[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Aug 27 00:18:35 MST 2019

On 26/8/2019 4:20 μ.μ., Ryan Sleevi wrote:
> On Mon, Aug 26, 2019 at 12:35 AM Dimitris Zacharopoulos (HARICA) via 
> Servercert-wg <servercert-wg at cabforum.org 
> <mailto:servercert-wg at cabforum.org>> wrote:
>     HARICA does not agree with further reducing the lifetime of TLS
>     Certificates as it creates unnecessary burden to site operators.
>     If the main problem we are trying to solve is Domain Validation
>     and the fact that some domains are "changing owners", thus putting
>     at risk the new Domain owners as BygoneSSL demonstrated, we should
>     look for alternatives rather than having millions of site
>     operators replace millions of Certificates at a shorter timeframe.
> This is not the "main goal".
> During earlier drafting, it was suggested by some members to provide a 
> list of the numerous benefits. This list is at 
> https://cabforum.org/pipermail/servercert-wg/2019-August/000894.html , 
> which includes many suggestions from Apple previously, at 
> https://cabforum.org/pipermail/validation/2019-August/001296.html

Apologies for the long reply, but I had to include the previous 
references for completeness.

Benefits of reduced lifetime:

  *    Issues that result from the misinterpretation or misapplication
    of the Baseline Requirements are able to be more promptly resolved.
    Despite the best efforts of Browsers to ensure unambiguous
    requirements, there continue to be issues with CAs and their
    understanding and successful implementation of existing
    requirements. At present, due to the fact that validations may be
    reused for up to 825 days, and when they are reused, may be used to
    issue certificates valid for another 825 days, it may take up to
    four and a half years before issues are resolved. This proposal
    would halve that time, to a little more than two years, and
    represents a significant improvement.

Re-validating Domain Names seems to solve this problem, so this goal is 

  *    Even when the Baseline Requirements are clear and unambiguous,
    implementation issues by CAs routinely introduces risks of
    improperly formed or validated certificates, allowing CAs to issue
    certificates which have never been permitted and should never have
    been issued. Reducing certificate lifetimes reduces the overall risk
    that the ecosystem is exposed to these improperly formed
    certificates, both in terms of usage and in the need for Relying
    Parties to support such certificates.

Such a risk will always be there, I don't see how it can be reduced by 
shortening the lifetime of Certificates. Even if a Certificate is issued 
for 1 month, it could create the necessary "damage". The BRs already 
have rules for such cases, which is revocation within 5 days. We saw 
that clearly in the serialNumber entropy case. For improperly validated 
certificates, again the re-validation process would be executed within 
12 months with the updated validation methods, so this goal is achieved 
as well.

  *    CRLs and OCSP have long been shown to be non-viable at
    Internet-scale, in terms of how they externalize costs like privacy,
    performance, and stability to Subscribers and Relying Parties. While
    alternative, browser-specific methods also exist, they also allow
    CAs to externalize the cost of their practices onto users and
    browsers, growing as the number of unexpired certificates grow. 
    Reducing certificate lifetimes meaningfully protects users,
    regardless of the revocation method used, and helps reduce the
    overall costs paid by users.

You claim that checking for the status of a Certificate is externalized 
to Relying Parties (users and browsers). Yes, this is how X.509 was 
designed. It's not a perfect technology and some solutions might suffer 
from privacy, performance and stability. I also don't see how reducing 
certificate lifetimes helps reduce the overall costs paid by users. 
Users will continue to check for the status of every certificate 
presented to them, these are the rules. If a browser decides not to 
check for the status of a certificate for performance, or other, 
reasons, then this browser adds a more significant risk to the user. 
This browser would reduce the cost (privacy, performance, stability) but 
would open a risk window for exposing the user to a 
malformed/unvalidated/fraudulent/incompatible Certificate.

  *    Operationally, the current extensive certificate lifetime has
    repeatedly led to issues, in that Subscribers frequently forget how
    or when to replace certificates. Aligning on an annual basis helps
    ensure and streamline continuity of operations, reducing the number
    of errors users see and disruptions that sites face.

