If and when Google’s proposed 90-day limit for the lifecycle of a digital certificate comes into effect, enterprises must be ready for it. Venafi has launched its own solution.
In March 2023, Google announced an intention to shorten digital certificate lifespans to 90 days. Since then, it has neither confirmed nor denied, nor provided a timescale for this proposal. However, such a move makes sense in today’s environment; and most commentators believe it will happen.
Although the Certificate Authorities (CAs) govern certificates, the browsers control them. The CAs allow certificates to remain valid for a maximum of three years. However, in 2016/2017, Apple announced that Safari would only accept certificate validity for 398 days. The other major browsers followed suit, and 398 days is the current de facto certificate lifespan.
If Google now reduces that lifespan to 90 days for Chrome, the other major browser providers will almost certainly follow just as they followed Apple some eight years ago. This would have two effects. Firstly, it would improve cybersecurity. If data thieves manage to steal a certificate or break the encryption of a certificate, they will only have access to the data protected by that single certificate (which would be limited to a span of 90 days rather than 398 days). Secondly, when future quantum computer power breaks all current certificate encryption, the transition to quantum proof certificates will either have happened or will be faster and smoother with Venafi’s lifespan solution. The quantum-related growing concept of crypto agility will further smooth any future requirement for changes to certificate encryption.
The second effect would be a dramatic rise in the complexity of enterprise certificate management. This is already a problem caused primarily in the growth of required machine identities caused by cloud migration and factory floor automation. Every single certificate will need to be updated 4.42 times more frequently than it is today – which is already problematic.
The two effects of a 90-day lifecycle limit will be better security at the cost of greater enterprise effort. To solve the latter problem, Venafi has introduced a 90-Day TLS Readiness solution. Kevin Bocek, Venafi’s chief innovation officer, explains Venafi’s automated process.
“Being 90-days ready means that you have ownership – preferably by a team, not just one human but a team – of all individual machine identities. In this case, that’s the certificates: you know where they live and where they’re being used. Then you have procedures by which you can rotate them [replace with new]; and you have escalation procedures in case anything goes wrong.”
Most importantly, he added, you have visibility. “You must have visibility into all changes so that you know that they have been successfully implemented.” If you have all this, he continued, you have the technology to change the strategy. “I can use the technology to bring everything closer and closer together. So, whether we need to change out to be quantum proof every 15 days or every 10 days, I can do that. And if I need to change out from a certificate issued by Provider A to a certificate issued by Provider B, I can do that too.”
When this process is automated via a platform, becoming 90-day ready actually means becoming any-day ready. “Without automation, you’ll be hard pressed to establish an accurate certificate inventory, mitigate outage risks, enhance security posture, and ensure organizational agility to swiftly adapt to changing needs and future challenges like post-quantum cryptography,” writes Benson George, Venafi’s director of products marketing, in an associated blog.
“Google’s proposal in the CA/Browser Forum to reduce TLS certificate lifespans to 90 days is an important step toward increasing the web’s responsiveness to emerging threats and technological advances, including quantum computing,” explains Ryan Hurst, advisor to SandboxAQ, Binarly and Spirl – and former head of product at Google. “This significantly decreases the risks associated with key compromises by reducing the value of a key to the attacker. Moreover, embracing automation not only enhances security but also mitigates the risk of outages, allowing organizations to reduce operational toil and free resources to work on more impactful tasks while supporting a more agile and trustworthy Web PKI.”
Venafi’s 90-Day TLS Readiness solution enhances its existing technology to provide full, demonstrable, and visible compliance with the coming 90-day mandate; all done automatically.
Related: Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed!
Related: Venafi Leverages Generative AI to Manage Machine Identities
Related: More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise
Related: Venafi Becomes Unicorn After Investment From Thoma Bravo
