[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Tim Hollebeek tim.hollebeek at digicert.com
Thu Aug 22 07:35:38 MST 2019

Here are the comments from the survey.  This is all of the comments we received, with only some profanity redacted.

-Tim

Verbatim Responses (full text response)

3. Do you favor or oppose the proposal to reduce the maximum validity period for SSL/TLS certificates from the current 825 days (27 months) to 397 days (13 months)?  Why?

It is already such a pain to deal with SSL certs. This would in effect double the pain. Please do NOT do this!

----- 

This is overly disruptive for VOIP systems.

----- 

This would currently increase the workload of an already stretched department. We not only have to look at the effect of our staff, but also the 2,300 odd student population we support.

----- 

I favor this change, however, the industry needs to get ACME fully adopted at least with the big players in the market.

----- 

This will fail in the manner of Extended Validation certs. You cannot engineer around an uncaring end user or untrained IT staff, stop trying.

----- 

In a Complex Environment with Certificate Pinning, this would be a big pain!

----- 

This will be PAIN! if the lifetime will be lowered further. We have so many external customers with external certs. 2 years is okay! Can't be shorter! Better to improve security.

----- 

Because I request and replace certificates manually and it will cost me more additional work. Moreover, how will it affect the price of certificates?

----- 

The security of the certificates is not related with the time they are valid. Decreasing the validity period of certificates increases the management of certificates without any gain, in my point of view

----- 

Too much scrambling for manual installs. Automation is a big commitment to undertake and we don't have capacity.

----- 

Keys are like passwords, they should be changed often and made harder and harder to crack. This improvement in the industry is long overdue.

----- 

Needs more evaluation. Decision should be based on facts and statistics and with the end users and companies in focus.

----- 

As a smaller organization we manage over 150 sites ourselves. I don't believe there will be enough of an improvement in security to justify cutting the time in half.

----- 

1.) This would have fiscal impact as the number of (costed) SSL cert units/licences would increase by 85%

----- 

Impact to capital project funding and business approval processes. We can capitalize certificates with project implementation. It's gone from 3 years to 2 already. Business leaders have to approve ongoing expenses and each business unit approves the money for their respective group of certs. Too much operational burden without the proper amount of time to research and implement automation.

----- 

I didn't like the idea of going down from 3 years.

----- 

This is a significant burden on smaller organizations that are not currently sophisticated enough to automate replacement of public certificates. 2 years is honestly too short already.

----- 

Work needs to be done on improving how encryption works. Arbitrarily reducing the rotation period for certificates doesn't really address the problems the industry is facing.

----- 

There is no real world benefit to reduce this further other than promoting their own agenda.

----- 

Decreased period would cause significant impact to staff time required to manage certificates.

----- 

Too much work to do it manually in a small organisation with several servers outsourced.

----- 

Many reasons: 1) Most multi-year renewals are offered with a discount. 2) On systems that are going to be in use for many years, renewing the SSL every 13 months is counterproductive at best. Multi-year renewals are much more practical. 3) 13 months? Much easier to do 12-month intervals (1 per calendar year for budgetary reasons)

----- 

Just another way to get more money out of businesses.

----- 

There has been no valid research that I've seen demonstrating the efficacy of reducing the window.

----- 

Legacy services, no automation available, difficult certificate installations. Every time it's days of work to manually install certificates on all the different hardware and legacy software devices we have.

----- 

I don't want to have to think about certificates, but we are forced to in order to do business. We are an honest company, and security requirements are a burden.

----- 

More overhead on replacing SSL/TLS Certs for IT Personnel

----- 

This is a stupid waste of my time and money for no benefit.

----- 

This is a stupid waste of my time and money for no benefit.

----- 

The process to verify an organization is a complete farce so I really don't see the point, aside from Google trying to scare consumers and hoping that they believe their lies. All browsers should be using encrypted network communication by default, with no need for certificates at all, except for special cases.

----- 

2 years is already short. As we are short of IT workers, we are afraid that the new IT employees don't have the required expertise to replace the certificate, which means hiring experts happens more frequently.

----- 

I think that should be an option not the standard. I may need to do some additional research but for the certificates we use I do not see the benefit of making this change.

----- 

Not exactly sure how shortening the lifetime improves security. Unless a CA or private key is compromised there is no reason to replace a certificate sooner.

----- 

Replacing all the certs is a PITA.. please don't make us do it more often.

----- 

This takes a lot of time to do and for a small company its a drain on resources to do this every year!!!!!

----- 

This is an unreasonable burden on businesses especially for EV certificates. While shortening the lifetime of certificates used for website communications might make sense, it makes no sense for other applications of certificates such as code signing where the certificate builds reputation with antivirus products through out its life and a longer life certificate is actually beneficial to the business and end user.

----- 

It appears Google swinging about as the largest gorilla....

----- 

The added security is not worth the hassle involved in updating all the places our certificates are used

----- 

This is ridiculous because this means reinventing the certificate every year through a painful process and verification. I see no justification for reducing the time from the previous 3 yrs. What is Google gaining from this?

----- 

Shorten it and there will just be that many more expired certificates. Plus, Google has already caused enough SSL turmoil in the past three years.

----- 

This would be a huge increase in my workload, I am afraid of missing deadlines for Certs.

----- 

Couldn't care less.

----- 

From our point of view, if reduced, just another nuisance process to deal with.

----- 

This appears to be the only way to remove certificates that are malicious. Once issued, they are very hard to revoke.

----- 

The internet is being controlled by Google. They move with impunity and you have no choice but to play by their game or be out. It is a monopoly and should be broken up.

----- 

If the certificate is secure, why create more work on a yearly basis?

----- 

I oppose anything shorter. How much is really changing anyway? I've lost a website or access before because it can be challenging to keep up with all the requirements. That is why I typically renew everything for as long as possible.

----- 

The costs outweigh the benefits.

----- 

Renewal of contracts is becoming a full time job! In this case we're confident in DigiCert's ability to be a high security certificate provider.

----- 

This will be a large increase in labor.

----- 

I don't see the reason why. 2 years is a reasonable amount of time. It will create an impact worldwide. What's next? 30 days validity certificates?

----- 

This is stupidity

----- 

Google can go to hell. They are evil and anything that they want is not good for the people.

----- 

This places an additional burden/impact on small businesses.

----- 

This would impose a huge burden on our company, as well as several other companies I have discussed this with.

----- 

This really sounds like a solution looking for a problem. What next? If this doesn't help (and it won't) drop it to 6 months? 3? 1? Daily? It's quite stupid actually.

----- 

This becomes impactful to operations of mid-size and larger environments. It will increase the workload, and potential of issues as certificates must be refreshed more often.

----- 

Don't fix something that isn't broken.

-----

As far as I know, there are no automated programs we can use that will renew our certs on the web servers and then immediately export a copy of the cert to our web firewall, which is what has to be done every time we replace one.

----- 

More work for me and Google and Apple shouldn't be able to dictate how the internet should be run

----- 

It introduces yet more work - has no demonstrated value - and yet one more place for human error or malfeasance.

-----

Cost

----- 

Because I don't need more busy work.

----- 

While it is true that certificates can be stolen and/or hacked, replacing them more often follows the same logic as changing passwords more often. In theory, changing passwords more often reduces the amount of time a password can be used maliciously. In reality, changing passwords more often makes passwords less secure as people end up taking shortcuts, changing only one number, writing them down, etc. Changing certificates more often is going to increase the overhead "cost" of having certificates implemented and increase the chances that the certificates being mismanaged. And while automation does exist to help offset the workload, any application implemented only decreases the security of a system as it increases the attack vectors on said system.

----- 

We are not currently using automation to manage certificate lifecycle and would prefer to look into automation prior to a change in certificate lifetimes

----- 

The level of automated certificate renewal is still not there for many types of systems and devices, especially those where a certificate has been generated for an individual piece of I.T. infrastructure (i.e. a SAN or a serial console server). We're not opposed to lowering to 13 months in principle, but only when 90%+ of currently supported I.T. equipment/infrastructure/systems support automatic renewal. As it stands this change will lead to more service outages and people seeing certificate warnings than they currently do.

----- 

Increased security offered by a shorter term certificate seem likely to be helpful in reducing the potential for fraud. The effort of replacing certificates, even in an enterprise with many certificates, can be a manageable, anticipated task. Tools to automate that process are already available. A mandated ultimatum is an effective influencing motivation for bureaucracies with slow feet. If you build it, they will come.

----- 

The certificate validity period should be chosen by the organization based on their security needs and cost structure.

----- 

My clients range from 5-user to 100-user networks. They have to pay me to keep their certificates updated...as well as pay for the certificate. If there is no real benefit to changing the validity timeframe, it is just adding an unnecessary cost to their bottom line. Nowadays, we have to secure public websites (thanks Google) as well as private/secure servers so it is already more expensive than it used to be.

----- 

The increase in security is far outweighed by the negative impact on companies such as us that manually have to upload these certificates to dozens, if not hundreds, of devices/hosts.

----- 

For a small staff this can be quite a burden to change multiple Certificates so often.

----- 

The impact for our IT department to replace all the certificates for industry machines and Servers would be outrageous, it was already incomprehensible from 3 years to 2 years, but reducing again is just not practical anymore and we would have to think of alternatives.

----- 

I don't understand the trade-off enough. Why does a shorter validity period improve security?

----- 

Our services do not change often enough to warrant a renewal effort every 13 months.

----- 

Ideally short lived certificates should be used but would require E2E automation.

----- 

This negatively impacts small businesses. Keeping up is already tough, adding shorter time periods and additional cost is a TERRIBLE idea (only good for the biggies Apple, Google, Facebook...another example of pushing the little people around) STOP DOING EVIL!!!

----- 

While we understand the importance of security, we feel reducing the time down to one year is unreasonably disruptive as it requires regenerating all certificates yearly.

----- 

The revocation process is terrible. Hard renewals at short intervals will help by giving a fail safe to ensure valid certificates.

-----

While we want to ensure the highest security possible, there are many other changes that would have a greater impact on securing web sites and other certificate based exchanges. This looks more like a "money grab" than an effort to truly improve security.

----- 

The renewal process is a hassle. We see no benefits to reducing the maximum validity period.

----- 

The better solution is to re-architect the certificate revocation process, thereby allowing revocation to work even faster than expiration. Shortening expiration doesn't really solve the root issue effectively.

----- 

Unnecessary added cost and concern for software/appliance acceptance as relates to software solution/version.

----- 

The automated cert replacement/reminder can only go so far for some as it's dictated by setup. I believe the standard of 2 years achieves its purpose and does not need to be shortened.

----- 

Certificate management is already a hassle. Reducing the maximum validity period would make it much worse.

----- 

It takes weeks for us to redeploy certificates on our many systems.

-----

Whatever the best measure is for security. I will let brighter minds than me decide that. But security trumps all.

----- 

I see no compelling reason to shorten the validity period of certificates further. Sufficient security measures are already built into the certificate and certification process, such as being able to specify which hashing algorithm is used in the certificate signature, and the key length, and automated verification of the domain being certified.

----- 

I see no compelling reason to shorten the validity period of certificates further. Sufficient security measures are already built into the certificate and certification process, such as being able to specify which hashing algorithm is used in the certificate signature, and the key length, and automated verification of the domain being certified.

----- 

I favor the shortened validity period proposed, but agree with Digicert's position that there should be no rush to implement the changes. I agree that the discussion should include a timeline that allows for companies to properly plan for shorter lifetimes.

----- 

We are a smaller institution that already struggles with Certificate replacement. Working with a multitude of vendors and the lack of general certificate expertise with these systems poses real issues for us.

----- 

compromised certs can be revoked, so use that mechanism

----- 

As a small company, we don't have the funding, time, and expertise to easily replace certs. It's generally a tedious process that must be done off hours and takes my team hours of trial and error. Every 3 years was tolerable, every 2 years has been inconvenient, but every year is absurd.

----- 

I completely OPPOSE this proposal. In my opinion annual renewal of all certificates is unreasonably disruptive and not worth the benefits.

----- 

The more frequently certificates have to be replaced, the more burden it puts on our small, resource constrained organization. Also, I do not understand the security benefit of shortening the validity period. This is the equivalent of arbitrary password changes.

----- 

This creates a tremendous burden for any organization that does not have full time or robust I.T. departments. It's more cost to hire consultants, more cost to purchase additional certificates, and more cost in terms of time and pain. The result will be certs will expire and folks will just be asked to navigate around the browser warning messages - defeating the benefits.

----- 

This is an excuse to avoid making certificate revocation technology work right. Expiration is inferior to revocation both tactically and strategically, but browser vendors and other TLS/SSL implementors have failed to step up and fix cert revocation.

----- 

2 years for OV and EV certificate is great. Don't forget the validation process.

----- 

How often are certificates older than 397 days actually invalid certificates? The point is to protect users, but how many are invalid and thus require to be re-certified?

----- 

Seeing as how this proposal does nothing to increase security of TLS traffic itself and does not actually decrease malicious behavior by bad actors we see no reason to implement this type of change and actually increase the more frequent possibility of introducing downtime while replacing certificates on mission critical servers. IIS/Apache/etc are easy, so long as human error isn't an issue, but other systems are not. We recently experienced a day long outage on a mission critical system trying to replace a certificate. Luckily, today, we don't have to do that again for another 2 years. We still wish it was 3.

----- 

IMHO Certificates should be valid for about 5 years (barely the lifetime of the average server/system).

----- 

I oppose any Google-led changes to certificates in general because I'm concerned that it will be used as a tool to censor and block websites and servers that Big Tech arbitrarily decides are not suitable for the public. This is none of their concern. They have already arbitrarily decided to stop trusting various CA's, which has twice led me to scramble to replace my certificates. Not good.

----- 

This is a net gain for the wider community and clients everywhere. There's not a large increase in the amount of work, and in fact, performing manual cert tasks more often can help drive innovation and automation (or at the very least help keep it fresh in mind and not have the operations team have to re-learn how every 800 days..)

----- 

There is no clear benefit to the proposed changed. It's a theoretical at best.

----- 

Increased security and trust

----- 

This is an overall win for the security ecosystem. Certs are a way to put a "timer" on a TLS site, the forces more-frequent attention to them, replacement of keys, etc.

----- 

Lifetime of certificates should not be more than 180 days for the below mentioned reasons - 1. It will bring automation in certificate renewal/update at server side and will minimise the probability of certificate expiration 2. New policies can be implemented in an easier and faster manner like SHA1 type of cases

-----

I feel I am being scammed for more money; if this is a security issue you need to find other ways to ensure customer satisfaction.

----- 

We use wildcard certificates and it takes a long time to reissue them all at once.

----- 

We prefer extending the maximum validity. 2 years is short enough, too short, and longer would be much better.

----- 

I don't understand the purpose of reducing the validity period. What is the supposed advantage to shortening the period? For who? Is a shortened validity period more secure than a longer one?

----- 

Decreasing the term would necessarily put more sites at risk because they will expire on a more frequent basis. If the goal is to guard against hijacked sites, why not improve the process to prove ownership of a given site?

----- 

It decreases the attack surface by reducing the number of days and will help spark more automation around TLS certificate renewal

----- 

I strongly oppose this proposal as this would add more time investment for every company replacing their certificates. This change ironically doesn't affect the big companies that are making this proposal such as Google and Apple, only the small businesses that have to deal with the outcome.

----- 

This will be an increased burden and cost on small companies like ours. For large corporations like Google, the increased cost is minuscule and of no consequence.

----- 

The burden these changes placed on small businesses is slowly making it harder and harder to run a business.

----- 

I work with a large number of small and disadvantaged businesses. Moving this certificate requirement to a much shorter timeline adversely affects these business who may not have the resources necessary to keep up with the added costs.

----- 

This would cause additional stress and burden on management, finance, and IT. It would also disrupt current process and add unneeded costs.

----- 

I think the minimum period should be at least two years.

----- 

Our primary concern is the certificates used for our RADIUS servers EAP authentications over 802.1X. Without installing a private CA on every client device (staff, faculty and student) we must use a public CA for the certificates. Whenever we change certificates this introduces a number of negative impacts on both our community and the support services that are offered to our community. Shortening the life of the certificates increases the frequency of these disruptions for our users.

----- 

This would be a financial impact upon our company

----- 

The only benefit I see, is that it forces companies to update their certificates when there's a change in security. But that should be down to the companies to sort anyway...

----- 

There does not seem to be sufficient benefit to justify the added effort.

----- 

There is no evidence that shortening an SSL certificate's lifespan further increases security and the process of renewing multiple certificates on more rapid time tables is onerous and expensive. Furthermore, I've had about enough of Google posing as the industry's un-elected leader/emperor.

----- 

Less chance of invalid certs slipping through and shortening the lifespan of certificates issues to sites with bad intentions.