Replacing certificates more frequently, opens the (greater than zero) 
risk of mis-configuration. We are not discussing about meaningful 
security improvements like configuring a web server to support TLS 
1.2/1.3 and removing 1.0/1.1. We are discussing about a Certificate 
replacement that provides "zero" security benefit to Relying Parties. 
They won't even detect this change. According to HARICA's experience, 
site operators tend to align Certificate replacement in certain weeks 
and this can be achieved even with 2-year Certificates. They usually 
receive expiration warnings ahead of time to remind them that 
Certificates are about to expire. I don't see a significant improvement 
here by reducing the certificate lifetime to 13 months.

  *    Operationally, the prolonged reuse of validation information
    creates challenges in replacing certificates due to security risks
    identified with the existing validation methods permitted by the
    Baseline Requirements. Reducing this validity period similarly helps
    streamline the validation process, allowing site operators to ensure
    for relying parties that the certificates they use were meaningfully

This kind of repeats the second bullet and I believe is the most 
important argument driving this ballot, which is precisely the reason 
HARICA focused on this one and called it the "main goal". Re-validating 
Domains is critical and the ecosystem can greatly benefit from such a 
requirement. This doesn't mean that the associated Certificate(s) need 
to be replaced creating all the extra headaches for site operators with 
"exotic" equipment.

  *    As shown by issues such as BygoneSSL, the misalignment between
    certificate lifetime and the domain name system poses availability
    and security risks to site operators. Despite such research being
    presented directly to the CA/Browser Forum, there have been no
    efforts by CAs, as an industry, to mitigate the risks posed to
    users. Certificate lifetimes currently represent the greatest
    mitigation to these risks.

Requiring annual re-validation of Domain Names seems to achieve this 
goal as well.

  *    Existing certificate validity periods create risk for Relying
    Parties wishing to enforce the Baseline Requirements or Root Program
    requirements, by allowing CAs to “backdate” certificates in order to
    attempt to bypass date-based program requirements. Reducing
    certificate lifetimes reduces the window of exposure to such
    bypasses. As this has happened multiple times, by past and present
    members of the CA/Browser Forum, reducing certificate lifetimes
    represents the safest way to detect and counter this risk.

CT logging seems far better mitigation to counter this risk. All CAs 
that are trusted by at least Apple and Chrome need to log their 
Certificates anyway, I am not aware of any CA/B Forum CA Member that 
doesn't log TLS Certificates. In any case, what you describe here is 
strictly prohibited at least by the Mozilla Root Program 
Reducing the certificate lifetime provides no protection for a malicious 
CA that will issue a certificate in the past to bypass new requirements. 
However, re-validating the Domain Names with the latest validation rules 
should leave an auditable trail.

  * Security:
      o Long lived certs present a longer lived threat. We have seen
        this presented in the BygoneSSL report/brief. We would like to
        work towards having the domain validation validity align with
        the certificate validity.

Apple is also more concerned about Domain Validation and rightfully so. 
This is what BygoneSSL presented. Performing Domain Validation more 
frequently is a solution to this problem.

      o Since most software fails open when performing revocation
        checks, the best safeguard is the validity period of the

I believe this has already been addressed. For the benefit of software 
that actually does what the underlying technology requires them to do, 
which is revocation checking, we should not abandon revocation as a 
tool. It is already in the requirements and has caused significant pain 
to CAs to support it, as I'm sure most of this group is aware of.

  * Operational:
      o Teams with high turnover are better able to ensure continuity.
      o Teams align other annual requirements with certificate issuance
        so that manual issuances aren’t forgotten.
      o Encourages adoption of automation that reduces opportunity for
        human error and reduces operational cost overall.

If only automation was that simple for every TLS server that wants to be 
publicly accessible... HARICA is probably one of the smallest CAs in the 
Forum yet we have encountered a great number of appliances/equipment 
that provide a very basic administrative interface. We are assisting 
site operators to install certificates in these devices and even have a 
hard time installing the Certificate Chain (for some cases where the 
hierarchy is more than 2 levels). These devices have no way of 
automating certificate installation. I don't know the percentage of 
these devices worldwide but I'm sure larger CAs have similar or better 
experience to share with us. We propose site operators to use web 
proxies but some of them have no experience how to properly maintain one.

If we consider the time to manually replace a certificate in such 
devices to 30', then the 6% of the total number of Certificates is a 
significant human effort for zero benefit to Relying Parties and very 
low benefit for Domain owners.

