[dextercd]

CAs and certificate consumers (browsers) voted in favour of this change. They didn't do this because they're incompetent but because they think it'll improve security.

It's really not that hard to automate renewals and monitor a system's certificate status from a different system, just in case the automation breaks and for things that require manual renewal steps.

I get that it's harder in large organisations and that not everything can be automated yet, but you still have a year before the certificate lifetime goes down to 200 days, which IMO is pretty conservative.

With a known timeline like this, customers/employees have ammunition to push their vendors/employers to invest into automation and monitoring.

[ocdtrekkie]

It's actually far worse for smaller sites and organizations than large ones. Entire pricey platforms exist around managing certificates and renewals, and large companies can afford those or develop their own automated solutions.

None of the platforms which I deal with will likely magically support automated renewal in the next year. I will likely spend most of the next year reducing our exposure to PKI.

Smaller organizations dependent on off the shelf software will be killed by this. They'll probably be forced to move things to the waiting arms of the Big Tech cloud providers that voted for this. (Shocker.) And it probably won't help stop the bleeding.

And again, there's no real world security benefit. Nobody in the CA/B has ever discussed real world examples of threats this solves. Just increasingly niche theoretical ones. In a zero cost situation, improving theoretical security is good, but in a situation like this where the cost is real fragility to the Internet ecosystem, decisions like this need to be justified.

Unfortunately the CA/B is essentially unchecked power, no individual corporate member is going to fire their representatives for this, much less is there a way to remove everyone that made this incredibly harmful decision.

This is a group of people who have hammers and think everything is a nail, and unfortunately, that includes a lot of ceramic and glass.

[dextercd]

I think most orgs can get away with free ACME clients and free/cheap monitoring options.

This will be painful for people in the short term, but in the long term I believe it will make things more automated, more secure, and less fragile.

Browsers are the ones pushing for this change. They wouldn't do it if they thought it would cause people to see more expired certificate warnings.

> Unfortunately the CA/B is essentially unchecked power, no individual corporate member is going to fire their representatives for this, much less is there a way to remove everyone that made this incredibly harmful decision.

Representatives are not voting against the wishes/instructions of their employer.

[ocdtrekkie]

I mean to give you an example of how far we are from this: IIS does not have built-in ACME support, and in the enterprise world it is basically "most web servers". Sure, you can add some third party thing off the Internet to do it, but... how many banks will trust that?

Unfortunately the problem is likely too removed from understanding for employers to care. Google and Microsoft do not realize how damaging the CA/B is, and probably take the word of their CA/B representatives that the choices that they are making are necessary and good.

I doubt Satya Nadella even knows what the CA/B is, much less that he pays an employee full-time to directly #### over his entire customer base and that this employee has nearly god-level control over the Internet. I have yet to see an announcement from the CA/B that represented a competent decision that reflected the reality of the security industry and business needs, and yet... nobody can get in trouble for it!

[dextercd]

Let's Encrypt lists 10 ACME clients for Windows / IIS.

If an organisation ignores all those options, then I suppose they should keep doing it manually. But at the end of the day, that is a choice.

Maybe they'll reconsider now that the lifetime is going down or implement their own client if they're that scared of third party code.

Yeah, this will inconvenience some of the CA/B participant's customers. They knew that. It'll also make them and everyone else more secure. And that's what won out.

The idea that this change got voted in due to incompetence, malice, or lack of oversight from the companies represented on the CA/B forum is ridiculous to me.

[ocdtrekkie]

> Let's Encrypt lists 10 ACME clients for Windows / IIS.

How many of those are first-party/vetted by Microsoft? I'm not sure you understand how enterprises or secure environments work, we can't just download whatever app someone found on the Internet that solves the issue.

[dextercd]

No idea how many are first-party or vetted by Microsoft. Probably none of them. But I really, really doubt you can only run software that ticks one of those two boxes.

Certify The Web has a 'Microsoft Partner' badge. If that's something your org values, then they seem worth looking into for IIS.

I can find documentation online from Microsoft where they use YARP w/ LettuceEncrypt, Caddy, and cert-manager. Clearly Microsoft is not afraid to tell customers about how to use third party solutions.

Yes, these are not fully endorsed by Microsoft, so it's much harder to get approval for. If an organisation really makes it impossible, then they deserve the consequences of that. They're going to have problems with 397 day certificates as well. That shouldn't hold the rest of the industry back. We'd still be on 5 year certs by that logic.

[JackSlateur]

I hope you understand how funny this is

The ballot is nothing but expected

The whole industry has been moving in this direction for the last decade

So there is nothing much to say

Except that if you waited the last moment, well you will have to be in a hurry. (non)Actions have consequences :)

I'm glad by this decision because that'll hammer a bit down those resisting, those who but a human do perform yearly renewal. Let's how stupid it can get.

[xyzzy123]

Can you point to a specific security problem this change is actually solving? For example, can we attribute any major security compromises in the last 5 years to TLS certificate lifetime?

Are the security benefits really worth making anything with a valid TLS certificate stop working if it is air-gapped or offline for 48 days?

> CAs and certificate consumers (browsers) voted in favour of this change. They didn't do this because they're incompetent but because they think it'll improve security.

They're not incompetent and they're not "evil", and this change does improve some things. But the companies behind the top level CA ecosystem have their own interests which might not always align with those of end users.

[dextercd]

If a CA or subscriber improves their security but had an undetected incident in the past, a hacker today has a 397 day cert and can reuse the domain control validation in the next 397 days, meaning they can MITM traffic for effectively 794 days.

