SSL Validity Limiting to One Year: Grab Yours Before Price Hike



The Certification Authority Browser Forum, also known as CA/Browser Forum, is all set to half the life of a SSL certificate. CA/B Forum is also limiting the maximum re-use of domain validation data and organisation data to maximum of 397 days (must not exceed 398 days).

Though it is not mentioned in the ballot but it is presumed that this ballot will not affect the digital certificates like Personal Authentication Certificate.

The ballot not only limited to validity of certificate but also validity of the organization data that will expire with expiry of the certificate. Therefore each website which is using either organization validation (OV) or extended validation (EV) certificate must have to go through the organization validation process every year.
Google came up with opinion that the less validity will keep the organisation data fresh, accurate and complete which is necessary for SSL security and reliability.
This Ballot modifies the Baseline Requirements and EV Guidelines to harmonize on a 397-day Validity Period on 1 March 2020, two years after the adoption of the 825-lifetime of Ballot 193 (and subsequently modified by Ballot 197). Ryan Sleevi from Google have made consensus among the forum members (CAs and Browsers).

History And Future Of SSL Validity

This isn’t the beginning and also not the end of reducing the ssl validity. CA/B Forum change the validity from 8 years to 5 years and then 3 years and after those 2 years in 2017. Now it is all set to turn down it to 1 year from March, 2020 onward.
Addressing the question and concern of CA’s on future of SSL capping, Ryan Sleevi from Google clarify, “I think if this is the path CAs wanted to take, it would have been more useful when Gerv and I suggested this as a possible intermediate path.

However, I think it's important to highlight that 13 months is the intermediate step - if we treated lifetimes the same way we, as an industry, were able to collectively address the many security holes in existing CA practices around validation, then I think we'd be moving to an end state closer to, say, 94 days.”

The choice of 397 days represents the maximum legitimate interpretation of a "thirteen-month" period; it's calculated from 366 days (considering leap years) along with a 31-day month, the longest in the calendar used by certificates.

And the “Must Not Exceed 398 days” also accommodate the different time zones and any other unexpected error. What About Existing Two Year Certificates?

Many CA’s are not happy with this ballot for a number of reasons and suggesting some changes or improvements. CAs raising a concern and said, “We want to avoid a cliff where customers and CAs have a mass number of domain and Organizational SSL verifications to do all at once.” Ryan Sleevi again clarifies that the existing certificates will not expire, before their expiry. It resolves the issue and feels the certificate owners relaxed because their existing certificates will have no issue with this ballot.

Apple is supportive of this proposal and will endorse it with some additional clarification in an implementation note or some other addressing of the issue of the partial day ambiguity.

Benefits Of Capping The Certificate Validity

Let's Encrypt would like to co-sponsor this ballot and claiming that they are issuing certificates with a maximum lifetime of 90 days since 2015, and have found that it works well, and is good for ecosystem security and reliability. 

Shorter certificate lifetimes encourage Subscribers to automate their issuance and installation workflow. This helps reliability by reducing missed renewals caused by someone forgetting to renew on time. That, in turn, improves security because Relying Parties are less likely to see expired certificate warnings.

 Less click-through on warnings means that more data is properly secured by certificates, increasing the value of certificates overall. Shorter certificate lifetimes also reduce the impact of certificates issued as a result of attacks (BGP hijacking, DNS credential compromise, etc).

Also, shorter certificate and validation lifetimes mean that when a validation method turns out to be weak, it can be disabled and removed quickly.

It used to be the case that Subscribers were reluctant to automate any part of certificate deployment because it was considered risky. There are now many more solutions for automating deployment safely, and much more understanding among Subscribers of the benefits that automation brings.

CA’s Willing to Delay the Deadline

Almost all CAs are willing to sign in favour of ballot but with some terms and conditions.

Some are willing to delay the deadline of March 2020 for 2 to 3 years simply because they need time to update and acclimatize the environment for one year validity scenario. The sudden shift to the new environment is certainly going to harm the CAs as well as SSL certificate users.

CAs are also describing the situations which were during previous transition and also advocating for avoiding the situation which is happening after every two years.

Sectigo is willing to endorse this ballot, but we have a couple of concerns, primarily around timing of implementation and future validity period changes. On the other hand Ryan Sleevi blames the CAs themselves that they are only stakeholders who are willing to proceed step by step to achieve the 94 days validity capping for SSL certificates and organisation data.

New Pricing With New Validity

As CAs are concerned about the environment setup and more staff engagements, both of these issues are going to raise the cost of issuance and validation.

No doubt costs are expected to go little upside because there will be no option to purchase for two years with highly discounted prices.

End Note

The organizations using the OV SSL or EV SSL certificate must be ready to verify their organization data every year with their CA. Software developers using the Code Signing certificates are also requires to update the organization data before signing a build. Other website administrators should keep in diary that they need to reinstall the certificate every year.

If possible just renew the ssl certificate before March 2020 and enjoy two years validity.