----- 

This impacts IOT developers if their devices don't have a connection to the internet, but still need to use SSL and a browser based GUI.

----- 

This creates added workload for little security benefit.

----- 

It causes more hassle and expense. Validity == RenewalFeeDueDate

----- 

More processing to follow

----- 

Not all systems can be automated. Shorter validity means these systems need more attention or are forgotten, reducing security.

----- 

Too much work

----- 

If the trend continues we will need to update every week!

----- 

There is absolutely no advantage in doing that.

----- 

When you have a big company like ours you have a large amount of certificates, and keeping up with them is hard enough when it is two years. But at one year you would be forever replacing them.

----- 

This imposes a huge overhead of administration to inspect, renew and replace SSL certificates throughout the company's many, many websites and services.

----- 

We would also favor reducing it to 90 days.

----- 

Currently I don't have any automated processes to replace certificates, and having approximately 13 certificates to deal with every two years is time consuming as it is.

----- 

Placing this additional operational burden on businesses is not wise. There needs to be a balance here. 2 years is reasonable.

----- 

This offers no improvement for security, causes industry-wide disruption, and is driven by a desire of specific companies to control the industry, not by genuine need for reform for the benefit of the industry as a whole and the worldwide billions of users. It must be resisted in every possible way.

----- 

This adds an additional burden in administering certificates, and there is no benefit for us. Also I note that the companies proposing this change are very large and highly profitable, so they won't care about increased costs.

----- 

I don't see significant value in shortening the certificate lifetime from 2 years to 1 year. 2 years feels like a reasonable tradeoff for cost/complexity of reissuing and redeploying new certificates in an infrastructure vs. ensuring certificates are following the current best practices. If best practices are evolving so fast that 2 years isn't sufficient time for a transition, then that puts into question the whole model of certificate-based trust and whether we should even be relying on this technology to secure our systems to begin with.

----- 

too much extra work required

----- 

I am not convinced it will improve security.

----- 

where is the evidence that this will increase trust of certificates?

----- 

Mandatory certificates for sites that do not handle personal or financial data is bad enough.

----- 

We have a lot of old programs that have to have the Cert added Manually and can not be automated

----- 

It keeps my organization and others safer by not leaving dangling long running certs around.

----- 

Increased cost for no perceived benefit

----- 

In essence I oppose it. However reducing the validity could improve security

----- 

In essence I oppose it. However reducing the validity could improve security

----- 

Just increases the overhead, I'm already busy enough.

----- 

Reducing the validity time will make renewing certs a full time job over our huge enterprise. I believe if an organization wants to use 367 day validity, go for it, but leave the rest of us at 825 days.

----- 

When people do something infrequently, they do it "well enough", but when people do things frequently they find ways to do them well, which makes them easy.

----- 

When people do something infrequently, they do it "well enough", but when people do things frequently they find ways to do them well, which makes them easy.

----- 

It adds overhead to organizations running their own infrastructure, without adding any real security. If the risk is due to people misplacing certificates, having them expire every year or two doesn't change anything. If there is a cryptographic risk, expiration is again mostly irrelevant. Maybe it is just Google trying to push more people to their cloud offering, making life difficult for the rest of us?

----- 

Moving from 3 to 2 years was already a hardship. It takes lots of time to update everything, especially with a variety of platforms and multiple consultants needed.

----- 

This seems like a money grab to me, requiring certificates more often, for very little gain. 2 year certificates are not a large enough issue for the amount of work.

----- 

Automation of certificate renewal is very important and the shorter they are valid for the more motivation there is for automation.

----- 

We have encrypted all of our internal systems, as well as external facing systems. Updating certificates is already a burdensome exercise. If a certificate is forgotten it causes a service disruption. In addition, publicly signed certificates are needlessly expensive. Reducing the time for certificate renewals in this way will effectively double our certificate security cost.

----- 

It causes more frequent downtime, affecting business and our customers.

----- 

In the future, yes. But we are thinking it is very hard and also costs a lot when the certificates expire more quickly. It is because we have to replace the certificates by hand on most of our on-premise systems.

----- 

I see no reason to shorten the validity period.

----- 

I object to shortening the expiration of a certificate because I don't know why it should be done. However, even if it is shortened, the impact on the business of our company is limited since it is mainly provided for one year.

----- 

IT Change Control and Procurement Cycle of Certificates is approx 60 days at the moment,

----- 

Too many entities to take care of more frequently in an ever scaling down staff environment. Managing certificates itself will now be a bigger botheration.

----- 

We are a small ICT team. The job to replace the current wildcard certificate we use in all locations is a heavy exercise and not an easy one. You will have more of a case of people getting blocked from accessing sites as IT teams struggle to have to renew this every year in essence.

----- 

I strongly favor reducing SSL/TLS certificate validity periods. Code signing certificates and other certificates that aren't as easily automated would be a different story; but it's 2019... any business that hasn't automated the majority of their renewals by this point is stuck in the past.

----- 

If a certificate is compromised, it can always be revoked.

----- 

The costs of administration are too great with trivial actual improved value to our customers, our reputation comes from our processes and our degree of care, not from how often we change certificates

----- 

A cutback to 13 months only creates more work for the administrator. It does not bring more security. In addition, it has the connotation of money making.

----- 

We purchase hundreds of certificates with two year lifetimes. We also maintain our own internal CAs, and we process thousands of internally signed certs each year (2 year lifetimes) on top of the hundreds we purchase for external use. Despite what the various "automation" functions like Venafi claim, there are lots of manual tasks involved in renewing/replacing certificates, especially on many platforms not directly supported by such automation (for example, any cert usage on our IBM z-class Mainframes).

----- 

I don't understand why shortening the period will actually help security; it just increases the overhead of management.

----- 

No security increase. Increased inconvenience.

----- 

As a small company we can't have dedicated resources to keep track of certificates. Automation is usually too expensive.

----- 

First, detailed discussion should be done.

----- 

I feel that this will apply pressure to companies to automate their processes. Renewing certificates must not be a manual task.

----- 

It puts additional work load on loading new certificates and we cannot see how it increases security. We would rather focus more on our business and avoid unnecessary red tape.

----- 

This has an increase in cost and carries no significant improvements as this will have no impact on scammers engaged in illegal activities.

----- 

that wouldn't make sense. we provide SaaS service to clients and we'll have to replace the certificates every year which amounts to a lot of work.

----- 

This is a ludicrous idea. The maximum Certificate lifetime should return back to 3 years or 36 months, and the certificate revocation/validation systems in place should be used, with the extent of their use depending on the application. If certificates cannot be trusted for a period of time, why not force reissuance daily/hourly/real-time? Isn't the whole point that you don't need to contact a 3rd party in real-time?!?

----- 

Most certificates have a lifetime of two years. As automatic replacement of certificates still involves a lot of work. Certificates are also used for authentication (mostly SAML login for SSO purposes), not only a https website. Replacing a certificate also involves communicating the public key part of the certificate with other parties. The replacement has to be at the same time; not all companies are capable of using two certificates to prevent downtime of SSO login facilities.

----- 

Not every business has dedicated resources to manage and maintain security. Some of us have to juggle multiple priorities on multiple IT disciplines.

----- 

Too much overhead work now already.

----- 

While it is an additional headache to have to update these certs more frequently, the larger issue is with customers that integrate and do not use public root certs. Whenever a cert change is made, there are always customers that lose connectivity as they ignore the advance notices.

----- 

We are a small shop with limited staffing. This reduced duration would require additional time each year to refresh our list of certificates.

----- 

I favor reducing certificate lifespans to max 90 days.

----- 

I feel like it is just another way to squeeze more money out of companies for very little improvement on security.

----- 

Two years is adequate.

----- 

Not all SSL/TLS certificate deployments are intended specifically to secure a socket. In a self-signed certificate environment involving the workstation local loopback address, certificate deployment is less about securing the socket and more about complying with overly broad compliance/security policy. Such environments are common in the financial services industry and the proposed policy change would have direct negative impact on tens of thousands of legacy deployments.

----- 

It is not clear to me how this will increase security.

----- 

There is NO legitimate reason for it.

----- 

There is no benefit and major hardship created to shortening certificate lifetimes. It's simple for zero-authenticated DV certs and dilutes the benefit of authenticated certificates. I was involved with the creation of the SSL Protocol for the Financial Industry. The goal was to layer authentication on top of Encryption. This push to short-lived certs is simply a masquerade to move the industry backwards to non-authenticated certs that can be issued automatically without human review and authentication.

----- 

Oppose if it affects self-signed certificates.

----- 

Can't see any good coming from this change.

----- 

I believe that this will make browsing more secure overall.

----- 

There are many websites that are marketing-driven websites that now require a certificate to avoid the "not secure" message in several browsers even though the content does not necessarily need to be protected by a certificate. We have several websites like this where a 27 month certificate makes more business sense. I supported the move to 27 months because 2 years felt like an acceptable maximum. Tightening down to 13 months seems like overkill.

----- 

We have a small IT team, and replacing certificates more frequently puts a strain on our team.

----- 

We do not have the expertise or sophistication to implement automated certificate renewal routines, so this change will increase the risk of certificate expiry, which will impact our various web based communication systems, as well as increasing the workload and support costs to have these certificates renewed and installed.

----- 

I would like to understand the delta risk profile ; likelihood and impact, between the two options to validate the acceptance of the impact of the change. I cannot get any evidence from our security personnel of a quantifiable likelihood and impact risk benefit of moving from 2 years to 1. How much benefit to risk profile would this change provide.

----- 

I saw no merit in reducing the valid period from 3 years to 2 years. I see absolutely no justification to reduce the valid period yet again.

----- 

Security is a matter of levels. The weakest link determines the total level. The concept of levels of confidence should remain available within certificates as well: validity time difference is one aspect of that. Please don't fool users due to insinuating it is a secure environment by enforcing imaginary better security. In no circumstance should a client/browser deviate from well-defined standards like relying on certificate validity date.

----- 

No valid reason has been put forward. The only reason I can see for this change is a money making scheme. It makes it MASSIVELY frustrating for implementation and an administrative overhead small companies could do without. Put forward a valid argument for the change or leave it alone and stop messing about.

----- 

Already a burden to renew them every 2 years. The installations are in several machines and automation is not available for that.

----- 

Extra cost to the end user, greater inconvenience.

----- 

More unproductive work - more overhead with little gain in security.

----- 

For security reasons. Technology is leaping forwards, security should follow.

----- 

I would rather see larger ciphers; we put a lot of energy into securing, patching and monitoring servers. This also means detecting that something has happened in the case it did. In that case any length or any timeframe is not sufficient, and the cert needs to be replaced immediately and everywhere.

----- 

Reducing the certificate validity period increases IT workload and increases the probability of error associated with installing the certificates properly, in a timely fashion.

----- 

This simply creates more work without strengthening the security.

----- 

It is about replacing those certificates in many locations (starting at F5 published services, through individual services outside of our organization).

----- 

I feel that this will only cause more harm than good. I do not see how reducing validity times for a certificate will produce an increase in security.

----- 

It seems useless to reduce certificate validity - this will not improve security and create complications for users

----- 

It’s no big deal

----- 

Automation simplify is much more important than the certificate validity period. All certificate validity periods are too much work to do manually. So changing from 2 years to 1 would not require any significant change to operations.

----- 

Theoretically more secure, and as organisations need to renew certificates more often, the automation solutions will improve and in general people will become a bit more aware of certificates and what their role is.

----- 

It is a pain in the neck trying to keep up with the renewal of the certificates. We would rather prefer that it be pushed out as much as possible to decrease workload and hassles. People are apt to forget, resulting in lapses, and that is not good for business.

----- 

Often this process is repetitive, tedious, and manual. 2 years is a nice balance between convenience and security. If approved, it may lead to more sites left unsecured (HTTP), which would be bad.

----- 

I would have validity for 3 years.

 ----- 

Better for everyone.

----- 

The maximum validity period should be lower; 6 months is perfect.

----- 

Changing from 2 to 1 year certs is going to double the burden of maintaining certs on our team. Why not address the root cause of the issue (revocation not being enforced)?

----- 

Would encourage automated certificate replacement so lifetimes could be further reduced in the future to days.

----- 

This just seems to be an exercise to harass customers by both CAs and browsers. Why can't CAs have a stricter validation and based on that provide the necessary validity instead of a blanket one? Why do browsers bother about https security if a renowned CA has validated and certified; don't they trust the CA?

----- 

More added costs which will increase our client pricing, which could lead to clients switching to a competitor.

----- 

I want to go back to the 5 and 8 year lifespan!

----- 

While we use Let's Encrypt for most certificates due to cost savings, this idea is stupid. Especially for Windows environments, where automated SSL renewal is much more difficult, a one year standard would be a lot harder to comply with.

----- 

Customers should have the flexibility.

----- 

This system needs to be automated and simplified.

----- 

Fast updates are good for security.

----- 

SSL certs should be renewed automatically anyway, so this kind of forces customers in the right direction. E.g. the debacle with that one Italian CA which needed months to revoke bad certs shouldn't be a thing.

----- 

Our company has multiple servers and replacing all of them takes downtime.

----- 

This reduction better addresses issues with revocation and minimizes damage from any unknowingly compromised certs.

----- 

I see absolutely no change in security, helpfulness, or anything related to positive changes except to see when the website is still active or not and updated cryptography methods.

----- 

I STRONGLY oppose this. It is already a pain; we have never had a situation where we needed to revoke a cert. I don't understand why companies obtaining the certificate do not dictate the expiration time frame.

----- 

This causes unnecessary renewal/replacement of certificates to support TLS.

----- 

We are a banking institution and due to various security standards and procedures that we have to follow, the automation of certificate renewal and replacement is impossible. For example, new certificates must also be imported in IPS Systems/Web Application Firewalls, in order for the HTTPS Inspection mechanism to work and check the traffic for malicious requests. Also, due to failover mechanisms and redundant servers, changing the certificates is often a time-consuming procedure.

----- 

Shorter certificate lifetimes should be possible by choice, not by order!

----- 

2 years is already way too short. With the number of domains and systems impacted, reducing even further would create an undue burden in additional labor overhead and certificate costs.

----- 

Makes the web more secure; everyone should be using automation where possible and renewing them as often as possible.

----- 

I work for a nonprofit. SSL certificates are expensive, even with nonprofit discounts, donations, or grants, and we are required to have them to meet state and federal compliance regulations. And yet, most of our needs that require the certificates are inward facing. Reducing the time period only increases costs and overhead. There is no compelling business reason for us to support this and I believe that it may drive many smaller nonprofits out of business. Even SMBs will be affected as they'd have to pass on the increased costs in money and labor to keep certificates up to date for their clients. A lot of small businesses and sites can't afford it as it is; this is only going to make things worse. There are several user led forums that provide lively discussion and communities that cannot afford this, nor have the expertise to update their certificates, and they will close as more and more people will be unable to get past the certificate errors in their browsers. It'll make the internet even more controlled by big businesses and less user friendly.

----- 

Additional work/cost for no business benefit.

----- 

This change would add undue hardship to our very small IT team with little to no security benefit to us.

----- 

Every 2 years is short enough.

----- 

Places a burden on smaller IT departments.

----- 

We have a small staff, and keeping up with expiring certs and renewing them is a burden.

----- 

Most certificates have to be managed manually. It's an onerous process to update all off- and on-premise solutions twice a year. We often have about two months of overlap between the old certs and new certs. Reducing the life to a year would mean we begin the renewal process every 10 months.

----- 

Our purchasing process is very onerous and slow. There are a lot of hard and soft costs associated with each purchase and we try to limit them as much as possible.

----- 

Minimal incremental effort for some security benefits.

----- 

There is no benefit to this. It is only giving people a perceived security benefit and there is nothing that would benefit anyone, other than issuers of the certs that we pay for.

----- 

If certificates are known to be compromised, they can be revoked. This step down from 27 months to 13 months doesn't do anything else significant to secure the web.

----- 

That's really still too long.

----- 

This will create a significant amount of extra work for us.

----- 

We have 30 SSL certificates in use. The reduction of the maximum validity period will increase the resources we spend managing these certificates. Moreover, we're not sure of the improvement in security if the maximum validity period is reduced.

----- 

We have about 130 employees but only 4 devs and 6 IT staff. We have yet to revoke a certificate and reducing the expire time only doubles our overhead and maintenance. It would seem a better solution would be validating cert validity against the issuing authority instead of just waiting for them to timeout as it were.

----- 

Everything DigiCert says I agree with. Renewing is a PITA and I want to leave it at 2 years.

----- 

In my opinion, it needlessly increases the amount of work for IT professionals and it is probably going to impact certificate pricing as well -- while companies like Apple and Google do not need to be concerned with expenses smaller companies like the one I work for do. The validity of certificates should be in line with the validity period of personal identification documents. In most countries personal ID card and passport are valid for 10 years and that should be maximum allowed validity for a certificate as well. Those who are concerned about security are welcome to change them every day but at their own expense.