CAs have now implemented MPIC. This may have thwarted some attacks, but those attackers still have valid certificates today and can request a new certificate without any domain control validation being performed in over a year.

BGP hijackings have been uncovered in the last 5 years and MPIC does make this more difficult. https://en.wikipedia.org/wiki/BGP_hijacking

New security standards should come into effect much faster. For fixes against attacks we know about today and new ones that are discovered and mitigated in the future.

[xyzzy123]

People who care deeply about this can use 30 day certs right now if they want to.

[dextercd]

Sure, but it's even better if everyone else does too, including attackers that mislead CAs into misissuing a cert.

CAs used to be able to use WHOIS for DCV. The fact that this option was taken away from everyone is good. It's the same with this change, and you have plenty of time to prepare for it.

[xyzzy123]

> including attackers that mislead CAs into misissuing a cert.

I thought we had CT for this.

> CAs used to be able to use WHOIS for DCV. The fact that this option was taken away from everyone is good.

Fair.

> It's the same with this change, and you have plenty of time to prepare for it.

Not so sure on this one, I think it's basically a result of a security "purity spiral". Yes, it will achieve better certificate hygiene, but it will also create a lot of security busywork that could be better spent in other parts of the ecosystem that have much worse problems. The decision to make something opt-in mandatory forcibly allocates other people's labour.

[dextercd]

CT definitely helps, but not everyone monitors it. This is an area where I still need to improve. But even if you detect a misissued cert, it can not reliably be revoked with OCSP/CRL.

--

The maximum cert lifetime will gradually go down. The CA/B forum could adjust the timeline if big challenges are uncovered.

I doubt they expect this to be necessary. I suspect that companies will discover that automation is already possible for their systems and that new solutions will be developed for most remaining gaps, in part because of this announced timeline.

This will save people time in the long run. It is forced upon you, and that's frustrating, but you do have nearly a year before the first change. It's not going down to 47 days in one go.

I'm not saying that no one will renew certificates manually every month. I do think it'll be rare, and even more rare for there to be a technical reason for it.

[sidewndr46]

According to the article:

"The goal is to minimize risks from outdated certificate data, deprecated cryptographic algorithms, and prolonged exposure to compromised credentials. It also encourages companies and developers to utilize automation to renew and rotate TLS certificates, making it less likely that sites will be running on expired certificates."

I'm not even sure what "outdated certificate data" could be. The browser by default won't negotiate a connection with an expired certificate

[xyzzy123]

> I'm not even sure what "outdated certificate data" could be...

Agree.

> According to the article:

Thanks, I did read that, it's not quite what I meant though. Suppose a security engineer at your company proposes that users should change their passwords every 49 days to "minimise prolonged exposure from compromised credentials" and encourage the uptake of password managers and passkeys.

How to respond to that? It seems a noble endeavour. To prioritise, you would want to know (at least):

a) What are the benefits - not mom & apple pie and the virtues of purity but as brass tacks - e.g: how many account compromises do you believe would be prevented by this change and what is the annual cost of those? How is that trending?

b) What are the cons? What's going to be the impact of this change on our customers? How will this affect our support costs? User retention?

I think I would have a harder time trying to justify the cert lifetime proposal than the "ridiculously frequent password changes" proposal. Sure, it's more hygenic but I can't easily point to any major compromises in the past 5 years that would have been prevented by shorter certificate lifetimes. Whereas I could at least handwave in the direction of users who got "password stuffed" to justify ridiculously frequent password changes.

The analogy breaks down in a bad way when it comes to evaluating the cons. The groups proposing to decrease cert lifetimes bear nearly none of the costs of the proposal, for them it is externalised. They also have little to no interest in use cases that don't involve "big cloud" because those don't make them any money.

[dextercd]

"outdated certificate data" would be domains you no longer control. (Example would be a customer no longer points a DNS record at some service provider or domains that have changed ownership).

In the case of OV/EV certificates, it could also include the organisation's legal name, country/locality, registration number, etc.

Forcing people to change passwords increases the likelihood that they pick simpler, algorithmic password so they can remember them more easily, reducing security. That's not an issue with certificates/private keys.

Shorter lifetimes on certs is a net benefit. 47 days seems like a reasonable balance between not having bad certs stick around for too long and having enough time to fix issues when you detect that automatic renewal fails.

The fact that it encourages people to prioritise implementing automated renewals is also a good thing, but I understand that it's frustrating for those with bad software/hardware vendors.

[hackcoughgasp]

>>"outdated certificate data" would be domains you no longer control.

Or certificates which were revoked

[bsder]

> They didn't do this because they're incompetent but because they think it'll improve security.

No, they did it because it reduces their legal exposure. Nothing more, nothing less.

The goal is to reduce the rotation time low enough that the certificates will rotate before legal procedures to stop them from rotating them can kick in.

This does very little to improve security.

[dextercd]

Apple introduced this proposal. Why would they care about a CA's legal exposure?

Lower the lifetime of certs does mean that orgs will be better prepared to replace bad certs when they occur. That's a good thing.

More organisations will now take the time to configure ACME clients instead of trying to convince CA's that they're too special to have their certs revoked, or even start embarrassing court cases, which has only happened once as far as I know.

Theories that involve CAs, Google, Microsoft, Apple, and Mozilla having ulterior motives and not considering potential downsides of this change are silly.

[nickf]

That isn’t at all true.