A decision unilaterally made by Apple in February 2020 caused repercussions in the browser field and effectively forced the certification authority industry to accept the new default lifespan of TLS certificates of 398 days. Following Apple’s initial announcement, Mozilla and Google also expressed similar intentions to implement the same rules in their browsers.
Starting September 1, 2020, Apple, Google, and Mozilla browsers and devices will display errors for new TLS certificates that are valid for more than 398 days. This move is an important measure because it not only changes the way a core part of the Internet—TLS certificates work, but also because it breaks normal industry practices and cooperation between browsers and CA/B forums.
The CA/B Forum, which is an informal organization, consists of a certificate authority (CA), companies that issue TLS certificates to support HTTPS traffic, and browser manufacturers. Since 2005, this group has been developing rules for the issuance of TLS certificates and how browsers should manage and verify them. Browsers and CAs usually discuss the upcoming rules until they reach a consensus, and then they pass the rules and all members will execute them.
However, in its 15-year history, there is a topic that will attract people’s attention every time it is mentioned, that is, the lifespan of TLS certificates. The lifespan of TLS starts from 8 years. After years of development, browser manufacturers have cut it to the proper level, reducing it to 5 years, then 3 years, and then 2 years. The last change occurred in March 2018, when browser manufacturers tried to reduce the lifetime of SSL certificates from three years to one year, but compromised for two years under the active counterattack of CA.
But in almost one year, they reduced the lifespan of TLS from three years to two years, and browser manufacturers tried again, which disappointed CAs. At that time, they thought they had reached a compromise and resolved the matter. Too. As ZDNet reported last summer, browser vendors once again tried to reduce the lifespan of TLS certificates from two years to one year. In September 2019, the vote for this proposal called by Google failed. Although the proposal received 100% support from browser vendors, only 35% of CAs voted to approve a one-year TLS certificate lifetime.
But in February, Apple broke the standard operating procedures of the CA/B Forum. Apple did not ask for a vote, but simply announced its decision to implement a 398-day lifespan on its devices, regardless of the views of the CA/B forum CAs on this issue. Two weeks later, Mozilla also announced the same news. Earlier this month, Google followed up and announced similar news. What happened this year, to put it simply, is to show that browser vendors control the CA/B forum and they have full control of the HTTPS ecosystem, while CA is only a participant and has no real power.