Apple's 47-day SSL Certificate Proposal Moves to CABF Vote

By Michael Thornton

March 12, 2025 at 01:49 PM

Apple has proposed a ballot to gradually reduce SSL certificate maximum validity periods to 47 days. Their detailed explanation outlines several key points:

Background

  • The changes only affect public SSL certificates used for web server authentication
  • Private PKIs and other certificate use cases are not impacted
  • Current requirements expect certificate replacement within 24 hours when needed

Approach

  • Implementation will occur in phases over 3 years:
    • Year 1: 6-month maximum validity
    • Year 2: 3-month maximum validity
    • Year 3: 47-day maximum validity
  • This gradual approach allows time to identify and address potential issues

Key Benefits

  1. Improved certificate reliability as data remains more current
  2. Reduced risks from domain ownership changes and incorrect information
  3. Better mitigation of certificate misissuance impacts
  4. Less reliance on imperfect revocation mechanisms
  5. Enhanced cryptographic agility for algorithm changes
  6. Increased adoption of automated certificate management

The proposal emphasizes that automation will be essential, as manual certificate management becomes impractical with shorter validity periods. While automation isn't the primary goal, Apple views increased automation adoption as a beneficial outcome that will improve the overall security and stability of the WebPKI ecosystem.
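
As an added example (not from Apple's ballot or this article), the following sketch audits a certificate inventory against the phased caps above and estimates the renewal rate each cap implies. The day counts used for the 6-month and 3-month caps, the renew-at-two-thirds-of-lifetime policy, and the inventory entries are assumptions constructed for illustration.

```python
import math
import ssl

# Phased caps from the schedule above, loosest first. The article gives
# months for the first two phases; 183 and 92 days are assumed conversions.
PHASE_CAPS_DAYS = [("Year 1", 183), ("Year 2", 92), ("Year 3", 47)]

# Constructed inventory. Dates use the notBefore/notAfter string format
# returned by ssl.SSLSocket.getpeercert().
INVENTORY = [
    {"host": "www.example.test",
     "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Feb  1 00:00:00 2026 GMT"},
    {"host": "api.example.test",
     "notBefore": "Mar  1 00:00:00 2025 GMT", "notAfter": "May 30 00:00:00 2025 GMT"},
    {"host": "cdn.example.test",
     "notBefore": "Mar  1 00:00:00 2025 GMT", "notAfter": "Apr 15 00:00:00 2025 GMT"},
]


def validity_days(cert):
    """Length of the certificate's validity period in whole days."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - start) / 86400)


def first_blocked_phase(cert):
    """Earliest phase whose cap this issuance profile exceeds, or None."""
    days = validity_days(cert)
    return next((name for name, cap in PHASE_CAPS_DAYS if days > cap), None)


def renewals_per_year(cap_days, renew_at=2 / 3):
    """Issuances per year per certificate if renewal happens at renew_at
    of the lifetime (an assumed policy, not part of the proposal)."""
    return math.ceil(365 / (cap_days * renew_at))


if __name__ == "__main__":
    for cert in INVENTORY:
        phase = first_blocked_phase(cert) or "compliant with all phases"
        print(f"{cert['host']}: {validity_days(cert)} days -> {phase}")
    for name, cap in PHASE_CAPS_DAYS:
        print(f"{name} ({cap}-day cap): ~{renewals_per_year(cap)} renewals/year")
```

Under these assumptions a single certificate goes from about 3 issuances a year in the first phase to about 12 in the last, which is the scale at which manual handling stops being workable.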

This marks a significant shift from historical practices of multi-year certificates and manual management, reflecting the evolving needs of internet security.
