In recent years, the relationship between Certificate Authorities (CAs), browsers, and end-users has become increasingly strained. The latest controversy stems from Apple's proposal to reduce the lifespan of SSL/TLS certificates to just 45 days by 2027, citing security concerns. While security is a valid priority, this proposal has sparked significant backlash from industry professionals, who argue that such a drastic change is unnecessary, impractical, and introduces more problems than it solves.
The Case Against Shorter Certificate Lifespans
Apple argues that shortening certificate lifespans improves security by ensuring that certificates remain accurate and reliable over time, reducing risks from outdated or incorrect data, misissued certificates, and inadequate revocation mechanisms, while also enabling faster responses to cryptographic vulnerabilities and encouraging automation in certificate management. However, these arguments fail to hold up under scrutiny for several reasons:
No Evidence of Long-Lifespan Issues. The current maximum lifespan for SSL/TLS certificates is 13 months (398 days). Despite this, there have been no significant incidents directly tied to the length of certificate validity. In fact, most security issues arise from other factors, such as misconfigured servers or phishing attacks, not from certificates being valid for too long.
Certificate Revocation Exists for a Reason. Apple's argument ignores the fact that certificate revocation mechanisms already exist to address situations where a certificate becomes invalid before its expiration date. For example, when a domain changes ownership, the new owner can ask the CA to revoke any previously issued certificates. This process works well in practice, and if there are inefficiencies in revocation checks, the solution should be to improve these mechanisms, not to shorten certificate lifespans.
Revocation Mechanisms Can Be Improved. Apple has criticized the current state of certificate revocation checks, claiming they are inadequate. However, instead of forcing users to renew certificates every 45 days, browsers and CAs should collaborate to make revocation checks more efficient and reliable. Technologies like CRLSets and OCSP stapling already exist, and further innovation in this area could address Apple's concerns without introducing unnecessary burdens on users.
Practical Challenges of Shorter Lifespans
While Apple and other proponents of shorter certificate lifespans argue that it will improve security, they fail to consider the significant challenges this change would introduce:
Many embedded systems rely on SSL/TLS certificates. Automating the renewal process for these systems is often difficult or impossible due to their isolated nature and limited connectivity. A 45-day lifespan would create unnecessary complications for these critical systems.
Shorter certificate lifespans would force businesses to develop new workflows to automate certificate renewals. For many companies, especially small businesses or those with limited IT resources, this is a significant challenge. Even today, many websites still don't support HTTP/2, let alone have the infrastructure to handle frequent certificate renewals. Not every organization is like Cloudflare, which can easily adopt the latest standards.
Shortening certificate lifespans would lead to a massive increase in certificate issuance requests, putting additional strain on CA infrastructure. ACME servers, which automate certificate issuance for services like ZeroSSL, already experience occasional downtime due to high demand. A 45-day lifespan would exacerbate this issue, potentially leading to more frequent outages and delays.
Apple has positioned itself as an environmentally conscious company, but this proposal contradicts that stance. Shorter certificate lifespans would result in more frequent certificate requests, increasing energy consumption and contributing to a larger carbon footprint. This is a step backward for sustainability.
The Broader Problem: Browser Dominance
This proposal highlights a broader issue: the growing dominance of browsers in dictating internet standards. In recent years, browsers have unilaterally introduced changes without consulting the wider community. For example, Mozilla and other browsers recently reduced the maximum lifespan of root certificates to 15 years, bypassing the traditional CA/Browser Forum voting process. While these changes are often justified in the name of security, they can have unintended consequences.
Browsers' ability to impose new requirements without industry consensus raises concerns about accountability. Certification authorities, which are supposed to play a central role in maintaining trust on the internet, are increasingly sidelined. This imbalance of power allows browsers to introduce restrictions that may not always align with the needs of users or the broader internet ecosystem.
A Call for Collaboration
Instead of imposing arbitrary restrictions, browsers and CAs should work together to address security concerns in a way that balances practicality and user needs. Improving certificate revocation mechanisms, enhancing automation tools, and fostering collaboration through the CA/Browser Forum are all more constructive approaches than simply shortening certificate lifespans.
Security is important, but it should not come at the expense of usability, reliability, or sustainability. While Apple's proposal may be well-intentioned, it is ultimately misguided. Shorter certificate lifespans introduce more problems than they solve, and the industry should focus on improving existing certificate status check mechanisms rather than creating unnecessary burdens for users. It's time for browsers, CAs, and the wider community to come together and find solutions that work for everyone.