----- 

There is no benefit to reducing this validity period. Legitimate use of certificates will not benefit from this; it will just add more admin time to renew these certs more often, and the price will be more expensive since CAs cannot give multi-year discounts.

----- 

13 months is the right validity period.

----- 

Based on the amount of time it takes me to submit, get submission approval, get approval for purchase, validate URLs, purchase, install, and update, the reduction in the validity of a digital certificate would have a significant impact on my company's productivity and responsiveness to clients.

----- 

Security is the main driving factor for this change and I fully believe that this is the right way to go. As a responsible service provider it is a responsibility to implement a smooth and automated signing process, which effectively makes it irrelevant how often it should be done.

----- 

If the certificate is properly vetted when issued, there is no reason to question its continued validity.

----- 

Do not see the need. Would create a lot of extra time and effort working on domain certificates.

----- 

End-users should be given freedom & option to choose TLS/SSL lifecycle depending on per-use basis & internal decisions on security-cost analysis.

----- 

Long term SSL certificates are more appropriate for certain work loads; shortening the time discourages their use in locally hosted applications or internal applications, meaning sensitive data is sent over plain text.

----- 

Too many steps/too much cost to renew 3rd party certificates to update these on an annual basis. Use CRLs to revoke bad certs and simplify the process of deploying new keys before reducing the time period.

----- 

I see no technical requirement or reason to force this change on business. There are significant costs and complexities associated with Certification renewals. Massive organizations have entire teams dedicated to these processes, smaller entities do not and will not, this directly impacts their ability to adopt this proposed change which in the end of the day will cause them not to adopt meaning we will have more insecure sites.

----- 

Increased work due to frequent installation, difficulties in certificate management.

----- 

It's ridiculous, there is no proven security benefit to this, it is simply corporate giants flexing so that they can achieve a greater payday. They have their own CAs so it doesn't cost them a cent; for us certificates are not getting any cheaper.

----- 

Managing certificates for one company is stressful enough. Managing it for hundreds of customers, renewing every 13 instead of 27 months, would be killing us; we would have to hire additional employees.

----- 

It's nonsense. People will hate this idea as they do not like the current vetting process. They will choose Let's Encrypt instead of OV/EV certificates and this won't lead to any better security.

----- 

The increased administrative burden and substantially increased costs associated with the doubling of identity checks will discourage small businesses from using certificates wherever they feel possible and likely lead to a reduction in the use of SSL and therefore negatively impact security and privacy. Smaller businesses without the revenues to implement renewal automation (especially given its questionable ability to prove identity) will no doubt be more adversely affected than large corporations. The length of the tail on certificates poses no real issue around the retirement of legacy signing technologies etc. If security issues are discovered the Browser Forum offers ample solution to collectively agree to deprecate flawed technologies requiring the in-life replacement of affected certificates without the need for vast quantities of premature renewals by all users.

----- 

Completely ridiculous to do this, the administrative overhead is a real nuisance. Google more and more behaves like "we rule the world".

----- 

I strongly oppose further reducing the validity period of public certificates.

----- 

It's not practical to renew the TLS certificate every year. It's better we get 2 years to renew.

----- 

Shorter lifetimes mean more work in regards to replacing/maintaining certificates. Even a certificate with a validity period of one month can be used for the wrong purposes. I think we will be pushing off our customers.

----- 

Changing this timeline will increase the overhead on the IT teams and mean more non-compliance and added costs on organisations with large certificate counts. Also, there is a skill gap for the installation of the certificates across different types of servers, which delays the certificate installation for more than 15 days. Reducing the no. of days of validity will also increase the effort for verification processes.

----- 

I don't think this will significantly increase the security of TLS certificates. Only the rise of quantum computing that could break the current encryption standards could be a risk.

----- 

Reduction of certificate life does not increase security, but it does dramatically increase our direct IT expenditures in labor and end user impact for potential outages. Every time certificates expire, there is significant IT labor required in order to update and change those certificates.

----- 

Depends on the kind of certificate, and how we can update to later versions of certificates. If we can get a procedure/scripts similar to Let's Encrypt to work, we can have shorter lived certificates, because it is automated once set up. But if we need manual updating, they should be as long as possible, or else the work will not be done in a good way.

----- 

3 years was too long. 1 year is too short. 2 years is perfect. TO GOOGLE and consortium, let's start with a simple fact: SSL is not as important to everyone as you would like to believe it is. If you keep squeezing, you risk further alienating your audience. I personally manage hundreds of internal domains at my company and it's quite a workload since I have other duties that are considered more important to the business. The whole distrust process was extremely painful and confusing at my organization for teams that don't think very much about SSL. That's why they need me, but it's been very hard to manage and communicate this when SSL is not their top priority in the world. It would be a significant hardship on me and my dev teams to reduce the limit to 1 year. One thing is doubling the time spent. Another is doubling prod change requests. It's OVERKILL on the corrections that the industry made recently. Stop where you are, you already accomplished the goals. Well done. Linux Internal Operations Engineer at a large hosting company

----- 

I do not believe there is any practical basis for this change. We have never had a certificate compromised. Two years is a completely reasonable amount of time. This change will take excessive time to manage certificates and in the end will NOT result in better security.

----- 

A lot of work is needed to change certificates.

----- 

This won't add anything to the security of the sites involved. It just makes more work for the people maintaining them. I see no evidence that this would help in any way.

----- 

Ridiculous. The CAs are only in it for the money. The time this sucks up in support is stupid. Don't do this to the community. Get it together! This will not increase security, people, it will just increase our workload.

----- 

Increased cost and administration for end user.

----- 

There are plenty of deployments of SSL/TLS certificates for mobile applications which use the SSL pinning concept. Now certificates with a shorter life shall operationally be difficult (release new builds after every year) for our customers, which mostly are from financial sectors.

----- 

Most firms have a hard enough time with rotating the certs they currently purchase at 24 months. If Google wants to rotate their own certs more often, that's fine, they can do that. Most companies aren't Google.

----- 

It will cause additional workload for most companies. There is no legitimate reason for such a drastic shortening.

----- 

As with the previous reduction from three years to two, this further reduction shows no comprehension as to the impact such a change would have on smaller organisations. While the proposer (Google) is ideally placed to inflict extra work on small businesses at no significant cost to itself, expecting small businesses to pay for the work is unreasonable.

----- 

I believe the security risk will not be as important as the time consumed by each company to renew its SSL certificate each year.

----- 

Due to operational difficulties that will arise on the end-user customer side.

4. What would be the impact on your organization if the CA/Browser Forum approves a ballot reducing the maximum validity period for SSL/TLS server certificates from the current 825 days (27 months) at present to 397 days (13 months), effective for new certificates issued on or after March 1, 2020? (Existing certificates will remain valid for their full term).

Additional hours and expense would be incurred.

----- 

A significant burden costing us time and money.

----- 

It's just one more task to remember.

----- 

Significant in terms of time needed to replace certificates twice as often on over 500 and as many as 3000 workstations. Automation often fails due to security options required by DISA & FISMA.

----- 

Additional unnecessary cost.

----- 

This will significantly impact our workload in refreshing certificates across our organization, as well as vendors that provide services for us. We must purchase the certificates and provide them to our hosting vendor. This also includes installing the certificates on servers and within applications across our environment.

----- 

Minimal

----- 

We would need to renew anything that needs renewal next year before March 2020, and then try to figure out a plan/schedule for the faster replacements manually, unless there's some form of automation that can import renewed certificates to our firewall every time they auto-renew.

----- 

Increased workload on an understaffed department. This creates additional work and just adds to the possibility that something may be overlooked due to the fact that there are many certificates all expiring at staggered dates. It will be a constant burden to check at a much more frequent interval to ensure nothing is expiring. Smaller companies do not have the level of automation that larger companies do, not to mention dedicated resources to stand watch over this area.

----- 

Time that could be spent doing other tasks will be spent upgrading certs. Unless cert prices are adjusted it could possibly cost more for them.

----- 

We would have to switch to an automated system for updating certificates. Currently we utilize Citrix Netscaler, which DOES NOT support any form of automated certificate updates.

----- 

More trouble for not significantly enhanced security.

----- 

Spend more time and money.

----- 

It would mean more busy work for something that doesn't add value.

----- 

No impact.

----- 

In the short term, none, as my certificates all expire in June of 2020. In the long term it would mean having to replace the next batch of certificates sooner. As with anything, if you're doing one 'project' it takes time away from other 'projects', which could mean anything from documentation not being updated to delaying security patches.

----- 

More work to monitor and control renewals.

----- 

We have a small IT department; shortening the validity would require more time from IT staff that would be better utilized in other areas.

----- 

Significant.

----- 

A higher workload for I.T. operations staff. An increased likelihood of outages caused by certificates expiring. An increased likelihood of non-I.T. users seeing certificate warnings and ending up clicking through them, which will overall lower security.

----- 

Negligible impact.

----- 

Cost of renewals and DevOps work.

----- 

Even more pain, going from 3 to 2 was annoying. 13 months is even more onerous for manual systems. 

 ----- 

Some end users (customers who install and use our software) won't be able to install a version that is dated more than 13 months ago. Currently, we cannot timestamp our applications for technical reasons (Win 7 being one of them). Therefore, this will force us to invest time to fix this (already in the mid-term plans).

----- 

Increased maintenance costs.

----- 

Since we would have to manually update a long list of servers every 13 months, this creates a burden on our already overwhelmed non-profit IT department.

----- 

Additional support costs each year for each server that has external Internet exposure. We already do external security audits each year for the servers we manage. If the certificates pass the security audits they should not have to be replaced. ...and why 13 months? That is arbitrary as well. Why not every month or every week?

----- 

Increasing cost to renew the certificate.

----- 

Several days of lost work time per 13 months.

----- 

More work for a small overworked staff.

----- 

Additional costs.

----- 

Again, this would generate a huge burden for our IT department to renew all certificates that often.

----- 

If 397-day certificates cost just as much as 825-day certificates, then we will be spending more than twice as much money on purchasing new certificates. Whereas we have so few places where we use a certificate that we are unlikely to automate the process, having a shorter validity period might help us because it may be easier to remember the process once a year, rather than once every two years.

----- 

Increase in workload and overall cost to the business.

----- 

It would unnecessarily increase our work load and pursue other options.

----- 

Unnecessarily increased costs with very little benefit.

----- 

This would increase costs with renewals and man hours to manage the yearly renewals.

----- 

Within an organization where you work with 3rd parties key rotation is important. 13 months would be a good step in that direction.

----- 

Terrible. Now we have to pull people to do a stupid digicert update more frequently...Pay more money. NOTHING IS GOOD ABOUT THIS!!! STOP PUSHING AROUND THE LITTLE PEOPLE AND STOP PRETENDING YOU CARE!!!

----- 

This would be disruptive as it would require the rollover process to be done yearly. The rollover process is time consuming and having to do it yearly would decrease the amount of time in our maintenance windows to perform other projects.

----- 

None, we automatically renew most certificates. All other certificates are already on yearly renewal.

----- 

Just monetary.

----- 

Additional overhead and man-hours in managing certificates. Reduced efficiency.

----- 

More work for our techs. More things to track. I do not favor this change.

----- 

A lot of extra work.

----- 

Increased labor to renew and replace all certificates more frequently. In these days of HTTPS everywhere, it becomes more time consuming and costly.

----- 

Increased admin costs, monitoring and service costs.

----- 

Increased costs with installation and upgrade, downtime due to compatibility concerns.

----- 

It would increase work loads in areas where we don't have free cycles as it is.

----- 

Increased time spent on cert management, increased cost to the company.

----- 

Pain with no gain.

----- 

Reducing this requirement to 13 months would double the work for our staff to handle this within a two year period.

----- 

It would double the management effort to renew and deploy renewed certificates.

----- 

Not much I don't believe. Just rekey them accordingly at that time and get them replaced. Have auto renew in place and life should go on as normal.

----- 

My work load related to certificates would practically double if this ballot passes.

----- 

The impact on our organization would be minimal if provided advanced notice and a proper timeline.

----- 

The expense associated with the certificate renewal process would increase greatly. Other projects that had higher security benefits would have to be postponed.

----- 

More work. I'd look at automation options.

----- 

Creates a lot more work for me and for the 400 or so medical industry companies that use our services.

----- 

It would affect B2B transactions with many external clients who have to manually load certs in their systems. Some of these we now plan 3 months out because of the time it takes some just to get these changes coordinated internally.

----- 

Changing dozens of SSL certificates across hundreds of machines and applications is very tedious.

----- 

With Chrome and other browsers tightening security on self-signed certs and pushing companies to use public CAs for even internal web-based tools (firewalls, internal ticketing systems, intranets, etc.), the number of certs we've needed to manage has gone way up, and now they want to require shorter periods between replacement. Additionally, I've already been locked out of management tools that didn't support some newer technology and required me to install older, unsupported browsers to gain access, reducing our security posture. While well intentioned, this is creating an undue burden on small companies that don't have the staff and tools to adequately maintain these certs, and this will undoubtedly cause an increase in downtime due to certs not replaced on time and likely an increase in careless cert management practices as IT personnel rush to get certs patched more quickly.

----- 

Additional costs. Inconvenience to clients who don't even understand the purpose of SSL certificates.

----- 

We manage about 600.000 client SSL certificates. Many clients ask us for 3 years. 90% of our client SSL are 2 years now.

----- 

Likely, certificates will expire before being re-issued. Simply put, another administration burden to deal with every 13 months.

----- 

Not good.

----- 

This creates a tremendous burden for any organization that does not have full time or robust I.T. departments. It's more cost to hire consultants, more cost to purchase additional certificates, and more cost in terms of time and pain. The result will be that certs will expire and folks will just be asked to navigate around the browser warning messages, defeating the benefits.

----- 

Once again end users have a significant increase in operating costs at literally no benefit to them whatsoever. I'm not going to shill for Goodyear or Michelin here, but you know, tire companies haven't ever tried to say making car tires last half as long would be good for the consumer.

----- 

None at all.

----- 

None

----- 

We should upgrade all our certificates more often ... not really interesting for us. EV certificates need a long validation process and changing the maximum validity will lead to loss of time due to this validation. Automation is not available for this kind of certificate.

----- 

Time. Likely cost as well, but mostly time to verify a website address which has been valid for 20+ years ...

----- 

More time spent tracking and renewing certs.

----- 

we will remove certificates and go to von solutions

----- 

Increased workload to keep certificates.

----- 

We have MANY systems which use certificates, all expiring at various times throughout the year as it is, but every other year for each system. If I had to replace certificates on EVERY system EVERY year that would be a full time job. We don't have the staff or bandwidth for that with change management etc. added in. Now add in issue resolution when a certificate install goes sideways, that's now more staff involved, additional down time and bad PR to our customers. No thank you!

----- 

Nearly double the workload for nearly zero security improvement.

----- 

Some extra weeks of work to complete.

----- 

It would double our work.

----- 

We would have more motivation for increasing the amount of automation that we do, and in so doing be able to prevent more outages by removing the 'human error' from the equation.

----- 

More time spent managing certificates is not helpful for my organization and will increase costs.

----- 

None

----- 

None

----- 

We would need to increase our automation.

----- 

It is a lot of work to redo our certificates and we are relatively small as an organization so we would probably have to evaluate whether to continue to put SSL on all of our web servers or just ones that we felt had the highest risk.

----- 

Mostly the time required to manually request & update certificates

----- 

No impact; we don't use certificates longer than 397 days in order to improve the security posture of our org.

----- 

Minimum impact as the majority of the certificates installed within my organisation have a validity of not more than 180 days.

----- 

We are already short staffed and overworked. This just adds to our headache with not enough security to justify the additional work. Feels like a money grab.

----- 

Severe impact to server to server communications where the application server connects to multiple business partners, in some cases over 100.

----- 

In the future I will need to purchase certificates more often for my services, which will raise cost, as it is already high.

----- 

We usually spend a month preparing and installing new certificates every two years. This would cause us to waste an extra month.

----- 

More work, higher costs, more mess and pain, no gain.

----- 

The impact is unknown.

----- 

Costs to bring in consultants to update certificates for specialised apps, and risks involved in missing

----- 

Increased cost

----- 

There would be little to no impact because most of the renewals happen automatically

----- 

More work on our end when replacing the certificates.

----- 

Additional costs and administrative headaches for small businesses.

----- 

It creates another item to worry about more often. We have enough to do trying to keep a business running.

----- 

It will literally double the amount of time required to deploy and maintain certificates across our infrastructure and customer base. The previous reduction was similarly ridiculous and unnecessary.

