Discussing Benefits of Shorter, 13-Month SSL Certificate Validity

March 9, 2017

The CAB Forum (Certificate Authority and Browser Forum) vote on the ballot to reduce SSL certificate lifespan to a maximum of 13 months is currently being discussed by security experts and analysts everywhere.

The Certificate Authority and Browser Forum is a self-organized industry body, which, as stated in the Forum’s bylaws, “advances industry best practices to improve the ways that certificates are used to the benefit of Internet users and the security of their communications.”


CAB Forum Ballot 185, proposed by Ryan Sleevi of Google, seeks to lower the maximum allowed lifetime of all types of SSL certificates to 13 months. This amounts to a validity of one year plus a “buffer” period of one month. (SSL certificates are currently issued for up to 39 months, and for EV certificates the limit is 27 months.)

The Certificate Authorities (CAs) are mostly against this; they argue that their customers are not yet ready for such a development, i.e., a yearly replacement of SSL certificates. It might not matter for someone who manages a single certificate, but for enterprises that deploy many, even thousands of, certificates at a time, this may be a pain.

On the other hand, Google (and even Mozilla) seem to think that it’s time long-life certificates were done away with. They think that SSL certificates with shorter validity periods would make for a healthier industry and also help ensure better security.

Take a more analytical look at things and you’d realize that shorter validity periods for SSL certificates are, after all, a good thing. For one, they let the industry adopt new policies and cryptography rather quickly. The possible damage from certificate mis-issuance is also minimized, since a wrongly issued certificate stays valid for less time. Shorter validity periods would also encourage enterprises and organizations to take a more proactive stance on certificate management and make them update their configurations more frequently. We should remember that SSL certificates with longer validity sometimes make companies adopt a rather dismissive stance towards the importance of SSL certificates. It also leads to expired certificates, neglected configurations, etc.
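To make the certificate-management point concrete, here is an added Python example (not code from the original post or the CAB Forum): it audits certificates in the dict form that Python's `ssl.getpeercert()` returns, flags any whose lifetime exceeds the proposed 13-month ceiling, and reports how many days remain so renewals are not missed. The 30-day warning threshold and the sample certificates are assumed and constructed for the example.

```python
import ssl
import calendar
from datetime import datetime, timezone

MAX_VALIDITY_MONTHS = 13  # Ballot 185 as described above: one year plus a one-month buffer
WARN_DAYS = 30            # assumed renewal-warning threshold, not from the post

def parse_cert_time(cert_time: str) -> datetime:
    """Parse the notBefore/notAfter strings that ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def add_months(d: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day (Jan 31 + 1 month -> Feb 28)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return d.replace(year=year, month=month, day=min(d.day, calendar.monthrange(year, month)[1]))

def common_name(cert: dict) -> str:
    """Pull commonName out of the nested subject tuples ssl.getpeercert() uses."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def audit(certs, now_cert_time: str, max_months=MAX_VALIDITY_MONTHS, warn_days=WARN_DAYS):
    """One finding per cert: lifetime, whether it exceeds max_months, and time to expiry."""
    now = parse_cert_time(now_cert_time)
    findings = []
    for cert in certs:
        not_before, not_after = parse_cert_time(cert["notBefore"]), parse_cert_time(cert["notAfter"])
        days_left = (not_after - now).days
        findings.append({
            "cn": common_name(cert),
            "lifetime_days": (not_after - not_before).days,
            "exceeds_max": not_after > add_months(not_before, max_months),
            "days_left": days_left,
            "renew_soon": days_left <= warn_days,
        })
    return findings

SAMPLE_CERTS = [  # constructed, in ssl.getpeercert() dict form; not real certificates
    {"subject": ((("commonName", "one-year.example"),),),
     "notBefore": "Mar  9 00:00:00 2017 GMT", "notAfter": "Mar  9 00:00:00 2018 GMT"},
    {"subject": ((("commonName", "thirteen-months.example"),),),
     "notBefore": "Mar  9 00:00:00 2017 GMT", "notAfter": "Apr  9 00:00:00 2018 GMT"},
    {"subject": ((("commonName", "legacy-39-months.example"),),),
     "notBefore": "Mar  9 00:00:00 2017 GMT", "notAfter": "Jun  9 00:00:00 2020 GMT"},
]
```

Calling `audit(SAMPLE_CERTS, "Feb 10 00:00:00 2018 GMT")` flags the 39-month certificate as exceeding the ceiling and the one-year certificate as due for renewal within 30 days; a live inventory can be fed the same way from each server's peer certificate.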

The change that Google seeks to bring in does seem drastic. Still, when we think of it from the perspective of overall security and the benefits to enterprises, we’d be convinced that going in for shorter validity periods for SSL certificates is the right move. It’s just that CAs would have to improve their enterprise-level tools to make renewal and re-issuance easy, and they would have to prepare their customers for such big, sometimes drastic, changes.
