Google is planning to make some changes to the lifetime of SSL certificates. Under its proposal, certificates would be valid for only one year rather than two.
Google employee Ryan Sleevi presented the idea at a CA/B Forum F2F meeting held in June this year. For those who don’t know, the CA/B Forum is a platform made up of browser and operating system vendors and certificate authorities. It is an unofficial group that is responsible for establishing the industry guidelines that govern digital certificates.
Browser Vendors Voted In Favour Of The Decision
According to the proposal, all new SSL certificates would be valid for around one year and one month (397 days). Notably, all the existing certificates have a lifespan of more than two years (825 days). The proposal was supported by a majority of browser makers.
However, the certificate authorities are against the decision. It is not the first time that such an idea has come under discussion. SSL certificates were originally valid for around eight years. Increasing security threats forced the authorities to cut that to three and then two years, after major resistance.
The CA/B Forum rejected a similar proposal that was presented back in 2017. The idea was to reduce the life span to one year. The certificate authorities are of the opinion that it is unfair to change the lifetime of SSL certificates once again.
The Reduced Lifetime Offers Security Benefits
Although the CAs are against the idea, it brings tons of security benefits along with it. Needless to say, compliance rules change every month. The change would make it easier for companies to transition to the new rules.
There are many companies that protect their systems with the help of digital certificates. We cannot deny the fact that the change would also result in additional costs for thousands of such companies. Most importantly, no major security enhancements are in the pipeline as a result of the reduced lifespan.
They still need to deal with all the malicious actors who are regularly planning phishing attacks. It is becoming harder and harder for them to protect their customers without any visible advantages. This war between browser vendors and certificate authorities isn’t something new. Only time will tell whether Google succeeds in its efforts.