The CA/Browser Forum approved new guidelines that shorten the maximum lifespan of SSL/TLS certificates in phases, from 200 days in 2026 down to 47 days by March 15, 2029. This change, backed by major industry leaders, aims to improve internet security by reducing the risks associated with long-lived certificates. The validity period for domain validation will also decrease significantly, increasing the need for frequent revalidation. Despite the intended security benefits, some experts are skeptical about the feasibility of the changes and the empirical support for them.
"Do...uh, we have hard data to show this is a good idea? I get the intent, for sure. Cert revocation checks just don't work very well, and automated tools can help you renew your certificates automagically. It's a pity that in practice, companies will have legacy systems and appliances where they can't easily automate"
"The rationale behind this change is to enhance security by limiting the window during which a compromised certificate can be exploited. Shorter lifespans reduce reliance on certificate revocation mechanisms," said one industry expert.