[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Tim Hollebeek tim.hollebeek at digicert.com
Mon Aug 19 14:34:57 MST 2019

DigiCert initiated a customer survey to solicit feedback on the proposed ballot 
to shorten certificate lifetimes (response size = 545). The survey included some 
demographic questions followed by specific inquiries on certificate usage and 
effects the change would have on customers. The results are below. There were 
many comments that accompanied the survey and we are working to include those 
in a follow-up post. We present the numerical results here and are available to 
answer questions that may arise. 

In summary, an overwhelming number of customers are not in favor of shortening 
certificate lifetimes in the timeframes proposed. The comments show a strong 
opposition to this change . This is due to an abundant lack of automation in 
their internal systems. 

Survey Questions:

Screening Questions 
S1. In which country are you located? (Select one.) 

United States                              49%
Other                                      26%
Australia                                  8%
Canada                                     6%
United Kingdom                             7%
Germany                                    3%
Brazil                                     1%
France                                     1%
China                                      0%
Japan                                      1%

Other responses: Ireland, Switzerland, Denmark, Bulgaria, Portugal, Sweden, 
Taiwan, Romania, Norway, China, Indonesia, Israel, Poland, Luxembourg, Cayman 
Islands, Netherlands, Australia, Singapore, Mexico, Andorra, Iceland, Spain, 
Belgium, Denmark, Austria, Greece, Slovakia, New Zealand, Hong Kong, Thailand, 
Malaysia, UAE, Kuwait, Russia, Finland, Czech Republic, Peru, Korea, South 
Africa, India, Ukraine

S2. Using your best estimate, how many employees work for your 
firm/organization worldwide? 

1 to 99 employees                          41%
100 to 499 employees                       20%
500 to 999 employees                       7%
1,000 to 4,999 employees                   17%
5,000 to 19,999 employees                  6%
20,000 or more employees                   7%

S3. Which of the following best describes the industry to which your company 

Advertising or marketing                          1%
Agriculture, food, and beverage                   1%
Business or consumer services                     4%
Construction                                      1%
Consumer product manufacturing                    1%
Education and nonprofits                         11%
Electronics                                       3%
Energy, utilities, and waste management           3%
Financial services and insurance                 13%
Government                                        7%
Healthcare                                        4%
Legal services                                    2%
Manufacturing and materials                       3%
Media and leisure                                 1%
Other                                             7%
Retail                                            3%
Technology                                       26%
Telecommunications services                       4%
Transportation and logistics                      3%
Travel and hospitality                            1%

Other includes:  IT Outsourcing, Municipality, Wholesale, Training Book 
Publishing, Wholesale, IT consultants - many industries, Business services, 
ISP, Cable television, Professional Services, REIT, Health Care Finance, 
Private Individual, Automotive, Areospace [sic], IT Service provider, 
Wholesale, Personal use, Human Services, Human Services, Travel/Leisure, 
Multiple business domains, IT security, webhosting, IT Services, Managed 
Service Provider, Internet services

S4.	Which title best describes your position at your organization? 

C-level executive (e.g., CEO, CMO)                                               22% 
Director (manage a team of managers and high-level contributors)                 12%
Full-time practitioner (work within a team or as an individual contributor)      29%
Manager (manage a team of functional practitioners)                              23%
Other                                                                             6%
Outside consultant                                                                1%
Part-time practitioner (work within a team or as an individual contributor)       0%
Project manager (manage ad hoc project teams)                                     4%
Vice president (in charge of one/several large departments)                       2%

Other includes: Systen Consultant and IT Architect [sic], Engineer, Crypto 
officer, Network engineer, Private Individual, IT consultant, it engineer, 
System Administrator, Personal use, Network & Security Analyst, SysAdmin, 
IT security director, Senior Tech, customer support

S5.	Which of the following most closely describes your job function in IT? 

Applications development                         8%
CIO/Office of the CIO/CTO                       13%
Corporate management                             8%
Enterprise architect                             5%
Help desk or service agents                      0%
IT infrastructure and operations                46%
Line-of-business management                      1%
Networking/communications                        4%
Other                                            3%
PMO/project or program office                    1%
Security                                        11%

Other includes: Owner, IT Manager, ALL IT Functions, one person dept, We 
pretty much do all of it, Sales and Marketing Coordinator, Personal use, IT 
Department, IT Department, Everything, Security

Survey Questions

How often do you replace the majority of your TLS/SSL server certificates today?

About every 825 days (2 years and 3 months)                    16%
Every 2 years                                                  63%
Every year                                                      9%
Every 90 days                                                   0%
Don’t know                                                      2%
Other                                                          10%
(blank)                                                         0%

Other responses include: A mix of 1 and 2 year certs, 5 years, We frequently 
do the maximum., 60 days, 3 or more, 60 days, 3 months, 3 years, We have only 
done this once., varies, 3 year, 3 months, Some are replaced every 90 days, 
3 years, 3 years, As needed, Got a 3 year before the change, 90 days, 90 days, 
2 months, 3, Every 90 days, Automated renewal through AWS ACM

2.	Does your organization currently use automated certificate renewal 
and replacement methods (e.g., Venafi, ACME, DevOps orchestration) 

Mostly yes                               14%
Some, but mostly no                      13%
No                                       70%
(blank)                                   0%
Don’t Know                                3%

Other includes: No comments received…

3.	Do you favor or oppose the proposal to reduce the maximum validity 
period for SSL/TLS certificates from the current 825 days (27 months) to 
397 days (13 months)?  Why?

I favor reducing the maximum certificate validity period from 825 days to 397 days.    16%
I oppose reducing the maximum certificate validity period from 825 days to 397 days.   81%
Don’t know / no opinion                                                                 1%
Other                                                                                   2%

4.	What  would be the impact on your organization if the CA/Browser 
Forum approves a ballot reducing the maximum validity period for SSL/TLS 
server certificates from the current 825 days (27 months) at present to 
397 days (13 months), effective for new certificates issued on or after 
March 1, 2020? (Existing certificates will remain valid for their full term).

Answers to Question 4:
DigiCert team is working to pull together a summary of open ended responses. 
This is intentionally blank.

5.	Under the proposed ballot, an organization and its domains would 
have to be revalidated every year instead of every two years.  Do you 
believe the added security from revalidating this information every year 
is worth the cost of revalidating this information every year?

Yes                              17%
No                               78%
Don’t Know                        5%

6.	Do you have any other comments or additional information you would 
like us to present to the CA/Browser Forum on your behalf?  (You will not 
be identified in connection with your comments):

Answers to Question 6:
DigiCert team is working to pull together a summary of open ended responses. 
This is intentionally blank.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190819/07120214/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190819/07120214/attachment-0001.p7s>

More information about the Servercert-wg mailing list