CA/Browser Forum wants to reduce the lifespan of SSL certificates to 13 months


The CA/Browser Forum wants to shorten the maximum lifespan of SSL certificates to just over a year. The alliance of browser makers and certificate authorities is positive about a proposal to reduce the lifespan from 27 to 13 months.

The Forum will discuss the matter shortly. The proposal comes from Ryan Sleevi, a developer at Google who has long advocated shortening the certificate lifetime. At a meeting of the Forum, he proposed that the changes be implemented as of 1 March 2020. An SSL certificate would then no longer be valid for up to 825 days, as it is now, but for a maximum of 397 days. There is currently no vote on the subject. However, most browser makers seem to be positive about the new plans.

According to the Forum, a certificate that has to be renewed more often would be safer. Criminals with phishing websites, for example, would have more difficulty keeping them up and running for longer. It is not the first time that there has been a drastic shortening of the lifespan of SSL certificates. In 2017, the CA/Browser Forum already wanted to reduce it from 39 months to 13 months, but that proposal turned out to be a bit too radical. Ultimately, it was decided to have a lifespan of 27 months. Now it goes back to 13. The fact that the free certificates of Let’s Encrypt already expire after ninety days by default and that more and more companies are switching to that model is also a factor in the discussion.

Not everyone agrees with the proposed changes. The certificate industry in particular does not like the plan. For example, the company DigiCert states that shortening the certificate duration entails higher costs for companies. In that case, they have to renew their certificates much more often, and that takes a lot of time. The extra security that a shorter certificate duration provides would not justify that time and cost, the company says. According to DigiCert, criminal websites usually do not exist long enough for the change to be relevant.
