizations will be able to keep up with both of these changes is to invest in a machine identity protection program that leverages automation. And, if you assume the downward pressure on certificate lifespans will continue and that certificate use will continue to increase, this investment is the only way organizations will be able to remain competitive since more and more of every business is digital."