----- 

Many of our smaller clients would be forced into costs that they might not be able to afford in the long term, making it harder to stay compliant with industry security best practices. This can include moving to self-signed certificates, or no certificates at all.

----- 

Confusion. There is no need to reduce any. having different cycles would make it worse. I thought Google was "don't be evil"

----- 

Having to manually renew the certificates more often.

----- 

Frequent changes to certificates for our RADIUS servers result in disruptions and issues for our user community connecting to wired and wireless resources utilizing 802.1X/WPA2-Enterprise. It also increases the number of tickets our support services sees following such a change due to these issues.

----- 

1. The expense of constantly renewing TLS certificates and manpower required to change out on a regular basis.

----- 

We'd simply automate the process. There would be no other effect that I can think of.

----- 

Additional work updating certificates in Amazon AWS and other dedicated servers. We have enough other work to do that this is quite annoying.

----- 

None

----- 

More work to continue replacing SSL certificates for minimal benefit

----- 

My renewals will all take place between September and November of this year, all will be given 27 month lifespans, and so I will not have to address them again until the same relative period in 2021, presuming I'm not forced to retroactively replace them before.

----- 

Nothing would change

----- 

A bit more admin, but also more awareness.

----- 

Little to no impact with current operations

----- 

It's going to make it a whole lot more difficult for customers to update the SSL certs themselves.

----- 

Potential outages, increased workload.

----- 

Have to renew more frequently.

----- 

I guess we'd just have to take it, wouldn't we. No doubt we'll be paying even more.

----- 

More processing to follow

----- 

Increase in workload as the devices that we have certificates on do not support automated replacement of certificates, and require the certificates to be in various formats.

----- 

More manual work

----- 

Creates more work.

----- 

We then have to use a lot of manpower to have internal and external certificates replaced.

----- 

I will have to renew certificates every year rather than every 2 years. This will not be a major inconvenience to us.

----- 

Large increase in work load, possibility for services to be missed causing outages.

----- 

Three (3) additional days per year in order to replace certificates in all our systems (including customer systems). Looking at the revenue we lose 3 days of work that cannot always be charged to the customers.

----- 

More work, higher risk of human error

----- 

More work, higher risk of human error / certificate not renewed.

----- 

It will reduce our security posture; more manual renewals could translate into more errors/missed renewal deadlines.

----- 

Large as we have to replace them on many systems and this takes time.

----- 

As said, a huge increment in manual tasks and man hours needed to maintain SSL certificates.

----- 

This will increase the amount of work required from our Team due to the reduced cycle window.

----- 

Increased cost for certificate management and anger.

----- 

This proposal would be a huge benefit to our company! In fact, we would benefit from an even more aggressive renewal time (120 days). Higher frequency renewals create a better ROI for automation. Such automation prevents errors, reduces customer support costs, and prevents organizations from accidentally not renewing a certificate.

OLD: Company installs a cert. 2 years later it expires. Nobody can remember who installed it or how to replace it. NEW: Knowing that a new cert has a short expiration, the company establishes a certificate inventory, documents update/upload procedures, sets up mechanisms to periodically check expiration dates.

OLD: Vendors create products with nearly impossible certificate update procedures, or procedures that require downtime because "who cares, the customer won't think about this for years." NEW: Vendors are forced to stop being so lazy or shirking their responsibility to do a good job of security and provide mature certificate management practices "built in".

OLD: Idiots set up websites and think they are secure because... you know... SSL! NEW: Idiots that don't need SSL won't use it, reducing the number of badly run SSL websites.

OLD: Hosting companies let users upload SSL certs (probably insecurely) and then deal with expensive customer support issues 2 years later. NEW: ISPs and hosting companies will not be able to offer SSL hosting services without providing mature certificate management. After investing in better practices, their customer support expenses will dramatically be reduced, saving everyone money.

----- 

Cost would be significantly increase to renew the certs that expire too soon.

----- 

It would double my work load.

----- 

We would have to spend extra time and money to either manually handle cert renewals at twice the current frequency or to stand up an automated system to do so. This would just be an unnecessary expense and distraction that is driven by the Browser providers.

----- 

Increased management activity with consequent risks of error. Increased cost. NO improvement for security!

----- 

Increased workload in manually replacing certificates on legacy web servers and mail servers.

----- 

Doubles our workload for certificate maintenance.

----- 

It would significantly increase the cost and complexity of having to manage certificates within my systems and applications, including a lot more expiration warning notifications from certificate authorities, etc. I use certificates with a lot of Windows applications that don't provide automated certificate renewal capabilities from public certificate authorities, so these redeployments are manual. Doing this every 2 years is manageable, but every year is excessive.

----- 

A lot of extra work across the enterprise

----- 

COST. Why should we pay more to be revalidated every year? I don't see that certificate providers are going to halve the cost of the certificate. More likely, charge the same for half the validity period. There is little to no security benefit since revocation is already possible for compliance issues mid term.

----- 

Medium impact, and we would prefer more time to plan implementation.

----- 

This change would have a huge impact on the very small team we have to manage our IT environment. We have many large projects scheduled to happen over the next few years; this change would take resources away from those projects, causing delays. Automating certificate management is something we would like to implement but it has not been given any priority at this stage.

----- 

Increased workload on managing certificate, for no real benefit.

----- 

Additional labor to replace several certificates and validate our identity when we have been in business since the 70’s when that labor could be doing other valuable work. Risk of certificates expiring unexpectedly.

----- 

We currently have three IT staff in total and enough on our plate without having to worry about services failing every year if certificates are not updated.

----- 

I have other corporate duties than only looking after certificates. The reduced validity length would distract me from them. These other duties include the day-to-day operation and also marketing of the business. Any reduction in time allocated to these duties directly affects my business.

----- 

More work; our environment may end up less secure as we will look at ways to take short cuts.

----- 

A net improvement, but no operational impact because we already renew more frequently, as should everyone.

----- 

Increased cost and would need to update certificates more often.

----- 

More work for us.

----- 

Increased workload

----- 

Increased workload

----- 

It is compulsory for us to have certificates to interact with Australian Government Border Force. This is an added cost in our industry. Reducing validity will add further cost to the business both in purchasing the certificates and managing the downloading and installing for staff.

----- 

It would provide further incentive for teams to automate cert renewal, which they should already be doing. There is a small risk of an unplanned outage, but there’s no excuse for that even today.

----- 

Increased cost and workload.

----- 

Major impact to productivity and time to market of products.

----- 

Once the current certs start expiring, SSL management would turn into a full time position. 

----- 

It would force people into adopting better practices for keeping their domains secured. It also makes people re-evaluate old unused domains more frequently.

----- 

It would force people into adopting better practices for keeping their domains secured. It also makes people re-evaluate old unused domains more frequently.

----- 

Significant financial burden on the time needed to update the certificates.

----- 

We have hundreds of certificates and would have to spend more time and resources updating them. While we have some good automation, it just puts a bigger burden on staff for very little gain.

----- 

Increase in operations to renew certificates before the cutoff date, leading to errors.

----- 

It would be minimal as we would switch more services to acme.

----- 

It will double our cost of certificate signing (both through the labour cost to update the certificates, and the cost to buy certificates). The change would also increase the risk of service disruption.

----- 

It will make renewal or re-issuing certificates very tedious as each time it can take up to 10 working days from initiating the process to finishing installation of the new certificates

----- 

It impacts our production systems by needing more frequent downtime, which affects our company's business.

----- 

We will have to replace almost all the certificates.

----- 

Increased monitoring costs, and likely increased costs for certificates over time.

----- 

Increase complexity

----- 

Increase complexity

----- 

The certificate provided as a service to the customer is not affected since it is a one-year certificate. However, some of the certificates used as service systems have been acquired in multiple years, so the impact is minor. Automation will be required to mitigate the impact, so it will cost money.

----- 

We have approx. 30 applications which use SSL certificates internally, so it doesn't make sense to reduce the max validity period.

----- 

Too many entities to take care of more frequently in an ever scaling down staff environment. Managing certificates itself will now be a bigger botheration.

----- 

There will be more efforts put towards the renewal of certificates

----- 

The price will rise.

----- 

It means more work for me and I don't see what the benefit is? Would it mean compromised certs would be less useful to hackers as a smaller window?

----- 

None at all, other than a happy dance in our office at the positive movement the industry is making.

----- 

Improved security due to increased rotation frequency. More organic opportunities to implement newer features such as dual stack certificates, OCSP must staple etc.

----- 

Increase in certificate maintenance costs.

----- 

Minimal impact. As we use AWS ACM, the need for manual work is zero.

----- 

It would double the work required to manage all the certificates that our company has in use.

----- 

Increased administration costs and actual costs.

----- 

lightly

----- 

A lot more manual tasks to replace certificates.

----- 

Unnecessary updates.

----- 

Almost no impact, since I have to renew in 2020 anyway, and in this process look into what automation can do for me.

----- 

We would have to renew "n" certificate for "n" services. Work that is additional. With already tight human resources anyway.

----- 

We have barely enough people and time to support changing certs across all platforms every other year, and get done all of the other security required changes necessary to keep our businesses running smoothly and securely. With a two year cycle, we have 3 months before expiration to schedule cert replacements, which barely allows us enough time to notify our partners, vendors, and customers that cert updates are being made (it's not necessarily invisible to them) -- we change half of our certificates one year, and we change the other half the next year. With a change to 13 months, then we're changing thousands of certs every year, which effectively doubles the work our certificate handling people have to do (meaning they have no time to work on anything else). All this does is create Churn and introduces risk to our industry, as it becomes MORE likely to cause a major outage if a cert expires and has not been replaced in time.

----- 

Effectively doubles the workload in replacing and managing our certificate estate

----- 

No security increase. Increased inconvenience.

----- 

More effort to update TLS certificates for our services!

----- 

Minimal impact

----- 

More work

----- 

This will dramatically increase our efforts and costs

----- 

Short duration for adaptations. Most likely higher regular effort.

----- 

We would have to automate renewing certificates. But even though we have many domains, I feel it should not be a big problem.

----- 

We don't have sufficient automation in place to handle this and make copious use of certs in our core service offering. I don't see a sufficient security benefit to this move.

----- 

It puts additional work load on loading new certificates and we cannot see how it increases security. We would rather focus more on our business and avoid unnecessary red tape.

----- 

We would need to renew our certificates more regularly and we would have a cost increase.

----- 

Additional expenses.

----- 

Increase costs, increased risk, increased downtime.

----- 

- More work, more downtime on SSO SAML login facilities.

----- 

More administrative work.

----- 

As we have multiple vendor systems that require our certificates there would be a significant impact on my time each year as not every system supports automatic renewal of certificates.

----- 

As a small company this is just another drain on time. It's all good and well if you have departments of people looking after these things, but for small companies with limited resources this is just another drain for little benefit.

----- 

A two year cert is not less secure than a 1 year cert. Having to replace certs more often also increases the risk of mistakes without a clear benefit.

----- 

It would cost a lot of money having to buy certificates twice as often.

----- 

Even more work for the already overworked team.

----- 

More frequent update of the certificate, translates to more downtime.

----- 

None.

----- 

It may lead to less security due to not realising/remembering a shorter validity period.

----- 

More time wasted on upgrading systems and customer downtime.

----- 

We have a number of certificates that are applied to intricate applications. This would put a financial burden on us to engage with each software support on a more frequent basis to refresh at the accelerated frequency.

----- 

None

----- 

Hassle of updating the certificates more frequently. Possibility of missing an update and leaving customers and employees unable to complete a task until the issue is corrected.

----- 

Inconvenience, missed renewals.

----- 

Too much trouble to replace that often, and at what security benefit?

----- 

None. It would be more secure to browse the internet. Fewer release-and-forget certificates.

----- 

I feel like with certificates expiring at different times of the year, it will be a monthly task to go and replace certificates, which is already a boring and mundane task.

----- 

cost and potential outage

----- 

Doubles workload for public facing CAs.

----- 

Initially the impact would be minimal IF effective only for new certificates. However as we are seeing today with the new MacOS beta, legacy certificates are being impacted, which is simply unmanageable and unacceptable.

----- 

It will increase the frequency of operational work required.

----- 

We support a number of customers who use a variety of certificate providers or a variety of platforms, so it would effectively double the time we spend renewing certificates.

----- 

It would double the amount of time and labor we now expend on replacing certificates every two years, which already increased by a third after cert lifetimes were shortened from 3 years.

----- 

We would need to rewrite our product's SSL support. The self-signed certs are a hard-requirement and reinstalling them requires elevated privileges.

----- 

A lot of maintenance on the infrastructure, because we use a (*) certificate.

----- 

We will experience a modest increase in renewal activity, offset by better customer engagement on security.

----- 

None, we use another service to manage our SSL certificates.

----- 

The impact would be low-to-medium. The impact would be coordination with our engineering teams to renew/install the certificates more frequently. We currently do not utilize any automation; we are beginning to analyze the best options for the price. Other security initiatives are more important than automating certificate renewals.

----- 

This is just extra work and accomplishes nothing. It means wasted time. There are already OCSP and CRL, so what's the point of this? It's just Google boiling a frog.

----- 

More pain on a yearly basis. And the pain would be multiplied if the renewal term fell in the middle of our "Tax Season" because of the disruption to highly utilized systems during our busiest time.

----- 

It's just another thing to manage for a small, web-based business and something that could potentially be disruptive. Especially when considering that our service is connected to other downstream services that require TLS that would be broken if either we or our downstream provider let a cert lapse.

----- 

We do not have the expertise or sophistication to implement automated certificate renewal routines so this change will increase the risk of certificate expiry which will impact our various web based communication systems as well as increased workload and support costs to have these certificates renewed and installed.

----- 

In simple terms, it would double the work effort and cost. And the question from our business functions will be what do we get for that cost, e.g. does it halve the likelihood of exposure?

----- 

It would double the work load to update the various devices that have certificates with no value added. If something has to be touched twice as often, there is twice the opportunity for something to go wrong. There is no reason to impose this additional workload and chance for error.

----- 

Without any automation in place, the organization will have a work load and cost that may not be worth the effort.

----- 

We will look for alternatives, including the possibility of not using certificates at all for less critical purposes.

----- 

More man power to maintain the certificates. More money for renewing the certificates.

----- 

The impact is an administrative overhead all the time just updating the certificates. We don't have the time, inclination or manpower to reduce this time frame down to 13 months. There's no logical or valid reason for the change.

----- 

More work every year to just change them. An estimate would be 5 full working days.

----- 

None

----- 

Cost, time.

----- 

Customers need to update more often

----- 

None

----- 

More workload for updating certificates

----- 

We would have to do twice as much work (in the long run) and we would be down, due to expired certificates, twice as often.

----- 

No impact whatsoever

----- 

Creates more work for an already understaffed team

----- 

We will adopt as there is no other option. But on the other hand, a decision like that improves security minimally and doubles troubles, if not more.

----- 

It will impose an unnecessary burden of monitoring and updating our SSL certs. Additionally, manpower will have to be redirected to monitor and update the certs. This is unreasonable.

----- 

More of my time would be dedicated to replacing and renewing certificates.

----- 

It used to be easy when we could buy 3 year certificates and just set and forget it. The infrequent need to carve out a time when it was convenient to renew the certificates worked perfectly with our staff of one and a half IT people. Now we're working toward using third party hosting for our web servers just so we don't have to go through the pain of managing the certificate renewals ourselves.

----- 

It will create more work obviously, for the technicians who have to rekey and install new certificates. It will also create more opportunities for downtime if we miss an expiration.

----- 

This would cause an immense amount of unnecessary administrative overhead.

----- 

This reduction in validity will double our work time to replace all of our applications running at our clients facilities due to shorter delays. This will be really uncomfortable.

----- 

No impact

----- 

Minimal impact.

----- 

Positive impact because I would be protected from revoked certificates still out there.

----- 

Force the automation of certificate management, which ultimately will reduce overhead and increase the security

----- 

Nothing significant

----- 

Just more workload with no justifiable benefits. The less bureaucracy, the better.

----- 

Twice as much time spent on a process that is often not very straightforward.

----- 

More administration work required more often

----- 

Too much hassle to manage and monitor all your servers that require SSL/TLS certificates to be replaced every year

----- 

None. Just better

----- 

We will be moving to free and automated certificates wherever we can. It's going to be hard to manage everything by hand. We are concerned about the security element of automation.

----- 

Higher cost in terms of renewals and staff time

----- 

As we manually renew all of our certificates, significantly more work would be placed on our team, potentially leading to missed renewals under periods of high workloads.

----- 

Extra maintenance required

----- 

Positive security impact, as CRLs we have to deal with will be smaller

----- 

We would switch to automation via ACME where possible.

