[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes
Tim Hollebeek
tim.hollebeek at digicert.com
Mon Aug 19 14:34:57 MST 2019
DigiCert initiated a customer survey to solicit feedback on the proposed ballot
to shorten certificate lifetimes (response size = 545). The survey included some
demographic questions followed by specific inquiries on certificate usage and
effects the change would have on customers. The results are below. There were
many comments that accompanied the survey and we are working to include those
in a follow-up post. We present the numerical results here and are available to
answer questions that may arise.
In summary, an overwhelming number of customers are not in favor of shortening
certificate lifetimes in the timeframes proposed. The comments show a strong
opposition to this change. This is due to an abundant lack of automation in
their internal systems.
Survey Questions:
Screening Questions
S1. In which country are you located? (Select one.)
United States 49%
Other 26%
Australia 8%
Canada 6%
United Kingdom 7%
Germany 3%
Brazil 1%
France 1%
China 0%
Japan 1%
Other responses: Ireland, Switzerland, Denmark, Bulgaria, Portugal, Sweden,
Taiwan, Romania, Norway, China, Indonesia, Israel, Poland, Luxembourg, Cayman
Islands, Netherlands, Australia, Singapore, Mexico, Andorra, Iceland, Spain,
Belgium, Denmark, Austria, Greece, Slovakia, New Zealand, Hong Kong, Thailand,
Malaysia, UAE, Kuwait, Russia, Finland, Czech Republic, Peru, Korea, South
Africa, India, Ukraine
S2. Using your best estimate, how many employees work for your
firm/organization worldwide?
1 to 99 employees 41%
100 to 499 employees 20%
500 to 999 employees 7%
1,000 to 4,999 employees 17%
5,000 to 19,999 employees 6%
20,000 or more employees 7%
S3. Which of the following best describes the industry to which your company
belongs?
Advertising or marketing 1%
Agriculture, food, and beverage 1%
Business or consumer services 4%
Construction 1%
Consumer product manufacturing 1%
Education and nonprofits 11%
Electronics 3%
Energy, utilities, and waste management 3%
Financial services and insurance 13%
Government 7%
Healthcare 4%
Legal services 2%
Manufacturing and materials 3%
Media and leisure 1%
Other 7%
Retail 3%
Technology 26%
Telecommunications services 4%
Transportation and logistics 3%
Travel and hospitality 1%
Other includes: IT Outsourcing, Municipality, Wholesale, Training Book
Publishing, Wholesale, IT consultants - many industries, Business services,
ISP, Cable television, Professional Services, REIT, Health Care Finance,
Private Individual, Automotive, Areospace [sic], IT Service provider,
Wholesale, Personal use, Human Services, Human Services, Travel/Leisure,
Multiple business domains, IT security, webhosting, IT Services, Managed
Service Provider, Internet services
S4. Which title best describes your position at your organization?
C-level executive (e.g., CEO, CMO) 22%
Director (manage a team of managers and high-level contributors) 12%
Full-time practitioner (work within a team or as an individual contributor) 29%
Manager (manage a team of functional practitioners) 23%
Other 6%
Outside consultant 1%
Part-time practitioner (work within a team or as an individual contributor) 0%
Project manager (manage ad hoc project teams) 4%
Vice president (in charge of one/several large departments) 2%
Other includes: Systen Consultant and IT Architect [sic], Engineer, Crypto
officer, Network engineer, Private Individual, IT consultant, it engineer,
System Administrator, Personal use, Network & Security Analyst, SysAdmin,
IT security director, Senior Tech, customer support
S5. Which of the following most closely describes your job function in IT?
Applications development 8%
CIO/Office of the CIO/CTO 13%
Corporate management 8%
Enterprise architect 5%
Help desk or service agents 0%
IT infrastructure and operations 46%
Line-of-business management 1%
Networking/communications 4%
Other 3%
PMO/project or program office 1%
Security 11%
Other includes: Owner, IT Manager, ALL IT Functions, one person dept, We
pretty much do all of it, Sales and Marketing Coordinator, Personal use, IT
Department, IT Department, Everything, Security
Survey Questions
1. How often do you replace the majority of your TLS/SSL server certificates today?
About every 825 days (2 years and 3 months) 16%
Every 2 years 63%
Every year 9%
Every 90 days 0%
Don’t know 2%
Other 10%
(blank) 0%
Other responses include: A mix of 1 and 2 year certs, 5 years, We frequently
do the maximum., 60 days, 3 or more, 60 days, 3 months, 3 years, We have only
done this once., varies, 3 year, 3 months, Some are replaced every 90 days,
3 years, 3 years, As needed, Got a 3 year before the change, 90 days, 90 days,
2 months, 3, Every 90 days, Automated renewal through AWS ACM
2. Does your organization currently use automated certificate renewal
and replacement methods (e.g., Venafi, ACME, DevOps orchestration)?
Mostly yes 14%
Some, but mostly no 13%
No 70%
(blank) 0%
Don’t Know 3%
Other includes: No comments received…
3. Do you favor or oppose the proposal to reduce the maximum validity
period for SSL/TLS certificates from the current 825 days (27 months) to
397 days (13 months)? Why?
I favor reducing the maximum certificate validity period from 825 days to 397 days. 16%
I oppose reducing the maximum certificate validity period from 825 days to 397 days. 81%
Don’t know / no opinion 1%
Other 2%
4. What would be the impact on your organization if the CA/Browser
Forum approves a ballot reducing the maximum validity period for SSL/TLS
server certificates from the current 825 days (27 months) at present to
397 days (13 months), effective for new certificates issued on or after
March 1, 2020? (Existing certificates will remain valid for their full term).
Answers to Question 4:
DigiCert team is working to pull together a summary of open ended responses.
This is intentionally blank.
5. Under the proposed ballot, an organization and its domains would
have to be revalidated every year instead of every two years. Do you
believe the added security from revalidating this information every year
is worth the cost of revalidating this information every year?
Yes 17%
No 78%
Don’t Know 5%
6. Do you have any other comments or additional information you would
like us to present to the CA/Browser Forum on your behalf? (You will not
be identified in connection with your comments):
Answers to Question 6:
DigiCert team is working to pull together a summary of open ended responses.
This is intentionally blank.