>     Certificates are used in far more systems than I could possibly
>     list. Routers, modems, cameras, scientific equipment, proxys, are
>     just to name a few that have zero (or close to zero) support for
>     automation in certificate renewal.
> Annual certificates do not require the use of automation. Certificates 
> with lifespans of <= 13 months, as this ballot proposes, make up 94% 
> of the existing valid certificate market.

I don't doubt the numbers but for sure LE's 90-day Certificate lifetime 
should significantly influence this number.

>     We could try to disconnect the Domain Validation part from the
>     Certificate Installation part. The Domain Validation part is
>     usually done via alternative channels and are easier for site
>     operators to handle. Perhaps we have discussed this before but we
>     could add rules in the BRs to re-validate Domain Names more
>     frequently, like every 12 months. If the Domain is not
>     re-validated within 13 months, the Certificate MUST be revoked
>     (leaving 1 month "grace period" for reminders to be sent to the
>     Domain owner).
> You are correct that we did not explore it, because as noted in the 
> ballot, revocation does not work for the Web, especially with respect 
> to privacy. Any solution that relies on revocation is thus 
> unacceptably broken.

A reasonable continuation of this though would be "let's get rid of 
revocation requirements", yet we are pushing for revocation whenever 
something as the serialNumber entropy issue (63 bits instead of 64 bits 
of entropy source) occurs. This seems to be inconsistent. Revocation is 
not unacceptably broken as demonstrated by at least some Certificate 
Consumers that effectively use revocation mechanisms. Perhaps the 
revocation check is not instant but in a short amount of time 
(hours/days, not months as the lifetime of the Certificate protects), a 
revoked Certificate is not trusted by these Certificate Consumers.

>     The fact that revocation doesn't work for some browsers is not
>     (IMHO) an excuse for requiring millions of site operators to
>     replace certificates in these "admin unfriendly"environments,
>     every year, just to check if the site is still owned by the same
>     individual/organization.
> Thank you for sharing. Considering the hundreds of millions of sites 
> which are exposed to harm, danger, and CA misissuance as a result of 
> the long-lived lifetimes, and for which as Subscribers, they have no 
> effective recourse, Google's position is that we put the user first. 
> In this case, this means that the minority of sites and users - 
> approximately 6% - may have to encounter annual replacement. However, 
> the industry has shown that this does not require automation to do, as 
> this is both the default for a number of CAs, and long wide-spread 
> before the rise of automated mechanisms like RFC 8555. Automation 
> simply improves things.

Perhaps I wasn't clear enough when I mentioned about "admin unfriendly" 
environments. These are devices and equipment that are manufactured with 
a specific firmware. All vendors would have to create new firmware to 
support implementations like RFC 8555. We are already seeing this make 
progress in newer equipment but it's slow.

>     As Christian supported, in case of emergency (like an algorithm
>     failure or a CA failure/misussuance), as demonstrated in the
>     recent serialNumber entropy issue, CAs and site operators can be
>     pushed to replace certificates sooner. Site operators understand
>     and respect the fact that there is an emergency or an anomaly, and
>     can re-allocate resources accordingly to deal with an *unexpected*
>     need for certificate replacement. Requiring the installation of
>     new certificates every year is not an "emergency" task and will
>     not be easy to justify and for site operators to accept.
> CAs that still think of certificate replacement as an "emergency" task 
> are doing their users and customers a significant disservice and harm. 
> Another objective, as noted, is to reinforce that this is not and 
> cannot be the case.

CAs that follow the rules, explain to their Subscribers that in case of 
violation of the CP/CPS or the revocation reasons listed in and of the BRs, the Subscriber Certificate would have to be replaced 
within 5 days (and in some cases within 24 hours). Other than that, the 
Certificate is good for as long as it is valid for. I don't see anything 
wrong here. Asking Subscribers to replace certificates "just for the 
sake of it", seems unnecessary and disrespectful for their time and effort.

> Luckily, some CAs have recognized this, and in light of 
> misissuance events have already taken steps - before this ballot was 
> circulated or proposed - to reduce the lifetime of the certificates 
> they issue to an annual basis. I can think of one CA, which primarily 
> targets government and enterprise users, which recognized the 
> challenges they and their customers had with timely replacement of 
> certificates, and saw a reduction in lifetime as the most significant 
> mitigation they could put in place.