----- 

I will need to fund additional man hours for what appears to be little to no significant reduction in threat to the internet ecosystem. If the proposal were for the greater good and the safety of consumers then I would gladly be in favor of some change.

----- 

Increased maintenance.

----- 

We would adopt more automated systems to manage certs. Even with 2 year certs we have some systems occasionally expire, as they are reliant on manual updates. We need more automation, and once complete, reissuing monthly would be just as easy.

----- 

We are an educational organization in a high-poverty city. We already have a shoe-string budget that we have to do more with every school year and while the savings we realize by purchasing our certs every 2 years is a small fraction of the budget, every dollar counts in our budget. I'm not sure what exactly we would do if this were to happen, but I could see us revisiting the services we make available to our community through the web and pulling things back behind our firewall, making them accessible only from our network. I'm the sole sysadmin in our organization and since we don't have wildcard SSL in place, I could foresee myself spending a great deal more time on certificate management on an annual basis over what I already spend with 2 year renewal management.

----- 

Huge attention requirements and quality of service might go down.

----- 

Added costs, potential loss of clients, SSL sites expiring too soon.

----- 

I would have to look into an automated system, otherwise it would be over 100 additional hours a year.

----- 

Minimal

----- 

No for us.

----- 

Readiness of the clients, reissuance of the new certificates will be problematic and a lot of hassle if we have to do it every 12 months.

----- 

Nothing

----- 

No impact.

----- 

No impact

----- 

None, we renew automatically

----- 

Automate certificate renewal for all sites

----- 

I need to hire more people just to maintain it.

----- 

More time managing the certificate's renewals and expirations, time is money for MSPs

----- 

After a review by our security and operations teams, we see no appreciable impact.

----- 

Will cause downtime for government users during transition.

----- 

More things to worry about sooner. Just a pain in the ass.

----- 

I should not have to pay ~$120 for a SSL that covers my domain/subdomains every year. An SSL certificate should be an easy and simple process that keeps my customers safe, not something that becomes tedious and costly per year.

----- 

Having typically used EV SSL Certificates, the apparent costs to revalidate business credentials involved in setting up and/or if automated renewal is an option, the cost to verify automated set up has appropriately executed.

----- 

It would cost us twice as much labour to manage our certificates.

----- 

This would add significant extra cost, as we currently need to engage external contractors to perform the certificate replacement on some of our servers (about 50% of them).

----- 

More overhead in certificate management. 

----- 

We need to hire more staff as more SSLs would need to be replaced more often.

----- 

We would have to schedule and implement certificates more frequently, causing additional work and downtimes.

----- 

It would increase cost and workload.

----- 

The administrative efforts would be increased after the implementation of this change (reducing the max. validity limit) but we would not compromise on the security of information assets.

----- 

We may have expired certificates

----- 

Greater management cost, both monetary and man hours.

----- 

Requiring to change all certificates every one year will introduce additional workload and in our opinion it will not decrease the information security risks of the organization (but will increase it instead). As compromised certificates (i.e. stolen private key) can be revoked, the organization is protected against unauthorized use of certificates. Then, CAs and web browser vendors should focus more on how Certificate Revocation Lists are updated and enforced.

----- 

More work

----- 

It would increase the amount of maintenance to change the certificates, and I don't trust the automated tools by any company. And I don't trust that the browser developers are seriously concerned with security.

----- 

We would have to replace all our certificates every year. This requires coordination between several application teams, developers and operations. The additional time spent on this is lost for other tasks that actually generate added value.

----- 

We have a 2 year cycle for our services that we have to do manually. Changing this will make the change need to happen every single year so we'd have to put double effort.

----- 

It will require more administration until we get automation in Place, it will cost more and take time, many services are not ready for this yet, it will be some hassle until all vendors support automation.

----- 

Delicate and complex operation.

----- 

We have a lot of servers with different issue dates. 13 months is too short!!! We have other things to do!!

----- 

Extra costs (27/12 times the cost of current certificates) * extra manpower needed to get the certs & install them (also costs).

----- 

With the number of domains and systems impacted, reducing even further would create an undue burden in additional labor overhead and certificate costs

----- 

There would be no impact due to automation tools in place

----- 

Our IT department is small and the time to devote to updating certificates would actually take away from other work we need to do to ensure uptime. Our network is otherwise protected with a patching schedule, firewalls, website filtering, and antivirus. The increased costs and time in labor to update the certificates would be a major inconvenience and increase the reputation of IT being a money pit.

----- 

Additional work/cost for no business benefit

----- 

Spending time we do not have to renew certificates on our servers would cause us to put off other, more important work.

----- 

I believe this would substantially increase our certificate management workload and costs (as we'd have to renew more frequently) without any measurable increase in security.

----- 

Places burden on smaller IT departments

----- 

Greater costs to maintain shorter expiration times.

----- 

No impact, we already issue only certs with validity <1 year.

----- 

More work on our end to ensure that users who need access to sites that require these certificates are up to date and fully functional.

----- 

Time and resources needed by a smaller organization to manage multiple certificates both through the renewal and verification process and the installation/rotation of certs.

----- 

It creates more work for our staff and will lead to downtime as we will probably miss doing some renewals in time.

----- 

It means we will have to spend more time and resources manually replacing certs. What used to be a process that was done every 22 months, we'll have to begin doing every 10 months.

----- 

Costs to taxpayers will increase without any well-articulated benefit.

----- 

will have to renew every year instead of every two years, but it's not a big deal and can be automated; it also reduces our risk exposure if a certificate were ever to be compromised

----- 

We would have to spend more time each year replacing the certs. This would probably involve hiring a security specialist that would manage our certs and make sure it is done each year. Currently it is a shared responsibility that we manage as a team, but something like this would require more time to make sure it is completed.

----- 

It will double the amount of human time spent maintaining SSL certificates. The actual amount of time that represents for us is hard for me to quantify unfortunately as I don't have visibility into the total number of certs our organization maintains.

----- 

Extra administrative hassle/headache. Some certs would get missed.

----- 

It is already onerous to replace the certificates (a thousand, give or take).

----- 

An extra 40-80 hours of workload per year.

----- 

None at all

----- 

As a small organization we have a hard enough time tracking certificate renewals every 2.2 years. Having to replace them annually would add to our administrative overhead and lead to more workload on our admins.

----- 

Significantly extra work as all certificates are manually renewed and replaced. Increased chances of certificates expiring and causing outages.

----- 

We have 30 pcs SSL certificates being used. The reduction of the maximum validity period will increase the resources we spend on managing these certificates. Moreover, we're not sure of the improvement in security from reducing the maximum validity period.

----- 

It would double the time we spend maintaining our digital certificates. Some systems are unable to support newer certificates. It would halve the time we have to migrate off these systems. For example, SHA256 was not supported in earlier versions of Java. When SHA1 certificates were no longer able to be purchased, we were forced to drop other development work to migrate our systems.

----- 

Shorter validity means extra cost in renewing certificates and re-signing all my applications - for no added security as far as I can see.

----- 

For many of our customers, getting through the approval process for renewing a cert can be quite time-consuming. Often taking 4-6 weeks. The renewals would no longer be able to be "staggered" with 2 year certs expiring on alternate years, so the demand would be constant. Having to do this every year, for hundreds of certs is going to effectively double the workload of the employee who renews them. If this passed, a dedicated employee would be the only way to manage the increased workload. And being a small business, having to dedicate significant time and resources for this is simply something we cannot afford to do.

----- 

We have certificates on roughly 35 different servers/applications. Each takes time to replace the certificate... time we could spend doing other things. We are a small organization and this is time we simply do not have. I would actually rather we could go back to 5 year certificates.

----- 

A lot more wasted days as we are already stretched thin this only adds to the workload with no benefit.

----- 

more shit has to wait to get done while i go through worthless renewal process

----- 

In my line of business it is not always possible to replace certificates on a whim and not everything can be automated. In order to attempt to automate future certificate changes we would need to purchase or develop new in-house tools for this purpose because existing tools would not work for our use case.

----- 

More manual work to replace certs more often.

----- 

Without sufficient automation, shortening the maximum validity introduces a significant amount of recurring manual work to keep multiple secure certificates up to date.

----- 

We are an MSP and manage a lot of clients, the 3 yr to 2 yr drop has already significantly increased our admin time with all the renewals for certs that we manage, if it goes down to 1 year, we will have to employ a full time body just to manage cert renewals.

----- 

significant reduction in sales and the impact of jobs being eliminated

----- 

This would increase the burden on our clients to renew, and our company to have to install/update/reissue certs

----- 

None, we have all processes in place.

----- 

Increased overhead on renewing multiple clients yearly Possible downtime for missed/lapsed certificates

----- 

In my opinion moderately significant

----- 

An increase in administrative overhead

----- 

Nothing much. We have seen this coming long ago and acted accordingly.

----- 

This change would nearly double the workload that we currently spend on certificates.

----- 

Lots of workload with no advantages from this ballot. The security question is just a speculation.

----- 

increased maintenance tasks to maintain certificates.

----- 

It will nearly double the cost for certificate based security. That is unless CA’s will reduce the issuing cost accordingly for the shorter term.

----- 

Would generate a lot of wasted time and effort for no conceivable reason.

----- 

Generally, IT projects have a lifecycle or maintenance period of 2 to 3 years. Majority of turnkey hardware and software have options of initial 1 to 5 years lifecycle. By limiting SSL/TLS lifecycle to 13 months will cause unnecessary cost burdens on procurement & re-installation process for certain projects.

----- 

Fewer customers will purchase them as the implementation cost would double (twice every two years instead of once); they may switch to our automated Let's Encrypt solution or not bother.

----- 

Higher costs on certificate management (validation, installation, others). Also, more demand on cheaper, poorly-validated certification authorities.

----- 

Lost production time for the hundreds of hours it would take each year to replace certificates annually instead of biennial

----- 

Dozens of updates per year.

----- 

Will cause a significant increase in time spent renewing and managing certificate expires for all our customer base which will incur increased costs to all of them.

----- 

The extended validation is often painful and takes considerate amount of time. With 13 months validity, we will have to help our clients go through this process more often. It will effectively double our work since we will have to help renew certificates twice as often.

----- 

Difficulties in Certificate Management, Increasing Costs for Certificate Management

----- 

INCREASED COST AND MAINTENANCE

----- 

This would cause a lot of work for us, because in devices the certificates cannot be replaced automatically easily. We don't see the additional security benefit in this.

----- 

It simply doubles the amount of time spent surveying and renewing all our public certificates.

----- 

We will have an additional cost of replacing certificates on servers which cannot be automated. In Czech - and central Europe in general - we are lacking automation of TLS certificate deployment.

----- 

The increased administrative burden and substantially increased costs will likely lead to a reduction in the use of SSL and therefore negatively impact security and privacy not to mention profitability.

----- 

making web building experience much more difficult and costly reduce interest in supporting other various services and make updates became a hazard once every 2 years to have the feeling of always are needing to catch up

----- 

A lot of extra work, without additional security benefit.

----- 

This would dramatically increase the technical support effort (double, in fact) for our company, as well as for all the customers we support for their public cert infrastructure.

----- 

It will add tremendous work load.

----- 

The customers will be required to keep track of renewals all year long when there are more than 1 certificate. This will definitely bring more load on the customer IT teams, partners and the CAs.

----- 

A lot more work on maintaining certificates

----- 

Process Impact: More non-compliance.
Financial Impact: Regular penalties from regulators in case any certificate renewals are missed. Small companies will opt for free SSLs.
Security Impact: Gives perpetrators one more loophole to breach the organisation by faking the renewals or expiry of the certificates.

----- 

increasing IT certificate support workload by 50-75%

----- 

No Impact. We generally only purchase certificates a year at a time anyway.

----- 

No hard effect, we just have to renew certificates annually instead of bi-annually or per certificate lifetimes. Added work burden of course, but the automation of operations makes it a non-issue.

----- 

Our IT costs with regards to certificates management doubles. Google and Apple do not care about 99% of businesses that are SMB. We do not have hundreds of software developers on staff to setup the system to manage certificates via APIs. Further many systems are not possible to manage certificates via APIs. By forcing this, it is going to push people away from external CA verifiable certificates and towards self-signed certificates with a 30 year lifetime.

----- 

Right now, huge impact and lots of extra costs; just having to change every certificate for all our customers every year will make it so much harder to work and sell certificates.

----- 

A small increase on support

----- 

It would be a significant hardship on me and my dev teams to reduce the limit to 1 year. One thing is doubling the time spent. Another is doubling prod change requests. 

----- 

It will obviously take twice the time to manage certificates. It will also make our wildcard certificate impractical to use.

----- 

It would put more work on keeping certificates valid.

----- 

It would double the existing work that we do for certificates. Half our customers don't even know when they bought the certs that have now, and this will just add to the scramble to fix certs.

----- 

The extra workload to maintain renews so often.

----- 

The customers will not be satisfied

----- 

The impact is exclusively negative.

----- 

I don't even want to think about the impact this will have. We have trouble keeping up with the 2 year schedule. C'mon, stop this nonsense.

----- 

a lot more work/cost to have to update SSL/TLS every year as opposed to every year, for a small business, this is a big impact.

----- 

Increased sales

----- 

As such there is no impact as long as the certificates are deployed on application/web servers and this effect occurs worldwide and if all the CAs have to follow it.

----- 

Multiple clients will have multiple problems related to certificate expiration. Often causing site wide confusion and work disruption more often than already does occur.

----- 

As a reseller, we will have a lot of angry customers and will possibly lose some of them.

----- 

Costs would increase greatly, not just the certificates' cost, but more importantly the work involved in implementing them. We support many disparate systems at our customers and the work involved in keeping them up-to-date on an annual basis far outweighs any perceived benefit. While this could be looked on as an opportunity to charge more for our services, it completely ignores the fact that our customers should not have to pay for something with little, if any benefit. No doubt there is an undisclosed motive behind this, where Google will attempt to harvest more confidential data at some point.

----- 

Our organisation only supplies our customers with 1 Year SSL/TLS certificates currently. Therefore we would no longer have to explain our reasoning for using this over 2 year SSL/TLS certificates to our clients.

----- 

As you know, renewal of an SSL certificate is time consuming until the authentication steps are completed for the client as well as for the reseller. Think of doubling that time as you will need to renew each year. Also the cost for a 2 year renewal or new certificate was lower than one year.

----- 

More work to renew the certificates more often without any benefit in terms of security. The reasons mentioned to justify the reduction make no sense for our company.

----- 

Required effort and costs will rise.

5. Under the proposed ballot, an organization and its domains would have to be revalidated every year instead of every two years.  Do you believe the added security from revalidating this information every year is worth the cost of revalidating this information every year?

Sounds like a blatant cash grab!

----- 

This effectively doubles our administrative overhead involved in revalidating all the domains we have (over 200 at the moment). Most of our domains don't have email associated with them and can't be revalidated via email. We have to fall back to using DNS TXT record validation which is currently a manual process. The manual re-authentication process can potentially delay issuance of certificates that are coming up for renewal and cause these certs to expire, which causes even more security issues than what this is intended to solve.

----- 

More administrative overhead for larger organizations means we will go our own way and drop known CA's.

----- 

Breaches don't come from breaking certificates; they come mainly from poor SQL coding, XSS and poor WAF installations.

----- 

This ballot and the change of the revalidation period does not increase security as long as malware like Retefe is able to install fake root certificates in a user's truststore. This is a farce, what's going on in the CA/Browser Forum.

----- 

In my opinion it sounds like madness and just sounds like security people like to have more work!

----- 

As I know, revalidation is free of charge for the customers. More often revalidation will cost only additional overhead but not the money

----- 

Cyber-Agility progress will be stunted if we're constantly having to renew certs. There needs to be breathing space to plan for many implementations.

----- 

With the improvements made by Digicert to the DCV method, this should not be an issue.

----- 

But other improvements could be made to these processes

----- 

This change seems to provide more than lowering maximum validity to 13 months.

----- 

There are much better things to do with my time than to keep gathering the information required for domain and organization validation.

----- 

I think business revalidation is the place to start.

----- 

This is an unnecessary extended cost when domains are normally purchased for 5 or more years and do not change ownership without significant effort by both parties involved with the change of ownership.

----- 

[Redacted] NO

----- 

Either the certificate is secure or it isn't, I see this in the same scenario as password expiration policies which isn't really recommended any more.

----- 

No, this is a stupid idea.

----- 

No, this is a stupid idea.

----- 

There are much bigger security issues that need to be tackled. This really doesn't make much sense.

----- 

What does this really accomplish?

----- 

Depending on where the certificate expiration lands this could also happen at really busy time. With two year certificates there is a lot of time near the end of the certificate life to plan out when you want your next certificate to expire. 13 month certificates, not so much unless you expect businesses to buy two 13 month certificates in the same year.

