Clint Wilson, the engineer overseeing Apple’s Root Certification Authority project, has proposed a change to the criteria in the CA/Browser Forum. He suggests reducing the validity period of TLS certificates from the current maximum of 397 days to just 45 days, effectively forcing a transition to automatic certificate renewal.
If this proposal is approved, the maximum certificate validity period will decrease in stages: to 200 days starting September 15, 2025, then to 100 days on September 15, 2026, ultimately stopping at 25 days on April 15, 2027.
This proposal not only adjusts the certificate validity period but also reduces the duration for confirming the certificate holder’s identity. The initial identity confirmation data will only be valid for one year, with subsequent confirmations decreasing incrementally until reaching just 10 days. However, this process may not impact general users significantly.
Numerous objections have been raised since the proposal was released. It received 61 thumbs up and 12 hearts but also garnered 79 thumbs down. Disagreements primarily revolve around the IT system challenges faced by organizations with a large number of devices that cannot be automatically updated with new certificates. Implementing these time adjustments could significantly complicate operations.
The SC-081 proposal will be presented at the CA/Browser Forum meeting; the latest round of voting, on SC-079, concluded on October 14. Each voting round typically lasts two weeks, so a vote on SC-081 may come this November.
Source: SC-081
TLDR: Clint Wilson proposes reducing certificate validity periods in the CA/Browser Forum, facing objections due to IT system challenges. The SC-081 project awaits a vote in November.