A decision taken by Apple in February 2020 has reverberated through the browser world. The Certificate Authority industry has been pushed into reluctantly embracing a new mandatory 398-day life cycle for SSL/TLS certificates.
Browsers and apps from Apple, Google, and Mozilla will display errors for new TLS certificates with a lifetime of more than 398 days beginning September 1, 2020.
The CA/B forum and the TLS lifespan
The move matters not only because it changes how TLS certificates work, but also because it breaks with long-standing industry practice and with the way browsers and CAs have cooperated.
Known as the CA/B Forum, this is a voluntary body made up of Certificate Authorities (CAs), the companies that issue the TLS certificates protecting HTTPS traffic, and browser developers. Since 2005, this group has set the rules for how TLS certificates are issued and how browsers handle and validate them.
Browsers and CAs usually debate upcoming rules until they find common ground, then adopt rules that all members enforce. Throughout the forum's 15-year history, however, one subject has ruffled feathers every time it came up: the lifetime of TLS certificates.
TLS certificate lifespans started at eight years, and browser makers have chipped away at them over the years, bringing them down to five, then three, then two.
TLS Certificates shortened again
The latest reform took effect in March 2018, when browser developers attempted to shorten the lifetime of SSL certificates from three years to one but settled on two years after aggressive pushback from CAs.
However, barely a year after the lifetime was cut from three years to two, browser makers tried to change it again, to the dismay of CAs, who by then thought they had reached a consensus and put the matter to bed.
As ZDNet noted last summer, browser vendors once again tried to shorten the lifetime of TLS certificates, from two years to one. In September 2019, the vote on that proposal, called by Google, failed: while the plan had 100% support from browser developers, only 35% of CAs voted to accept a one-year TLS certificate lifetime.
Browser vendors overrule the CA/B Forum
However, in February Apple broke with the CA/B Forum's standard operating procedure, ZDNet reported. Instead of calling for a vote, Apple simply announced its decision to enforce 398-day lifespans in its apps, regardless of what the CAs in the CA/B Forum thought of the matter.
Mozilla announced the same two weeks later, and Google followed with a similar statement earlier this month.
What took place this year is, in no uncertain terms, a demonstration that browser makers are running the CA/B Forum, that they keep full control over the HTTPS ecosystem, and that CAs are mere participants with no real influence.
HashedOut, a CA-friendly news site dedicated to the CA industry, also predicted what happened this year. "If the CAs vote this measure down [the September 2019 ballot], there's a chance the browsers could act unilaterally and just force the change anyway," the site wrote in August 2019, a month before the vote.
"That's not without precedent, but it's also never happened on an issue that is traditionally as collegial as this," it added. "If it does, it becomes fair to ask what the point of the CA/B Forum even is. Because at that point, the browsers would basically be ruling by decree, and the entire exercise would just be a farce."
What does this mean after September 1, 2020?
For certificate authorities: If they want their TLS certificates accepted by Apple, Google, and Mozilla browsers, those certificates must not have a lifetime of more than 398 days. Otherwise, the browser will show an error and the connection will be dropped.
For website owners: They will have to renew TLS certificates every year instead of every two years.
For end users: You may see more HTTPS errors in your browser.
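The practical check a site operator wants before September 1, 2020 is whether each certificate they serve will still be accepted. The following Python script is an added example, not code from the original article or from any browser vendor: it applies the rule described above (certificates issued on or after September 1, 2020 must not be valid for more than 398 days; older certificates keep their existing lifetime) to the date strings that Python's `ssl.SSLSocket.getpeercert()` returns and that `openssl x509 -noout -dates` prints. The hostnames and validity dates in `SAMPLE_CERTS` are constructed for the example, and the constant `ENFORCEMENT_START` and the function names are this example's own choices.

```python
"""Audit TLS certificate lifetimes against the browsers' 398-day limit.

Apple, Google and Mozilla reject *new* certificates (notBefore on or after
1 September 2020) whose validity exceeds 398 days; certificates issued before
that date keep their old, up-to-two-year lifetime.  Dates use the
'Mmm DD HH:MM:SS YYYY GMT' format that ssl.getpeercert() returns and that
`openssl x509 -noout -dates` prints.
"""
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398
SECONDS_PER_DAY = 86400
# Assumption for this example: certificates issued from this instant on fall
# under the new limit (the vendors' announced enforcement date, 00:00 UTC).
ENFORCEMENT_START = datetime(2020, 9, 1, tzinfo=timezone.utc).timestamp()

# Constructed sample certificates: hostnames and dates are made up for this
# example. The "subject" key holds a plain hostname for readability; a real
# getpeercert() dict nests the subject as tuples.
SAMPLE_CERTS = [
    {"subject": "legacy-two-year.example",   # issued before the cutoff: still accepted
     "notBefore": "Mar  1 00:00:00 2020 GMT", "notAfter": "Mar  1 23:59:59 2022 GMT"},
    {"subject": "fresh-two-year.example",    # two-year cert issued after the cutoff: rejected
     "notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Sep  2 23:59:59 2022 GMT"},
    {"subject": "one-year.example",          # the 397-day profile CAs now issue: accepted
     "notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Oct  4 23:59:59 2021 GMT"},
    {"subject": "boundary.example",          # one second past 398 days: rejected
     "notBefore": "Sep  2 00:00:00 2020 GMT", "notAfter": "Oct  5 00:00:01 2021 GMT"},
]


def lifetime_days(not_before: str, not_after: str) -> float:
    """Validity period in days, measured as notAfter minus notBefore.

    The Baseline Requirements count the period inclusively (RFC 5280
    notBefore through notAfter), so a strict replica would add one second.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if end < start:
        raise ValueError(f"notAfter {not_after!r} precedes notBefore {not_before!r}")
    return (end - start) / SECONDS_PER_DAY


def check_certificate(cert: dict) -> dict:
    """Classify one certificate the way the September 2020 browser policy does."""
    days = lifetime_days(cert["notBefore"], cert["notAfter"])
    subject_to_limit = ssl.cert_time_to_seconds(cert["notBefore"]) >= ENFORCEMENT_START
    return {
        "subject": cert["subject"],
        "lifetime_days": days,
        "subject_to_limit": subject_to_limit,
        "rejected": subject_to_limit and days > MAX_LIFETIME_DAYS,
    }


def audit(certs=SAMPLE_CERTS) -> list:
    """Run the check over a list of getpeercert()-style dicts."""
    return [check_certificate(c) for c in certs]


if __name__ == "__main__":
    for r in audit():
        verdict = "REJECTED" if r["rejected"] else "ok"
        print(f"{r['subject']:<28} {r['lifetime_days']:8.2f} days  {verdict}")
```

Feeding the script the dict returned by `getpeercert()` for a live connection (or the `notBefore=`/`notAfter=` lines from `openssl`) shows why CAs converged on 397-day certificates rather than exactly 398: the `boundary.example` entry is rejected by a single second, and the legacy two-year entry passes only because it was issued before the cutoff.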