----- 

The added security is not worth the hassle involved in updating all the places our certificates are used

----- 

I see no valid security added in doing this.

----- 

Organization should have choice. Under the current system, if an organization wants a period shorter than 825 days they can select that or renew certificates early. This ballot initiative removes choice and flexibility, forcing one way of doing things, which is counter to the ideas of the internet and technology.

----- 

Strongly disagree that the reduction improves security for our systems.

----- 

There are so many other holes in the Internet's security regime, this would not be any kind of panacea.

----- 

I wear many hats here and this will cause an increased workload. I will constantly having to be monitoring my certificates and getting them renewed. I'm afraid with this limited timeframe I may miss certs which would cause a worse security posture than current.

----- 

We need empirical research.

----- 

Don't care.

----- 

The likelihood is that users will be less likely to want to use certificates than they already are.

----- 

It can be automated to near-zero effort, it's a positive change.

----- 

This reads like so much bad legislation: Lets change this in the name of "security" with no evidence or expectation it will hinder bad actors, but will certainly impact the good guys. I have seen NO EVIDENCE that this is of any benefit to legal consumers. Is this a money making scam?

----- 

I don't believe that this adds any security at all.

----- 

How about dealing with the root problem of how a domain is stolen in the 1st place instead of half way measures that shift the burden to organizations that properly maintain their domains & certificates?

----- 

We own a .ORG domain, which is even more difficult to validate than the average domain since our information is not available in public records. We have to perform additional steps just to validate our domain.

----- 

I don't actually think this would improve security. I think it makes people feel better about it, is all.

----- 

Domains change ownership more frequently that certificates are issued.

----- 

I can honestly think of no cases where an improperly validated certificate stayed online for over a year, most of these types of sites last months at most.

----- 

Google itself would be better off utilizing its resources to better identify/verify its customers' (email accounts) identities.

----- 

Not at the moment with the level of automation in the vast majority of I.T organisations, Google and Apple will be fine with this as they have the engineering resources to cope, smaller organisations not so much.

----- 

It is not worth it for any of my small business clients.

----- 

I see no benefit in such short timelines, only added burdens on small organizations.

----- 

That's just not logical and practical anymore; the responsibility should lie on the certificate authorities and they have to revoke misused certificates. The frequency of revalidating doesn't help at all. Cheaters would then use such a certificate just for 1 year instead of 2 years, so hell, how should this improve the trust in issued certificates?

----- 

Will this help cut down on phishing scams?

----- 

Link revalidation to the organization's age so long established businesses revalidate less often.

----- 

Process to obtain EV certificates need to be improved.

----- 

See above

----- 

Absolutely not.

----- 

Companies do not change, they just go away...

----- 

I see absolutely no benefit.

----- 

Two years is a reasonable period to manage security certificates. We try to have the renewal of our services as extended as possible; we contract domain names for 20 years to minimize management effort, and we were contracting security certificates for 3 years for the same reason.

----- 

I believe costs for the SSLs should go down by 1/2. If you are getting 1/2 the value you used to get, you should pay 1/2 the price. This keeps the balance and is fair.

----- 

Sufficient security measure are already built into the certificate and certification process to stay ahead of malicious entities.

----- 

Sufficient security measure are already built into the certificate and certification process to stay ahead of malicious entities.

----- 

The cost is not only measurable by the dollars spent on revalidating, there is also a time cost.

----- 

I am not sure because I don't know about this process. I will say I would rather the expense of the certificates increase instead of me having to replace them every year. If we can re-validate WITHOUT renewing the certificates then I am in favor of that.

----- 

Scammers will adjust. The fact that scammers can get domains and certs illustrates that the validation process is weak regardless of the term of the validation.

----- 

While well intentioned, these aggressive security changes being proposed/made may work to improve security at a reasonable cost and workload for LARGE organizations like Microsoft and Apple, but to much smaller organizations, these changes just introduce a significantly increased burden and expense while marginally improving security.

----- 

I would rather assume the risk of having a certificate with a longer validity period than not. Do not understand the security risk that is implied with long validity periods and believe it is tied more to an organizations risk profile. A blanket rule like this makes no sense.

----- 

Security certificate sales are pretty close to extortion already, no need to make things worse.

----- 

We have owned these domains for 20+ years. Why suddenly do we need to validate every year.

----- 

Revalidation could occur as often as the CA would like for certificates whether they be 2 3 or 4 years. There's an existing revocation process, and browsers check CRL today. Why is that not sufficient for validation/revalidation purposes?

----- 

There is no benefit to validating every year.

----- 

Revalidation of our EV org information is not very onerous for us (we had to do it once every few months during the transition from Symantec to Digicert for some reason and it wasn't a huge bother....)

----- 

I think smaller organizations would be less likely to use certificates on all their servers and only encrypt those that were required. I would rather have all web servers encrypted, but having to do it more often would make that more difficult.

----- 

This feels like a way to get more money out of us.,

----- 

Thank you for giving me the opportunity to speak my mind about this matter.

----- 

I see no gain from it. Why would it be more secure? What changes to a company would render the certificate invalid, and why does reducing it to 13 months make a difference? Everything that can happen in 2 years can also happen in 1 year.

----- 

Re-validating should be cheap and we hope that reducing the lifetime of the certificate can help bring innovation to that area

----- 

absolutely not

----- 

I think it is up to the proponents to explain exactly how this will increase security.

----- 

If the validation process is sufficient, there is no need to re-validate every year, let alone every two.

----- 

For things like web services, I feel this is acceptable. But since my primary concern is networking, this is not acceptable to me. We really need a better way to distinguish which services the certificate is being used for and allow for longer period for services such as network authentication.

----- 

I trust myself, but even companies change quickly these days, and I may feel better about working online if the certificates were validated more often. However, the average web user does not pay attention to the issue date of a site's certificate. What is more important is what the browser tells the user about the site's security. So if the browsers decide not to trust a certificate more than 1 year old and start giving users warning messages, we will have to comply with the browser policy and renew every year.

----- 

This would be an enormous pain in the ass at my organization.

----- 

If more security is needed, make the certificates more secure.

----- 

Not at all. There is no "aging" of the key, so the connections/services/whatever don't get less secure over time - not in two years and not in five years. If someone is able to break the key, I am sure he can do it within a month. If not, he can't do it anyway. So one or two years does not matter at all.

----- 

There is no need. i see no issues with two years.

----- 

it is an unjustified demonstration of power from the browser and search engine manufacturers side, which adds considerably to daily maintenance tasks for IT technicians such as myself. The security gain does not justify such a high frequency. This would require a new technology involving automated and secure self renewal of certificate.

----- 

It will just add cost on our side and add zero percent in added security.

----- 

Validating every 2 years is sufficient. Please let us run our businesses and not have to chase Google around.

----- 

It isn't obvious to me what problem this is trying to solve, especially when this information typically never changes. What real-world incidents led to this proposal? Does this proposal actually address what caused those incidents, or materially reduce the chance that they would happen again?

----- 

There is no benefit.

----- 

Revalidating does not necessarily require the reissue of a certificate. Furthermore, the security of a site can not fundamentally change just because a new certificate is issued every 13 months or 27 months.

----- 

It's not difficult

----- 

letsencrypt

----- 

letsencrypt

----- 

Again, I am not aware of a big enough concern for a year validation period.

----- 

It is annoying for getting more frequent revalidation.

----- 

I think that it is better to perform it frequently in order to obtain company authentication and domain usage rights confirmation accurately. However, if the frequency is less than one year (for example, every month), it will be invalid if the confirmed schedule is absent due to a long-term vacation. I think that the validity period of a certificate and verification are different in the first place, so I think it would be better to shorten the authentication period.

----- 

It just adds administrative work to do the revalidation every year.

----- 

The benefit of this change is not clear to me.

----- 

Unless AWS changes their way of doing certificate renewal, I don't see a problem with this change.

----- 

validating an organisation is significantly less onerous than changing certificates

----- 

IF automatic renewal works, it would SAVE time.

----- 

This proposal does NOT increase security, because the CAs doing the investigations and validations would have to double their efforts. With a two year cycle, they can spend enough time to look at Half of their customers thoroughly, and then the next year they can thoroughly look at the other half of their customers. By doing revalidations every year, that would mean that they have to spend half the amount of time currently to validate each customer -- they're not going to do as good a job as if they have twice as much time to cover the customers. Even if they were to double the people doing the validations -- well, now, half of those people are new and don't know what they're doing, so again, you make the CAs do a worse job twice as fast, and you think that Increases security? I doubt it.

----- 

Again just more overhead, most malicious domains are registered and used within the first 24 hours, what does it achieve validating genuine ones more?

----- 

No security increase. increased inconvenience.

----- 

The validation process is time consuming for both sides, and for companies there is no such high frequency of change.

----- 

I don't know what revalidation means in this context. If it can be automated I'm in favor.

----- 

These changes have no impact on bad actors who are engaged in illegal activity or impersonating legitimate companies.

----- 

Three years was nice, but agree in the world of IT security is too long, I believe every two years is an acceptable compromise

----- 

Even one year is too long to significantly reduce planned malicious use. Too little to be gained by the reduction to one year.

----- 

Fewer exploited certificates, though the lifespan is still too high.

----- 

With most browsers, load balancers and web servers now supporting perfect forward secrecy, there is little benefit from compromised certificates.

----- 

Seems to be just another power grab by the big players at Google. The only benefit (for them) seems to be adding massive cost to every smaller player in the market. Costs easily absorbed by a mega-corporation, but significant enough that they could tank an upstart competitor. No wonder they're pushing this so hard. It's a shame they hold such unilateral power.

----- 

Ryan Sleevi does not represent the industry focused on supplying authenticated certificates to secure the Internet.

----- 

I agree that it will have a negative administrative impact, and I believe that there should be adequate runway to make a smooth transition.

----- 

We have run into issues with another CA where they could not validate all of our internet domains before the expiration because we were waiting on legal documentation to prove we owned some of the domains. Tightening the validation process to every year will either cause a lot of issues or will become a "rubber stamp" that circumvents the reason to change the process to one year. In addition, this may force some good CAs out of the business if they cannot keep up with demand, which in turn causes less competition for CAs and ultimately is bad for the consumer.

----- 

Where do you draw the line? The next proposal may well be to reduce the renewal period down to 3 months which would be a massive strain on companies who do not have the capabilities and budget resource available to implement enterprise grade auto renewal & replacement.

----- 

I marvel that you ask your customers the last question. You should be telling us what the quantifiable (evidential) benefit to risk profile (likelihood and impact) will be of the proposed change.

----- 

This is a solution in desperate need of a problem.

----- 

This is imaginary added security. Please differentiate between EV certificates and standard certificates: the user should be educated to understand the difference.

----- 

Validation of organization can be good, but dropping the validity period instead of revoking cert in case of failing validation causes pain. Of course, if CRL's are not obeyed/updated, the only possibility is to drop the validity period.

----- 

If a certificate is secure, then the length of time is of less importance than the ability to rely on its validity. So, why is less time more secure than more time? This is just an exercise in generating additional revenue.

----- 

This seems to me like an effort to force companies to rotate their security keys and less like an effort to increase security by forcing re-validation.

----- 

If customers want 13 month certificates, they should be able to buy 13 month certificates. Indeed, the governing bodies could say that 13 month certificates are "best practice". Indeed, discounts could be given for 13 month certificates. But, if a customer wants a 27 month certificate, they should be allowed to buy one, perhaps at a premium. Indeed, if a customer wants a 60 month certificate, they should be allowed to buy one, perhaps at a premium.

----- 

Automate it and it's fine.

----- 

Increased work and expense does not equal increased security.

----- 

So-called validation: an employee of the CA is placing a phone call from abroad to publicly available phone numbers like 0850xxxyyy, 0800aaabbb. And he/she is not able to understand that local numbers (free of charge / shared charge) are not available from abroad. They do not speak the local language, so after reaching our call center, they are barely able to make themselves understood about what they would like. Terrible.

----- 

We believe the actual delays are sufficiently balanced and short enough.

----- 

It’s for free

----- 

Certificates should never have been valid for more than one year. The cadence of most business processes is one year or less, and everything should be automated or performed at least annually to ensure consistency.

----- 

2 years is reasonable.

----- 

It is obvious

----- 

Too often in technology, we are either directly addressing symptoms of an issue or indirectly addressing a root cause. This only leads to the issue becoming a game of whack-a-mole hindering the evolution of our technology solutions. It is very sad to see that the tech giants are resorting to indirectly addressing the root cause of the issue (lack of enforcement on revocation). Even proper education in the industry of the dangers of ignoring compromised certificates would be far more effective.

----- 

Domains used in attacks or for malicious purposes are not old domains. They are new domains registered with little to no verification and blindly shoved a certificate from letsencrypt because they verified ownership of a domain. It's ridiculous and if anything the verification required to purchase a domain should be increased.

----- 

Not worth at all.

----- 

No idea how it helps on security.

----- 

We took revalidation for many processes; one more step will not impact our operation.

----- 

Validation needs time. We have some EV and OV SSL, dammit. We also have code signing and email SSL.

----- 

Malicious websites that use SSLs don't live for a year typically, so doing this for that reason is not justifiable.

----- 

As mentioned previously, the updated cryptography methods are a nice thing to reassure customers using credit cards or anything private; however, paying $100+ a year to get a small security change in my SSL certificate will drain small businesses' wallets.

----- 

I don't believe that this shortening of the certificate lifetimes would have significant impact on the security of most sites. After all, the most common type of data breach is due to phishing which will be unaffected. Second biggest is identity theft through social media, which will also remain unchanged.

----- 

No, not at all. They should be allowing us as an organization to choose what we want time wise.

----- 

How often will a company pass validation, then fail after a year or two? Again, extra work for little benefit.

----- 

It doesn't exactly take hours to revalidate the information

----- 

There are many, many ways domains can be compromised. Effective protections must be multilayered. This only increases labor and costs to IT departments.

----- 

The cost of the cert pales to the cost of paying staff to renew them.

----- 

The certificates are only as good as the process to revoke them. Time and effort should be spent to make the certificate revocation process more robust and faster to really impact security.

----- 

What cost?

----- 

N/A

----- 

Our company has been around for decades. We have been at the same site since 1990. Most of the staff I work with have been here for over 20 years. Why do we need to be re-validated every two years? The greater frequency is bound to mean that the checker will not be as rigorous, if only because people will become complacent. If every check you do comes back OK, it is hard to be vigilant.

----- 

This seems to be more a case of money-waste than security-focus

----- 

As an organization that undergoes PCI DSS and HIPAA audits annually, the "added security" of renewing every year comes across more like busywork masquerading as security than actually implementing security best practices.

----- 

This change will do nothing to stop bad actors from anonymously purchasing new certificates. They will just have to do it more often.

----- 

Much can change in a business in 2 years.

----- 

For enterprise clients, NO. For smaller inter-country clients, perhaps.

----- 

It is clear that DigiCert wants me to respond negatively to this. But the facts are that fraud is still on the rise and of course 16 months old validation is worthless.

----- 

How often have certificates actually been stolen? I'm sure it happens, but in the past 20+ years we've never, ever, had an issue like that. Even when we had 3 year lifespans.

----- 

Instead the CA could request the same type of reminder update as is done with domain registration information without requiring a new cert be issued unless information has changed - in which case the proper response is revocation, not a new issue. For virtually all of our sites, domains, customers, certificate information remains 100% static and never changes year to year.

----- 

Don't understand the security issue involved. If a site with an SSL can be hacked in 24 months by some sort of coordinated attack, then simply recommend that high security sensitive sites renew their certificates every x months. Don't force/require everyone to do it. Most sites do NOT have anything more sensitive than a list of contacts or subscribers and are not a likely target for hackers. Poor site passwords and/or use of default usernames is a bigger security issue.

----- 

Not all SSL/TLS deployments are meant for public use. Some are for internal use only by taking advantage of built-in CAs in BYOD web browsers.

----- 

What is so special about 13 months? Is there some special domain period that lasts 13 months? Clearly this is a downhill slope to the magic 3 months; either go with 3 months or don't bother.

----- 

We have almost no historic cases where a domain has been hijacked and a certificate tampered with.

----- 

Out of all the security issues happening in the IT world, a compromised SSL cert is definitely at the bottom portion of the list. The additional security of renewing the certificates annually does not justify the cost of the time involved in performing this renewal each year.

----- 

CRLs already exist. Launch independent validation against questionable domains and employ CRLs to halt the acceptance of their certificates instead. Shorter time windows just punish good actors.

----- 

When was the last time a security breach hit the news for this reason? vs. some large entity (Apple/LinkedIn/Facebook etc.) being hacked in their panic to implement net new!! Work on legislation to punish vs. penalize the people just trying to keep their heads above water.

