Apple is planning to more than halve how long its Safari browser will trust TLS certificates, cutting the time to just 13 months and putting fresh pressure on organisations to get their certificate management practices in shape.
As of September 1, 2020, Apple is setting a hard trust limit of 398 days (the current acceptable duration is 825 days). Certificates issued on or after that date with a term beyond 398 days will be distrusted in Apple products.
In theory, shorter maximum validity periods for such certificates boost website security through more regular generation of new keys. The impact is likely to be considerable for end-users, given that Safari has an estimated browser market share of 17+ percent, second only to Google Chrome.
The company has not publicly confirmed the decision, announced unilaterally at the Certificate Authority/Browser Forum this week, but the move has been confirmed by CAs who have taken the opportunity to press businesses to move away from manual certificate management processes.
The move is the latest in a long-running clash between Certificate Authorities (CAs) and browser vendors, with the latter favouring shorter periods and CAs saying customers fear business disruption as a result. Many observers expect Google to take a similar step with Chrome in the near future.
Apple’s move comes after a 2019 CA/Browser Forum ballot sought to make one-year lifespans the norm. The bid failed, with 20 opposed to the motion, 18 in favor and two abstentions. CAs said aggregate results from surveys of 4,000 customers, run by three CAs, showed website owners opposed the change by 83 percent.
Arvid Vermote, CISO, GlobalSign, told Computer Business Review: “This decision comes on the heels of a lively debate among the browsers, CAs, and SSL users on where the operational vs. security spectrum maximum validity dates should follow. GlobalSign applauds the lean towards increased security given recent experiences that demonstrate the need for an agile response to any compromise to the CA ecosystem.
The company’s “products, APIs and related tools” are ready to adapt to the new requirement, in both compliance and operational overhead, he added.
“Welcome to the new age of certificate agility!”
Tim Callan, a Senior Fellow at Sectigo added: “TLS certificate automation is greatly aided by the emergence of the ACME protocol (Automated Certificate Management Environment), which can fully automate key generation, domain control validation, certificate creation, and installation on the server.
He added: “The protocol is supported by more than 130 open source tools that work with the most popular operating systems, including Apache, IIS, NGINX, F5 BIG-IP, and Citrix NetScaler. For small business certificate users, new SSL subscription services make it possible to automate the delivery of one-year certificates over the course of up to five years, without having to go through a new certificate request process every time.”
“These innovations greatly reduce the burden on businesses of moving strictly to single-year certificates.”
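A practical first step before automating anything is to find out which certificates in an estate would fall foul of the new limit. The script below is an added example, not code from the article, Apple, or any of the CAs quoted: it parses the two lines produced by `openssl x509 -noout -dates`, applies the two thresholds the article gives (825 days for certificates issued before September 1, 2020, 398 days from that date on), and reports whether each certificate would still be trusted. It assumes the certificate's notBefore value is its issuance date and that the limit is inclusive (a term of exactly 398 days is allowed); both are assumptions, and the sample date lines are constructed.

```python
from datetime import datetime, timezone

# Thresholds as stated in the article. Treating notBefore as the issuance
# date is an assumption made for this example.
CUTOVER = datetime(2020, 9, 1, tzinfo=timezone.utc)
OLD_MAX_DAYS = 825   # acceptable before the cutover
NEW_MAX_DAYS = 398   # hard limit for certificates issued on/after the cutover


def parse_openssl_date(line):
    """Parse one line of `openssl x509 -noout -dates` output, e.g.
    'notBefore=Feb 20 12:00:00 2020 GMT', into an aware UTC datetime.
    openssl pads single-digit days with a space; strptime tolerates that."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def max_allowed_days(not_before):
    """Return the longest term allowed for a certificate issued at not_before."""
    return NEW_MAX_DAYS if not_before >= CUTOVER else OLD_MAX_DAYS


def check_certificate(dates_output):
    """Evaluate the notBefore/notAfter pair from openssl's -dates output.

    Returns a dict with the certificate term in days, the applicable limit,
    and whether the term fits within it."""
    fields = {}
    for line in dates_output.strip().splitlines():
        key, _, _ = line.partition("=")
        fields[key.strip()] = parse_openssl_date(line)
    not_before, not_after = fields["notBefore"], fields["notAfter"]
    days = (not_after - not_before).days
    limit = max_allowed_days(not_before)
    return {
        "not_before": not_before,
        "not_after": not_after,
        "days": days,
        "limit": limit,
        "trusted": days <= limit,
    }


def report(samples):
    """Print a one-line verdict per certificate; returns the number that fail."""
    failures = 0
    for name, dates_output in samples.items():
        result = check_certificate(dates_output)
        verdict = "OK" if result["trusted"] else "DISTRUSTED"
        print(f"{name}: {result['days']} days (limit {result['limit']}) -> {verdict}")
        failures += not result["trusted"]
    return failures


# Constructed sample certificates (not real hosts or real certificates).
SAMPLES = {
    # Issued before the cutover: a two-year term stays under 825 days.
    "legacy-2yr": "notBefore=Feb 20 12:00:00 2020 GMT\nnotAfter=Feb 20 12:00:00 2022 GMT",
    # Issued on the cutover day with a two-year term: exceeds 398 days.
    "new-2yr": "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Sep  1 00:00:00 2022 GMT",
    # Issued after the cutover with a 397-day term: fits under the new limit.
    "new-13mo": "notBefore=Oct  1 08:30:00 2020 GMT\nnotAfter=Nov  2 08:30:00 2021 GMT",
}

if __name__ == "__main__":
    failing = report(SAMPLES)
    print(f"{failing} certificate(s) would be distrusted")
```

In practice you would feed `check_certificate` the output of `openssl x509 -in cert.pem -noout -dates` for every certificate you can enumerate (load balancers, web servers, internal services), and treat any `DISTRUSTED` result as a renewal to schedule before the old certificate expires rather than after a client starts rejecting it.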