Google, Mozilla expected to give older SSL digital certificates the axe
In the wake of Google's decision to reject SSL certificates that were issued after July 1, 2012 and have a validity period of more than 60 months, Mozilla is now also considering the possibility of rejecting such certificates, reports Computerworld.
Central to the issue is a document that defines the issuing and management of publicly trusted certificates, which is agreed upon by certificate authorities and browser vendors.
Version 1.0 of this document took effect on July 1, 2012, and defined that certificates issued after the effective date "must have a validity period no greater than 60 months." You can access the document, titled "Baseline Requirements for the issuance and management of publicly-trusted certificates, V 1.0," here (pdf).
To be clear, a shorter validity period for a digital certificate does nothing by itself to protect users. Regular changes, though, allow new implementations to be rolled out in a timely fashion so that the technology is still able to protect users.
Conversely, 10-year-old certificates that remain valid can have a detrimental effect on SSL certificates as a whole should security weaknesses or breaches be discovered.
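The 60-month rule quoted above can be turned into a check over a certificate inventory. This is an added example, not code from the article or from the Baseline Requirements document; it assumes that notBefore stands in for the issuance date and that 60 months means calendar months, and the host names and dates are constructed.

```python
import calendar
import ssl
from datetime import datetime, timezone

# Effective date and limit as stated for Baseline Requirements v1.0.
EFFECTIVE = datetime(2012, 7, 1, tzinfo=timezone.utc)
MAX_MONTHS = 60

def parse(cert_time):
    """Parse the 'Jul  1 00:00:00 2012 GMT' form that ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def add_months(dt, months):
    """Calendar-month addition; clamps the day (Feb 29 + 60 months -> Feb 28)."""
    index = dt.month - 1 + months
    year, month = dt.year + index // 12, index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def check(not_before, not_after):
    """Return 'exempt', 'ok' or 'too-long' for one certificate."""
    start, end = parse(not_before), parse(not_after)
    if start < EFFECTIVE:  # assumption: notBefore stands in for the issuance date
        return "exempt"
    return "too-long" if end > add_months(start, MAX_MONTHS) else "ok"

# Constructed inventory: (host, notBefore, notAfter). Not real certificates.
INVENTORY = [
    ("legacy.example", "Mar 15 00:00:00 2008 GMT", "Mar 15 00:00:00 2018 GMT"),
    ("fiveyear.example", "Aug  1 00:00:00 2012 GMT", "Aug  1 00:00:00 2017 GMT"),
    ("tenyear.example", "Sep 10 12:00:00 2012 GMT", "Sep 10 12:00:00 2022 GMT"),
    ("leapday.example", "Feb 29 00:00:00 2016 GMT", "Mar  1 00:00:00 2021 GMT"),
]

def audit(inventory):
    """Map each host to its status under the 60-month rule."""
    return {host: check(nb, na) for host, nb, na in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:20} {status}")
```

The 10-year certificate issued in 2008 is reported as exempt rather than compliant, which keeps the long-lived legacy certificates visible in the output.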
The Fierce Take: While the change should not affect enterprises in general, it is a timely reminder that measures like digital certificates and encryption are only part of the equation in implementing good security. It's also important not to overlook proper certificate and encryption key management.
- check out this article at Computerworld