----- 

It's nonsense. There is no need to shorten certificate validity in terms of security. More validation and confirmation tasks will lead to more mistakes and errors. People will get used to confirming some certificates all the time without any attention.

----- 

Absolutely not. Certificate security does not come from the limited running time, but from the inability to properly protect the root certificates against administrative malice, where CAs provide intermediate signing certificates to break SSL, especially in rogue countries. The insecurity of the SSL world comes from the overabundance of root CAs, of which several can be expected to be bogus.

----- 

There is evidence that more frequent security changes actually reduce security; sometimes insecure workarounds are devised to bypass the unnecessary

----- 

This will definitely bring too many complications in the validation requirements.

----- 

It makes zero difference if a certificate is breached and valid for months or a year and months.

----- 

Revalidation is not a problem and the validation processes in use today are not bullet proof anyway. Shortening the validation period does not fix the validation weaknesses...

----- 

If you want to secure access to the ability to generate new certificates on an existing validated account, then utilize MFA on the CA hosting account where you access the certificates. Do not decrease the validity period.

----- 

It would be good to check if the company / domain is valid quite often (maybe even every week), and pull back a certificate that is not valid, for example if a company goes bankrupt. But then it is better to build a better system to pull back certificates instead of forcing a change of the certificate often.

----- 

Stop where you are, you already accomplished the goals. Well done. 2 years is good.

----- 

Again what is the practical basis for this change? We are a local government. What do you expect would change?

----- 

No evidence presented to show either way, if this would be helpful at all.

----- 

It is definitely NOT WORTH IT, by this useless step you just want to create artificial working positions for your employees. The security of the certificates will NOT be better since the certificate itself is supposed to ensure the security.

----- 

Stop the ridiculousness. This will not increase security. It will just pad the pockets of the CA's and their affiliates.

----- 

Companies may well reduce SSL certs due to increased costs

----- 

As per our local market it is just an annoying process that our customer has to go through again and again. It must stay valid for at least 18 months if not 24 months.

----- 

There is no reason to believe that making certs valid for less time will make a company/site more secure. It will, however, cause more disruption than happens now, and that is actually pushing the risk factor too far into the red in my estimation.

----- 

No, this has nothing to do with security, it's just a business decision.

----- 

See above

----- 

This is something that we as a business have always been in favour of.

----- 

I have explained it on the above statement.

----- 

Depending on where the certificate expiration lands this could also happen at really busy time. With two year certificates there is a lot of time near the end of the certificate life to plan out when you want your next certificate to expire. 13 month certificates, not so much unless you expect businesses to buy two 13 month certificates in the same year.

----- 

The added security is not worth the hassle involved in updating all the places our certificates are used

----- 

I see no valid security added in doing this.

----- 

Organization should have choice. Under the current system, if an organization wants a period shorter than 825 days they can select that or renew certificates early. This ballot initiative removes choice and flexibility, forcing one way of doing things, which is counter to the ideas of the internet and technology.

----- 

Strongly disagree that the reduction improves security for our systems.

----- 

There are so many other holes in the Internet's security regime, this would not be any kind of panacea.

----- 

I wear many hats here and this will cause an increased workload. I will constantly have to be monitoring my certificates and getting them renewed. I'm afraid with this limited timeframe I may miss certs, which would cause a worse security posture than current.

----- 

We need empirical research.

----- 

Don't care.

----- 

The likelihood is that users will be less likely to want to use certificates than they already are.

----- 

It can be automated to near-zero effort, it's a positive change.

----- 

This reads like so much bad legislation: Let's change this in the name of "security" with no evidence or expectation it will hinder bad actors, but will certainly impact the good guys. I have seen NO EVIDENCE that this is of any benefit to legal consumers. Is this a money making scam?

----- 

I don't believe that this adds any security at all.

----- 

How about dealing with the root problem of how a domain is stolen in the 1st place instead of half way measures that shift the burden to organizations that properly maintain their domains & certificates?

----- 

We own a .ORG domain, which is even more difficult to validate than the average domain since our information is not available in public records. We have to perform additional steps just to validate our domain.

----- 

I don't actually think this would improve security. I think it makes people feel better about it, is all.

----- 

Domains change ownership more frequently than certificates are issued.

----- 

I can honestly think of no cases where an improperly validated certificate stayed online for over a year, most of these types of sites last months at most.

----- 

Google itself would be better off utilizing its resources to better identify/verify its customers' (email account) identities.

----- 

Not at the moment with the level of automation in the vast majority of IT organisations. Google and Apple will be fine with this as they have the engineering resources to cope; smaller organisations not so much.

----- 

It is not worth it for any of my small business clients.

----- 

I see no benefit in such short timelines, only added burdens on small organizations.

----- 

That's just not logical and practical anymore. The responsibility should lie on the certificate authorities and they have to revoke misused certificates; the frequency of revalidating doesn't help at all. A cheater would then use such a certificate just for 1 year instead of 2 years, so hell, how should this improve the trust in issued certificates?

----- 

Will this help cut down on phishing scams?

----- 

Link revalidation to the organization's age so long established businesses revalidate less often.

----- 

Process to obtain EV certificates need to be improved.

----- 

See above

----- 

Absolutely not.

----- 

Companies do not change, they just go away...

----- 

I see absolutely no benefit.

----- 

Two years is a reasonable period to manage security certificates. We try to have the renewal of our services as extended as possible; we contract domain names for 20 years to minimize management effort, and we were contracting security certificates for 3 years for the same reason.

----- 

I believe costs for the SSLs should go down by 1/2. If you are getting 1/2 the value you used to get, you should pay 1/2 the price. This keeps things balanced and fair.

----- 

Sufficient security measure are already built into the certificate and certification process to stay ahead of malicious entities.

----- 

Sufficient security measure are already built into the certificate and certification process to stay ahead of malicious entities.

----- 

The cost is not only measurable by the dollars spent on revalidating, there is also a time cost.

----- 

I am not sure because I don't know about this process. I will say I would rather the expense of the certificates increase instead of me having to replace them every year. If we can re-validate WITHOUT renewing the certificates then I am in favor of that.

----- 

Scammers will adjust. The fact that scammers can get domains and certs illustrates that the validation process is weak regardless of the term of the validation.

----- 

While well intentioned, these aggressive security changes being proposed/made may work to improve security at a reasonable cost and workload for LARGE organizations like Microsoft and Apple, but to much smaller organizations, these changes just introduce a significantly increased burden and expense while marginally improving security.

----- 

I would rather assume the risk of having a certificate with a longer validity period than not. I do not understand the security risk that is implied with long validity periods and believe it is tied more to an organization's risk profile. A blanket rule like this makes no sense.

----- 

Security certificate sales are pretty close to extortion already, no need to make things worse.

----- 

We have owned these domains for 20+ years. Why suddenly do we need to validate every year?

----- 

Revalidation could occur as often as the CA would like for certificates, whether they be 2, 3 or 4 years. There's an existing revocation process, and browsers check CRLs today. Why is that not sufficient for validation/revalidation purposes?

----- 

There is no benefit to validating every year.

----- 

Revalidation of our EV org information is not very onerous for us (we had to do it once every few months during the transition from Symantec to Digicert for some reason and it wasn't a huge bother....)

----- 

I think smaller organizations would be less likely to use certificates on all their servers and only encrypt those that were required. I would rather have all web servers encrypted, but having to do it more often would make that more difficult.

----- 

This feels like a way to get more money out of us.

----- 

Thank you for giving me the opportunity to speak my mind about this matter.

----- 

I see no gain from it. Why would it be more secure? What changes to a company would render the certificate invalid, and why does reducing it to 13 months make a difference? Everything that can happen in 2 years can also happen in 1 year.

----- 

Re-validating should be cheap and we hope that reducing the lifetime of the certificate can help bring innovation to that area

----- 

Absolutely not.

----- 

I think it is up to the proponents to explain exactly how this will increase security.

----- 

If the validation process is sufficient, there is no need to re-validate every year, let alone every two.

----- 

For things like web services, I feel this is acceptable. But since my primary concern is networking, this is not acceptable to me. We really need a better way to distinguish which services the certificate is being used for and allow for longer period for services such as network authentication.

----- 

I trust myself, but even companies change quickly these days, and I may feel better about working online if the certificates were validated more often. However, the average web user does not pay attention to the issue date of a site's certificate. What is more important is what the browser tells the user about the site's security. So if the browsers decide not to trust a certificate more than 1 year old and start giving users warning messages, we will have to comply with the browser policy and renew every year.

----- 

This would be an enormous pain in the ass at my organization.

----- 

If more security is needed, make the certificates more secure.

----- 

Not at all. There is no "aging" of the key, so the connections/services/whatever don't get less secure over time - not in two years and not in five years. If someone is able to break the key, I am sure he can do it within a month. If not, he can't do it anyway. So one or two years does not matter at all.

----- 

There is no need. I see no issues with two years.

----- 

It is an unjustified demonstration of power from the browser and search engine manufacturers' side, which adds considerably to daily maintenance tasks for IT technicians such as myself. The security gain does not justify such a high frequency. This would require a new technology involving automated and secure self-renewal of certificates.

----- 

It will just add cost on our side and add zero percent in added security.

----- 

Validating every 2 years is sufficient. Please let us run our businesses and not have to chase Google around.

----- 

It isn't obvious to me what problem this is trying to solve, especially when this information typically never changes. What real-world incidents led to this proposal? Does this proposal actually address what caused those incidents, or materially reduce the chance that they would happen again?

----- 

There is no benefit.

----- 

Revalidating does not necessarily require the reissue of a certificate. Furthermore, the security of a site can not fundamentally change just because a new certificate is issued every 13 months or 27 months.

----- 

It's not difficult

----- 

letsencrypt

----- 

letsencrypt

----- 

Again, I am not aware of a big enough concern for a year validation period.

----- 

It is annoying to get more frequent revalidation.

----- 

I think that it is better to perform it frequently in order to obtain company authentication and domain usage rights confirmation accurately. However, if the frequency is less than one year (for example, every month), it will be invalid if the confirmed schedule is absent due to a long-term vacation. I think that the validity period of a certificate and verification are different in the first place, so I think it would be better to shorten the authentication period.

----- 

It just adds administrative work to do the revalidation every year.

----- 

The benefit of this change is not clear to me.

----- 

Unless AWS changes their ways of doing certificate renewal, I don't see any problem with this change.

----- 

Validating an organisation is significantly less onerous than changing certificates.

----- 

IF automatic renewal works, it would SAVE time.

----- 

This proposal does NOT increase security, because the CAs doing the investigations and validations would have to double their efforts. With a two year cycle, they can spend enough time to look at Half of their customers thoroughly, and then the next year they can thoroughly look at the other half of their customers. By doing revalidations every year, that would mean that they have to spend half the amount of time currently to validate each customer -- they're not going to do as good a job as if they have twice as much time to cover the customers. Even if they were to double the people doing the validations -- well, now, half of those people are new and don't know what they're doing, so again, you make the CAs do a worse job twice as fast, and you think that Increases security? I doubt it.

----- 

Again just more overhead, most malicious domains are registered and used within the first 24 hours, what does it achieve validating genuine ones more?

----- 

No security increase. Increased inconvenience.

----- 

The validation process is time consuming for both sides, and for companies there is no such high frequency of change.

----- 

I don't know what revalidation means in this context. If it can be automated I'm in favor.

----- 

These changes have no impact on bad actors who are engaged in illegal activity or impersonating legitimate companies.

----- 

Three years was nice, but I agree that in the world of IT security it is too long. I believe every two years is an acceptable compromise.

----- 

Even one year is too long to significantly reduce planned malicious use. Too little to be gained by the reduction to one year.

----- 

Less exploited certificates, though the lifespan is still too high.

----- 

With most browsers, load balancers and web servers now supporting perfect forward secrecy, there is little benefit from compromised certificates.

----- 


6. Do you have any other comments or additional information

you would like us to present to the CA/Browser Forum on your behalf?

(You will not be identified in connection with your comments):

 

I think the industry will eventually move towards shorter validity times, but additional time to support automation efforts would be beneficial

----- 

Overall not a good idea. There is the possibility that, with a 1-year lifetime, there will be more administrative overhead in renewing certificates, and we may accidentally forget to renew a certificate which will itself cause security issues. The time isn't here when servers are aware that certs are coming up for renewal, be able to generate CSRs, talk to the CA to issue/renew certificates, and download/install the certificates automatically all without human intervention. When that day comes, I will gladly support a shorter certificate lifetime.

----- 

NO don't do IT!!!

----- 

Are there deeper explanations in the forum of how a shorter lifetime improves security, and good reasons to do this? If not, please explain.

----- 

We're more likely to have an outage with reduced cert duration.

----- 

While I appreciate your taking the stance you are to protect the best interests of your customers, I caution your resistance to the improved security of the fundamentals in TLS. We have too long relied on the fact certs and TLS were just complicated as a means of "security". We now have to technologically close the gaps that are still left open by "ease of use" or "lower impact to cost", *insert other excuses not related to securing the framework. Lastly, thank you for taking the time to gather input. I look forward to seeing what the consensus is.

----- 

I see a clear move to shorter validity periods which I support, and we are already prepared for 1 year validities. That said, in order to understand the extent of automation requirements we would benefit from increased notice and discussion on what we can expect validity periods to reduce to and by when (i.e. would it be unreasonable to expect to see reduction in validity periods to 3/6 month validity by 2022?)

----- 

I can see no value in this. It appears to be another example of Google Corps empire building power plays. That aside : To remain competitive in this market place , Certificate providers will have to reduce the SSL Cert Unit cost to offset the increase in certificate procurement.

----- 

This is the "big dogs" imposing their will for "security" when they have teams of people for certification renewals. Small shops like ours do not have time or the resources to renew each year.

----- 

Google trying to take control again

----- 

This appears to be a coordinated effort by Apple and Google to unfairly restrict competition in the cloud marketplace where these certificates are used.

----- 

We understand the need for security, but valid SSLs do not need short expiration dates to make them more secure. Leave the current rules alone.

----- 

Don't do this.

----- 

The top down command and control model is broken. We need a peer to peer web of trust model based on the tenets of PGP.

----- 

I'm tired of google forcing their views and changes into the internet community. First forcing all websites to use SSL certificates or the average user's browser openly complains that the site isn't secure (even when it doesn't need to be). Then forcing us to buy SSL Certificates more often. Seems like they must be making money from SSL cert sales somewhere.....

----- 

Google should not only be ignored, but their management should be in jail for breaking the laws of pretty much every country on Earth.

----- 

I don't feel that issues with certificates are at the top of anyone's list of major security concerns. This is really not solving the bigger picture security issues that face IT organizations throughout the world.

----- 

This is just more false security that does nothing to protect anyone. Maybe stopping using Google and Apple would make us all more secure. Why don't we just make companies validate their certificates every hour just to be safe? /s

----- 

This proposal does not recognize the cost and potential problems caused to smaller companies

----- 

The world according to Google. What a joke.

----- 

simplify the certificate generation process

----- 

In my opinion this is a bad idea

----- 

I still don't see the value in the ssl certificate, beyond clearing a browser UI warning. It's been thirty years.

----- 

Obviously whoever is proposing this change is looking out for their own interest, and I doubt very much that it is the user/consumer.

----- 

Goodbye commercial SSL vendors, this is the end for you.

----- 

N/A

----- 

I agree with the position of Digicert. This initiative will create more discomfort than it makes the IT infrastructure more secure.

----- 

I think that the companies proposing this change have other motives here.

----- 

Sounds to me like the Internet is falling prey to elitists who believe they know what's best for everyone. If you don't agree with them they will force you to accept their way. Not a good sign for the future.

----- 

Google and Apple should not be able to dictate terms to the rest of us. We need to clamp down on this now before it is too late

----- 

I believe the industry should focus on ways of migrating AWAY from central root certificate authorities to a more distributed system.

----- 

Don't allow the enormous companies to dictate how the entire internet should function.

----- 

If re-validation is the main purpose of this and not to change certificates, then it would be better to make annual re-validations a requirement by CAs, with revocation of certificates for those that fail.

----- 

Google itself would be better off utilizing its resources to better identify/verify its customers' (email accounts) identities.

----- 

No

----- 

As a government, law enforcement agency, we see security, trust and crime prevention in a sharp light. In our view, tightening the slack in TLS certificate infrastructure weighs more heavily as a priority than the modest impact it may have on certificate administration. One year should be enough time to plan and implement updating server certificates, even for unsophisticated, government agencies in the backwaters of the internet. Slow moving agencies with a lack of adequate sophistication and administrative competence pose a security liability to the community. They should be compelled to step up and meet this new compliance standard.

----- 

Go back to 3 years.

