Mozilla to Cut TLS Certificate Lifespan Nearly in Half

As the major browser makers and certificate authorities mull over a proposal to significantly reduce the lifespan of TLS certificates, Mozilla is planning to implement the change in the coming months, regardless of the outcome of a vote on the issue by a key industry group.


The CA/Browser Forum, which sets policies for certificate authorities and browser makers, has been considering the change for some time and the proposal has significant support among the browser vendors. In September 2019 the group voted on an earlier version of the proposal, which failed, although all of the certificate consumers voted in favor of it, including Apple, Cisco, Microsoft, Google, and Mozilla. An updated version of the proposal that would reduce the lifespan of TLS certificates to a maximum of 398 days is active now.


Currently, the policy allows for a maximum lifespan of 825 days, or about 27 months. A lot can change in that amount of time, and that’s one of the main reasons that Mozilla and other companies are supporting the change. TLS certificates serve several purposes, including enabling encrypted sessions between clients and the site and proving that the site is what it says it is.
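As an added example (not from the article or from Mozilla), the following Python code classifies a certificate inventory against the 825-day and 398-day limits and reports how long each certificate remains unexpired. The inventory is constructed, and the names `audit`, `audit_all` and `SAMPLE_CERTS` are illustrative; the date strings use the format returned by `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timedelta, timezone

CURRENT_MAX = timedelta(days=825)   # maximum lifespan under the current policy
PROPOSED_MAX = timedelta(days=398)  # maximum under the updated proposal

# Constructed inventory (not real certificates); the notBefore/notAfter strings
# use the format returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERTS = [
    {"host": "shop.example", "notBefore": "Jan 15 00:00:00 2020 GMT",
     "notAfter": "Apr 19 00:00:00 2022 GMT"},
    {"host": "api.example", "notBefore": "Mar 01 00:00:00 2020 GMT",
     "notAfter": "Apr 03 00:00:00 2021 GMT"},
    {"host": "old.example", "notBefore": "Feb 10 00:00:00 2020 GMT",
     "notAfter": "May 10 00:00:00 2020 GMT"},
]

def _parse(cert_time):
    """Convert a certificate time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def audit(cert, as_of):
    """Classify one certificate's lifespan and report how long it stays usable."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError(f"{cert['host']}: notAfter is not later than notBefore")
    lifespan = not_after - not_before
    if lifespan <= PROPOSED_MAX:
        status = "within 398 days"
    elif lifespan <= CURRENT_MAX:
        status = "over 398 days"
    else:
        status = "over 825 days"
    # Time left during which whoever holds the private key can still present
    # this certificate; zero once it has expired.
    remaining = max(not_after - as_of, timedelta(0))
    return {"host": cert["host"], "lifespan_days": lifespan / timedelta(days=1),
            "status": status, "days_until_expiry": remaining / timedelta(days=1)}

def audit_all(certs, as_of):
    """Audit every certificate in the inventory as of the given date."""
    return [audit(c, as_of) for c in certs]

if __name__ == "__main__":
    for row in audit_all(SAMPLE_CERTS, datetime(2020, 6, 1, tzinfo=timezone.utc)):
        print(row)
```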


“TLS certificates provide authentication, meaning that you can be sure that you are sending information to the correct server and not to an imposter trying to steal your information. If the owner of the domain changes or the cloud service provider changes, the holder of the TLS certificate’s private key (e.g. the previous owner of the domain or the previous cloud service provider) can impersonate the website until that TLS certificate expires,” Ben Wilson, technical program manager ..
