At the most recent CA/Browser Forum (CABF) meeting in late February, Google announced its "Moving Forward, Together" direction. This initiative includes a proposal to reduce the maximum TLS certificate validity and domain validation reuse period from the current 398 days to 90 days, which will impact many certificate subscribers. Google’s justification states:
“Reducing certificate lifetime encourages automation and the adoption of practices that will drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes. These changes will allow for faster adoption of emerging security capabilities and best practices, and promote the agility required to transition the ecosystem to quantum-resistant algorithms quickly. Decreasing certificate lifetime will also reduce ecosystem reliance on “broken” revocation checking solutions that cannot fail-closed and, in turn, offer incomplete protection.”
The 90-day certificate validity does not appear to be the goal in itself; it is used to encourage automation so that certificates can be replaced faster. Entrust also encourages this type of direction, as we have seen that some of certificate subscribers’ biggest issues are certificate expiry and the inability to replace mis-issued certificates at a rapid pace. Automation would help to mitigate these issues.
To date, the CABF has had no discussions, proposals, or ballots on changing the maximum TLS certificate validity period to 90 days. We expect that any ballot to shorten the certificate validity period would take six months to a year to conclude. Also, the results of a Google survey presented to the CABF indicate that the Automatic Certificate Management Environment (ACME, RFC 8555) is not yet ubiquitous: 58.3% of CA owners included in the Chrome Root Store do not offer ACME services. As such, we believe there will be a substantial grace period to not only allow CAs to implement ACME, but also to allow subscribers and service providers such as platform/software as a service (PaaS/SaaS) and content delivery networks (CDNs) to deploy ACME on their servers or platforms in a way that gives the subscriber the ability to decide which CA or type of certificate (OV/EV/QWAC) they would like to request and provision.
Even if CAs and other browsers don’t share Google’s objectives, there is a chance that Google could unilaterally make this change in its root program and force the entire industry in this direction at a time of its choosing. We hope that browsers will not make this decision unilaterally, but instead allow the decision to be made with broad industry and website owner consensus.
Another issue is that Google has presented no public research or factual data showing that such a change to the ecosystem is necessary or useful in many use cases. We believe there will be much discussion before a 90-day ballot passes at the CABF, as several CAs have indicated that a requirement for 90-day certificates might have far-reaching implications. Several EU governmental bodies have also expressed concern over the market and competitive implications of Google’s proposal and its impact on eIDAS Qualified Website Authentication Certificate objectives, which are now being reasserted in the EU’s update of its eIDAS legislation.
Entrust does not believe that a maximum 90-day limit for TLS certificate lifetimes is the only method to drive automation and the deployment of ACME. Additionally, Entrust doesn’t believe that ACME is the only method for automation, or that it would be accepted by some of the most complex subscriber secure server deployments. Rather, we believe subscribers should be encouraged to deploy automation, but should not be discouraged by the cost and complexity of certificates with a 90-day maximum validity.
While Entrust is not currently in favor of a mandatory 90-day certificate limit, we have no objection to 90-day certificates if that is what a website wants to use. We are always working to improve or extend our validation, issuance, and management processes, including greater use of automation through integrations with certificate lifecycle management (CLM) solutions such as Entrust Certificate Hub, AppViewX, Venafi, and ServiceNow, as well as automation through ACME v2, CMP, SCEP, and other new methods.
We understand that this Google proposal may be causing our customers considerable concern. In accordance with Google’s instructions on its Chrome Root Program Policy, we encourage customers to direct any questions or input regarding the Google proposal to [email protected]; please feel free to share a copy with us at [email protected].
We are closely monitoring this situation and we will keep you posted as new information becomes available.