----- 

To a small business owner who manages certificate security for his own company as well as for his clients, this feels an awful lot like a power move to force companies to spend more on certificates. I would like to know that the companies pushing for this are not also planning on benefitting financially from these changes they are pushing. I have a hard time seeing any security benefits from the changes as stated, at least at the small business level. It won't stop the bad actors and we already have a way to reissue certificates if a security issue comes about that requires an updated certificate.

----- 

Small and mid-size companies can't keep up with business trends as it is. Businesses already struggle to compete within their markets. They cannot afford the additional expenses that arbitrary changes like this force upon them.

----- 

We urge the forum to deny this proposal.

----- 

Poorly written code and application issues are far bigger security problems.

----- 

I do not support this proposed change.

----- 

Periods should increase to 5 years for Not For Profit Corporations and Charities

----- 

Stop messing with things that do not require change. This throwing around of "weight" reminds me of Microsoft a few years back. Persons on the "no" side need to make their views known. If it gets to "yes" then hopefully the big players involved will shrink like Microsoft has. 

----- 

I would be all for decreasing the max validity lifetime if they also made the management process easier and more uniform. I understand that a lot of the process can be automated, but only in certain instances and only if your team has the extra bandwidth and expertise to do so. Many smaller entities will be negatively impacted if this proposal passes.

----- 

Updating certificates process still needs much more work to make it less prone to errors. This will come with time.

----- 

No

----- 

Think about the smaller shops, the people who need certificates yet don't have the expertise associated with managing them.

----- 

no, not really.

----- 

Please explain how this actually improves an organization's security? And why this decision should be made by anyone other than the organization that is employing the certificate. Also, what about certificate revocation? Why can certificate revocation not be used to revoke certificates in the event of compromise? Again, how are shorter certificate lifespans better?

----- 

This is [redacted],

----- 

CAs essentially have a license to mint money. A business that wants to sell online has no real option other than to pay the vig, so the whole scenario is inherently fraught with moral hazard. For example, when CAs conspire together to increase operating costs to customers, it favors large, politically active organizations like Verizon and Google over smaller businesses that don't have the money to distort international politics for profit. Is it moral for CAs to undermine small businesses given those circumstances? Kudos to Digicert for opposing further limitation of cert lifetimes without customer consensus!

----- 

The CAs should be in charge of how certificates work. Google and Apple should stick to creating browsers; perhaps if they did that their browsers wouldn't suck. If a particular CA wishes to make THEIR certs that they issue 1 year, let them... We'll vote with our wallets and they'll go into oblivion after going bankrupt. We would like to see 3 year certs back, but can live with 2; 1 year is ludicrous.

----- 

I don't understand how this improves security. You can revoke an unwanted cert at any time, right?

----- 

Having a general timeline for the rampdown to 94 days for public certificates as Rich Smith suggested would be useful, this could help spur conversations with vendors (like Cisco and Oracle) who don't have very good automation for certificate lifecycles in most of their enterprise products and help large enterprises prioritize automation efforts.

----- 

The use of automation makes longer lifespan certs a hindrance rather than an asset.

----- 

It's a bad idea and should not be passed.

----- 

I favor it in this manner. Let me buy something for more than 1 year but have an automated system for renewing the interim certificates. I'm thinking of a commercial version of LetsEncrypt where my systems renew themselves for short terms but a commercial system would permit that up to a much longer certificate total lifetime. This prompts admins to periodically prove their systems are still intended to carry a valid cert, but stolen certs do not last long. And it lets me budget and pay for the certs for longer periods.

----- 

Please consider the effects on small businesses, not just the effects on behemoths like Google.

----- 

This move seems to have no connection to actual security or safety and instead appears to be a clear power/money grab by organizations that stand to gain from doubling the touch-points for certification access that can be monetized and/or shifted to evergreen service offerings. Neither of which has anything whatsoever to do with creating a more secure and robust certification landscape.

----- 

[Redacted] Google. Can't stand the whole of Alphabet, Inc., treasonous, lying, crooked, anti-competitive sons of bitches they are.

----- 

No idea

----- 

Any system can be hacked eventually; changing certificates more often could actually increase the risk of fake certificates as the number of issued certificates is increased annually rather than the current every 2 years.

----- 

The option of renewing/replacing certificates should be left with the individuals responsible for the particular use case.

----- 

This will be a great disservice to small and medium size organizations that do not have the necessary resources for the effort required to deal with the proposed changes.

----- 

no

----- 

DigiCert should force all customers to use ACME.

----- 

2 year certs are practical. Less than that is not.

----- 

This proposed change is NOT a benefit to anyone except to those proposing it. It must be opposed! Thank you.

----- 

This will have a disproportionate impact on small businesses who cannot readily absorb the cost and time implications brought about by this proposal.

----- 

No

----- 

It should NOT be reduced. It should be increased to at least 5 years.

----- 

This has a very rushed feel to it and provides very little benefit to people.

----- 

Consumers should be given a choice of how long they wish their certificates to be valid.

----- 

Now browser vendors say they will eliminate the EV certificate notation. As a result, the server certificate seems to lose its significance. If this is the case, there is a debate about what the original certificate proves, and we are worried that it will no longer be a viable business. I would like to ask if the browser is neglecting the proof by a third party.

----- 

This may be pointing to certificates becoming less trusted as a reliable security step.

----- 

If you want to use a gap, you can do it in 13 months. It would be better to repudiate abused certificates instead of obliging everyone to renew their certificates in less and less time. At some point in the future, we will automatically exchange the certificates every day … If that's the goal, then we need another infrastructure for the provision and installation of certificates. Currently, I am waiting for a week to check whether we are issued a certificate or not.

----- 

The current "members" of the CA/Browser Forum are Certificate Authority Vendors, and Browser providers. This does not seem to cover two other major stakeholder groups -- Software providers that make use of SSL/TLS protocols and certificates (such as FTPS, NDM/ConnectDirect, MQ, among other protocols -- may include SSH/SFTP if certs become used to manage keys), and (major) Users/Purchasers of Digital Certificates. CAs may currently represent major users -- but perhaps major users of certs should get their own seat[s] at the table with equivalent authority to weigh in on how the industry behaves. (Perhaps major users would be those who either purchase over 100 certs per year, and/or internally sign over 500 certs per year.) Finally -- I might feel differently if there were active means to "break" certificates with current standards (2048+ bit keys, sha256RSA algorithm or better) in less than the 2 year lifetimes of the certs/keys with sufficient compute power -- but then the solution is to move to higher standards of certs (ECC, etc.) sooner, rather than do away with 2 year lifetimes.

----- 

No security increase. Increased inconvenience.

----- 

What are the real security benefits here? Failing to see them.

----- 

Please push for an industry-wide adoption of ACME or other automated renewal processes. Both on CA side and hosting side I feel there is a lot to be improved. There must also be a deadline so that there is enough incentive to push hard on this.

----- 

Google is too big, the market needs proper competition.

----- 

Nothing of note

----- 

Allow users of certs to choose what year their cert will expire.

----- 

Stop

----- 

Shortening the duration of a certificate is a reasonable security practice; revalidating the organization every year, not so much. Consider offering an amendment accordingly.

----- 

Ask the major consumers of authenticated certificates-primarily financial services and healthcare industries-what they think.

----- 

For trusted certs, no objection. For self-signed certs, strong objection.

----- 

No

----- 

While I understand the desire to automate, automation is not always feasible for all businesses. I supported the move away from 3 year certificates because that was too long. I strongly oppose the less than one year (down to 90 days) validity due to the strain on businesses. If the issue is security, this appears to be like hitting a fly with a hammer. I also strongly oppose one company (the company that proposed a 90 day validity) controlling how often I renew my encryption and how I invest in automation. I may choose to invest in automation in other areas with a timeline to automate certificate renewals much later based on profit margin. If my current 1 to 2 year certificate renewal process is working for my business, what concern is it of the CAs and the CA/Browser Forum?

----- 

I understand that Google employees don't spend their time improving their browser, but this is introducing extra work for every single company with an Internet presence. This has no security benefit. There is no problem with how it works now. I think this is about Google pushing an agenda of control, wherein their Certificate Transparency will offer them a veto on sites' existence more often. I think Peter Thiel is right. Google should really see if their organization is infiltrated by various kinds of government spooks. This is clearly NOT about security or anything technical. It's about going down a bad road. All technical people should oppose it.

----- 

Yes. See above. Apologies if this information has been provided. It has not been presented to me in this guided process.

----- 

Who died and left Google in charge of the internet?

----- 

Digicert's position is wrong, they are reluctant to implement improvements, I'm glad we are transitioning out of having any business with digicert. Even the questions in this survey are misleading.

----- 

It is a sad day in history when a small amount of major companies impose their idea onto society. This is the opposite of the spirit of the internet.

----- 

Leave it valid for 2 years!

----- 

Improving security is always in line with an inconvenience factor, and the line has now been crossed.

----- 

Please move towards shorter valid periods! Especially with revocation being as it is.

----- 

This effort doesn't increase security in any way, it only increases costs and overhead.

----- 

I see one and only one reason to shorten the validity of certificates - money. If someone would like to shorten the validity period, I agree only under one condition - introduce automatic renewal for enterprise solutions, without human intervention. In that case we open a lot of unanswered questions like the authenticity of the renewal request and much more.

----- 

We do not support the new proposal.

----- 

Please vote against shortening the length of SSL certificates.

----- 

For small businesses this impact will be heavy without any benefit.

----- 

You guys are just losers

----- 

One year certs are the natural progression and will ensure adoption of cert automation, which will benefit security

----- 

CAs should worry about securing sites. AND Browsers should worry about the security and stability of their browser. WAY TOO OFTEN Browsers are having to fix critical vulnerabilities in their browser.

----- 

The browsers are abusing their position while they should listen to governments, banks, healthcare and other high profile targets.

----- 

I own 36 domains- already this task is onerous

----- 

See above comments

----- 

Absolutely - I AM FED UP with Google dictating how the internet should work... I don't recall ever electing them to be the policemen of the internet.

----- 

This just seems to be an exercise to harass customers by both CAs and browsers. Why can't CAs have stricter validation and, based on that, provide the necessary validity instead of a blanket one? Why does the browser bother about https security if a renowned CA has validated and certified; don't they trust the CA?

----- 

No

----- 

Who proposed this stupid idea to decrease it? We have a lot of problems with certificates, and the people who proposed this idea should be fired.

----- 

Listen to the people if you won't listen to the CAs!

----- 

This only benefits browser makers and not the IT community as a whole.

----- 

When you update your phone, do you have to pay for those updates? Not at all. I believe this should be the same for SSL certificates. If the timespan for SSL certificates is shortened, we (the website owners) should obtain some sort of benefit as well. The SSL expiration dates used to last for eight years. Then it was shortened to five, then to three. There should be no reason to shorten it any further. The SSL companies need time to develop more cryptographically secure methods, and a year to develop them isn't enough time to look for any flaws in the method.

----- 

I believe both the cost for businesses to revalidate due to increased frequency but also the cost of certificates themselves will increase. As basic economies of scale teach us, products with higher prices (2yr SSL) typically yield small margins with higher sales, vs lower overall priced products (1yr SSL) which usually lead to lower sales but generate a higher per-item profit. This is bad news for, at a minimum, the customer purchasing SSL: higher cost for this digital product, while vendors of SSLs such as digicert in a best scenario experience no change in overall company profitability. There is no value / benefit gained by either party

----- 

As I have already stated a couple of times, we should have the ability to choose our expiration time frame. 2 years is even too low.

----- 

I am not sure restricting TLS certificates from three years to two has helped the security posture. I believe that should be proven before any additional changes are made.

----- 

Due to a lengthy procurement process, procurement of SSL certificates is challenging for us; so I would suggest that the procurement of SSL certificates should support a three year agreement with the customer; however, the customer has to revalidate their SSL certificates every year with the certificate authority within the agreed tenure.

----- 

Too many policy changes, too often, being forced by browser makers wielding too much power.

----- 

I feel like we're overdoing it without reason. Chrome for example not accepting certificates without a SAN that includes the same CN that's already signed is another good example...

----- 

WTF is this idea?!!

----- 

2 years is already way too short. If the process is a broken revocation system, fix that! The proposed solution is like changing the speed limit on roads to 10MPH because a drunk driver had a high speed crash. The problem is drunk driving, not the speed limit. Use common sense people.

----- 

This honestly just looks like it's money grubbing. I do not believe that this will provide significantly increased security to anyone and only increases costs to businesses. I get that certificate authorities are for-profit businesses, but this is just a blatant grab for money under the guise of security.

----- 

There has been a move towards dropping HTTP in favor of HTTPS among browser providers. In my opinion this move would be a strong push towards Web site providers moving back to HTTP except in a few cases.

----- 

This change places a large undue burden on small IT shops for little to no gain in security for their organizations. I believe two years offers a good balance between security and effort required to maintain secure communications.

----- 

I think the ultimate goal is for them to drive down cert lengths to the 90 days that Let's Encrypt does now. So even the push for one year is just a short stop before they push to get even shorter lifespans. Pushing everyone to short times and automated tools just introduces more attack surface for the bad guys to exploit. You can't tell that the automated tools to renew certs don't have vulnerabilities in them that will eventually be exploited to install compromised certs automatically.

----- 

I really love how some people think the rest of us operate with unlimited budgets/resources thus we can just automate the problem away in our copious amount of spare time.

----- 

N/A

----- 

There is too little warning with many of the recent changes. End users must be given enough time to prepare.

----- 

For my small business it is imperative to save costs and, more importantly, time. The time required to renew certificates and re-sign applications is costly for a small business.

----- 

It seems like the impact on small businesses was not considered at all. Realistically, if this were to pass, we would no longer be able to renew or track certs for our customers. The cost in time alone would simply be too much.

----- 

Tell them to go pound sand.

----- 

Google has no interest in the security business or understanding best practices with regards to validation.

----- 

Please go on with 13 months certificates

----- 

I appreciate the CAs security concerns

----- 

My comment is that I would like to see the 3 year option brought back.

----- 

Go go go!

----- 

[redacted] Google...

----- 

This appears to be a feel good security measure to deflect responsibility from the CA/Browser to the owner of the site to make sure the certificate is properly issued, current, and valid.

----- 

Sounds more like a money grab than a real security issue. If it's really a national security issue, then the government should issue them for free.

----- 

The world needs to work together to stop Google ruling it. For as long as we use Google Apps for everything Google will set the rules. Google is not unable to make mistakes, and its goals are to monetise / exploit every user world wide in the most lucrative way possible, in such a way as to not burn their bridges for future monetisation. Generally speaking, give or take a few human flaws, governments are good people and do try and put in rules fair for everyone. Why not trust the governments to do this and accept their judgement rather than taking the opinion of a biased corporation. Written (unfortunately) in Google Chrome ... because despite knowing it, I am also stuck with Google! Isn't that the saddest thing.

----- 

Change for the sake of change, or because some behemoth of a company thinks it's a good thing, rarely if ever impacts the real world. SOX Compliance, PCI Compliance, GDPR, Patriot, FIPPA and PIPPA have done NOTHING!! to protect individual securities and data loss. Ransomware is rife; virus outbreaks, spoofing attacks and cyber crime are at all time highs.. whatever the big guys are doing.. it's not the right approach. This strikes me as an ill conceived and reactionary response to someone's perceived understanding of where security risk online comes from. The little man will suffer as he always does.

----- 

Stop bowing down to corporate giants

----- 

I am disgusted with Google's approach of being a normative body for the whole internet community. They behave like fascists and follow their business goals, not security.

----- 

Google more and more behaves like "we rule the world".

----- 

The CA/Browser forum is clearly hijacked by Google.

----- 

We truly, as a group of companies, request not to move ahead with the change in validity of certificates as this would adversely affect us, financially and security-wise. Instead, do the re-validation every year, and revoke the certificate immediately if the validation fails in the given time frame (say 15 days)

----- 

The security improvement of moving from 2 years to 1 year is hardly measurable; however, the amount of time used on certificate management and downtime in case of mistakes will increase by a very measurable amount.

----- 

The world does not revolve around Google and Apple. Listen to MSPs that service 50 - 100 SMBs and find out what they think because that is the real area of impact.

----- 

No

----- 

SSL is not as important to everyone as you would like to believe it is. If you keep squeezing, you risk further alienating your audience.

----- 

I would feel more comfortable if there was an impartial body governing this decision. PLEASE do not say that Google serves this purpose.

----- 

Stop the madness.

----- 

Google needs to learn that not everyone can or does operate the way they do. Most bay area companies are at best 3 years behind the level of automation companies like Google, Netflix and Facebook have, but more often 5 or so. Outside of the bay area it can be as far as 15 years behind! Google, stop it... just stop it. There's no point and you're just causing havoc for absolutely little to no gain.

----- 

This proposal is bad both for partners and for companies.

----- 

No, thanks
