Google Aims to Reduce TLS Certificate Validity Periods

Google wants to shorten validity periods for TLS certificates

Google has proposed reducing the maximum validity period of digital certificates for web servers to 90 days, a significant reduction from the current 398-day maximum set by the Baseline Requirements of the CA/Browser Forum. In a blog post from the Chromium Project, Google cited the need to move towards fully automated certificate issuance, as well as the inadequacy of existing mechanisms for revoking certificates, as reasons for the proposal.

In addition to shorter certificate validity periods, Google is also proposing other changes to the certification authority (CA) ecosystem, including having CAs concentrate solely on issuing TLS server certificates instead of also issuing certificates for digitally signing software. The company argues that this would make CAs less attractive to attackers such as malware gangs.

Google is also pushing for support of the ACME protocol, which was introduced by Let’s Encrypt, to become mandatory for CAs. According to the blog article, this would make the entire ecosystem more agile and resilient.

Commercial certificate authorities may not be pleased with Google’s proposed changes, as they eliminate the last remaining reason to have a certificate issued by them. However, with Google’s Chrome browser having a market share of over 65%, and many other browsers such as Edge, Samsung Internet and Opera being based on the Chromium project, Google’s voice in the CA/Browser Forum carries weight, and other manufacturers may support the initiative.