HARICA has been issuing publicly-trusted certificates since 2011. We 
have always kept a maximum lifetime of 2 years because that was a 
reasonable balance between site operator effort to replace certificate 
and the duration of most of the Domain registrations we had seen. The 
majority of Domains (at least the ones that we encountered) were 
registered for 2 years. However, I would be curious to see more citation 
and experience for government and enterprise users that described how 
the CA and these Subscribers approached this challenge and reached such 
a conclusion (that the reduction of lifetime was the most significant 
mitigation they could put in place).

> It is understandable for CAs, given their direct dealings with 
> customers, to put their customers and business interests first, over 
> the safety and security of the ecosystem and users. It can be 
> difficult to articulate to them and their customers that the Web PKI 
> is only as secure as its weakest link, and that they are directly 
> harming many countless tens of millions of users and certificate 
> holders that wish to have improved security. Similarly, it can be 
> difficult to explain to these customers the importance of routine and 
> regular certificate maintenance, as part of any cohesive 
> infrastructure readiness or disaster preparedness scenario, as they 
> may be relying on antiquated notions that certificate replacement is 
> difficult. That's why it's incumbent upon us, the CA/Browser Forum, 
> and in particular, the Browser Root Store operators who are tasked 
> with ensuring the CAs in their program are trustworthy and the 
> certificates issued by these CAs meaningfully secure users' 
> connections, to lead and ensure that the minimum bar of security is 
> adequate.

This is probably the hardest to answer. Some CAs have demonstrated that 
the wider ecosystem good is above the benefit of the CA and its 
customers. They have done that by following the rules to the point, even 
if this created difficulties in customer relations due to a revocation 
requirement. If you consider that all Subscribers "out there" should be 
ready for a disaster scenario, this is probably the strongest argument 
to support reducing certificate lifetime to 13-months and even lower 
than that. Unless Google knows something the rest of the ecosystem 
doesn't know, I would kindly ask you to elaborate on what a disaster 
scenario looks like. Would the Quantum Computing scenario fit the 
description? A SHA2 deprecation? I think keeping the same algorithms for 
CA Certificates that are good for 10, 15 or 20 years makes reducing the 
lifetime of end-entity certificates a moot point. I am only saying this 
because the Forum has taken careful considerations to support secure 
algorithms, secure standards that have been tested thoroughly by the 
engineering and academic community. If there is a risk that the 
standards currently used or referenced in the BRs have a high likelihood 
to be broken, we must certainly focus on that. The SHA1 deprecation gave 
the CAs and the browsers a lot of useful experience so that we don't 
repeat previous mistakes. In case of a SHA2 deprecation the CAs and 
browsers should follow a significantly faster timeline.

> I'm shocked and dismayed to see CAs advocating against any lifetime 
> reduction, as it suggests outdated or incomplete understanding of the 
> core business they're in. While I'm sympathetic to discussions about 
> when best to make these changes, and have tried earnestly to highlight 
> repeatedly why it requires no substantive process changes for any 
> individual Subscribers before 2021, I would have hoped the years of 
> discussion that clearly identified this was the end-goal would have 
> prepared adequately.

HARICA will support any ballot that provides good and clear benefit to 
the ecosystem, taking into account all associated costs, risks, impact 
and effort. That includes CAs, Browsers, Certificate Subscribers, Site 
Operators, Domain owners and Relying Parties. Each "Participant" in the 
ecosystem has a certain amount of "weight". Relying Parties have the 
highest. The current proposal of ballot SC22 doesn't demonstrate 
significant security improvement for Relying Parties (they will see a 
renewed certificate more frequently than before). Re-validating the 
Domain Names annually, from HARICA's perspective, seems to be a better 
solution that meets the same goals as SC22 (thus RPs are more certain 
that they connect to the properly-owned Domain) without the additional 
burden for site operators to replace certificates more frequently. They 
just need to re-demonstrate control of the Domain Name otherwise their 
Certificate will be revoked.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190827/074b7e1f/attachment-0001.html>

More information about the Servercert-wg mailing list