
Safari Will Stop Accepting HTTPS Certificates That Last Longer Than 13 Months - bookofjoe
https://www.macobserver.com/news/safari-https-certificates-13-months/
======
tialaramex
Google's Ryan Sleevi has also pushed for this previously. Back in 2017 when
the CAs were reluctant to go below 39 months (the rule prior to 825 days)
Sleevi's position was that if nothing less than 39 months could get agreed
Chrome would just clamp certificate lifetimes to 90 days.

It's interesting that this came from Apple though, and seemingly (from memory
and a brief review of the list archives) without much prior discussion. The
CA/B Forum is an inherently asymmetrical body, its rules recognise this, and
there is always the threat that the relationship it embodies could break down
or cease to be relevant.

~~~
deadmutex
Here is an article talking about Ryan Sleevi's efforts:
[https://www.zdnet.com/article/google-wants-to-reduce-lifespa...](https://www.zdnet.com/article/google-wants-to-reduce-lifespan-for-https-certificates-to-one-year/).

------
judge2020
non-blog:
[https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_...](https://www.theregister.co.uk/2020/02/20/apple_shorter_cert_lifetime/)

~~~
nailer
(more to the point, this is the actual source article)

------
arm64future
What is wrong with 3 year certificates? Genuine question.

~~~
RijilV
A certificate is a secret. The longer you have a secret the more likely it is
to be learned by others. Expiry is about risk mitigation, the shorter the
expiry the smaller the risk.

Here risk is exposure of the key or the certificate being compromised. If it
takes X time to break a certificate then an attacker will know your secret for
expiry - X. We’re being hopeful that 13 months is unattractive to attackers
given the current values of X even at the nation state level, and with
cryptography we always have to look into the future not what’s capable today.
There’s also a “herd immunity” thing going on if we all have shorter expiry as
there are no easier targets and the attacker has to become much more focused.

IMHO there are also benefits in rotating your cert more often. If you do it once
every three years it’s more likely the folks who did it last time aren’t with
your company or just plain forgot what they did. I think 13 months is still
too long, I’d prefer every quarter because it forces the investment in a
control system to facilitate rather than half-automated manual tasks. But
that’s not what this proposal from Apple is about.
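The lifetime check the thread is discussing, as an added example that is not part of the comment above and is not Apple's, Safari's or the CA/B Forum's code: a standard-library-only Python parser that walks the DER structure of an X.509 certificate, pulls out the notBefore/notAfter pair, and flags certificates whose validity period exceeds a maximum. It handles the general case (UTCTime and GeneralizedTime, optional version field) rather than only the three-year certificate asked about. Assumptions: the 398-day threshold is Apple's published figure behind the "13 months" headline and is not stated on this page, so it is a parameter (`MAX_LIFETIME_DAYS`); the sample certificates are constructed in the block with a dummy signature and placeholder names, so they exercise the parser but would not verify anywhere; all function names (`der_read_tlv`, `certificate_validity`, `violates_policy`, `build_toy_certificate`) are mine.

```python
"""Check an X.509 certificate's validity period against a maximum-lifetime
policy, using only the Python standard library (no `cryptography` dependency).

Added example for this thread; not code from Apple, the CA/B Forum or any
commenter. The 398-day figure is assumed to be Apple's published limit behind
the "13 months" headline; it is a parameter, not a value from the page.
"""
import datetime as dt

MAX_LIFETIME_DAYS = 398   # assumption: Apple's threshold for "13 months"

# --- minimal DER helpers -----------------------------------------------------

def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag, value):
    """Encode a DER TLV with short- or long-form length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_children(value):
    """Split the body of a constructed DER value into its child (tag, body) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, body, pos = der_read_tlv(value, pos)
        out.append((tag, body))
    return out

def parse_time(tag, body):
    """Decode X.509 Time: UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18)."""
    s = body.decode("ascii")
    if tag == 0x17:
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000     # RFC 5280 two-digit year rule
        s = f"{year}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag {tag:#x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def certificate_validity(cert_der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 Certificate."""
    _, cert_body, _ = der_read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, tbs, _ = der_read_tlv(cert_body, 0)             # tbsCertificate SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, ... -> validity is index 3
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity field is not a SEQUENCE")
    (nb_tag, nb), (na_tag, na) = der_children(validity)
    return parse_time(nb_tag, nb), parse_time(na_tag, na)

def lifetime_days(cert_der):
    """Whole days between notBefore and notAfter."""
    nb, na = certificate_validity(cert_der)
    return (na - nb).days

def violates_policy(cert_der, max_days=MAX_LIFETIME_DAYS):
    """True if the certificate's validity period is longer than the policy allows."""
    return lifetime_days(cert_der) > max_days

# --- constructed sample: real field layout, dummy signature and empty names ---

def build_toy_certificate(not_before, not_after):
    """Build a DER Certificate with the real field order but a placeholder key and
    signature, so the parser exercises the same path it would on a real cert."""
    def utctime(t):
        return der_encode(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))               # [0] INTEGER 2 (v3)
    serial = der_encode(0x02, b"\x01")
    alg_id = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    issuer = der_encode(0x30, b"")                                      # empty Name (placeholder)
    validity = der_encode(0x30, utctime(not_before) + utctime(not_after))
    subject = der_encode(0x30, b"")
    spki = der_encode(0x30, alg_id + der_encode(0x03, b"\x00"))         # placeholder key
    tbs = der_encode(0x30, version + serial + alg_id + issuer + validity + subject + spki)
    signature = der_encode(0x03, b"\x00" * 9)                           # dummy, not verifiable
    return der_encode(0x30, tbs + alg_id + signature)

# Constructed inputs: the three-year cert asked about in the thread and a one-year one.
START = dt.datetime(2020, 3, 1, tzinfo=dt.timezone.utc)
THREE_YEAR_CERT = build_toy_certificate(START, START + dt.timedelta(days=3 * 365))
ONE_YEAR_CERT = build_toy_certificate(START, START + dt.timedelta(days=365))

if __name__ == "__main__":
    for name, cert in [("three-year", THREE_YEAR_CERT), ("one-year", ONE_YEAR_CERT)]:
        print(f"{name}: {lifetime_days(cert)} days, exceeds policy: {violates_policy(cert)}")
```

To run it against a real certificate, feed `certificate_validity` the DER bytes (for a PEM file, strip the header and footer lines and base64-decode the body); the policy function is where a deployment would plug in its own threshold, since the thread's disagreement is precisely over what that number should be.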

~~~
codeplea
Couldn't one also argue that more frequent renewal exposes a larger attack
surface?

