Security News

Maximum Lifespan of SSL/TLS Certificates is 398 Days Starting Today
2020-09-01 05:25

Starting today, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, down from the previous maximum certificate lifetime of 27 months. The lifespan of SSL/TLS certificates has shrunk significantly over the last decade.

ISO defines standard approach to embed LEIs within digital certificates
2020-08-20 00:00

ISO has defined a standard approach for Certification Authorities to embed Legal Entity Identifiers within digital certificates. The move to simplify LEI integration paves the way for all digital certificates to be linked by a universal identifier to verified and regularly updated entity reference data in a freely accessible repository; certificates can also contain the certificate owner's role within a legal entity.

DigiCert Automation Gateway: Securely monitor, automate and process certificate lifecycle events
2020-08-05 00:15

DigiCert Automation Gateway launches with integration into DigiCert CertCentral in Q4. This new automation approach is designed to accelerate the adoption of automated certificate issuance, renewal, reissuance and revocation by tackling some of the common concerns with existing offerings. Automation Gateway will provide organizations the confidence to widely deploy automation protocols within their company networks to provide greater agility.

Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans
2020-07-14 03:48

Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS certificates. Currently, SSL/TLS certificates have a maximum lifespan of 825 days. In an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

Digicert revokes a raft of web security certificates
2020-07-13 14:36

Digicert is one of the Big Five commercial CAs, short for certificate authorities - companies that sign and vouch for the digital certificates that put the S in HTTPS and the padlock in your browser's address bar. The simplest form of web certificate is called self-signed, and anyone can create a self-signed certificate in seconds that claims to represent any web property they like.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle
2020-07-10 00:29

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities had issued EV certs to customers despite not being included in DigiCert's WebTrust audits - which goes against the rules for EV certs. "Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT."

Google joins Apple in limiting web certificates to one year
2020-06-30 16:53

Google, it seems, is joining Apple in limiting the maximum validity of web security certificates - those digitally signed blobs of data that put the S in TLS and the padlock in your address bar - to just one year. Others ask why a year is seen as "too long" given that certificate authorities such as Let's Encrypt are already issuing certificates that are only valid for three months at a time, thanks to a smoothly automated process for renewal.

Expiring security certificates may start shutting down IoT devices
2020-06-25 18:46

A security expert predicts trouble ahead for IoT device makers and customers due to expired root SSL certificates. Dunlap and cyber security specialists are tracking the impact of expiring Certificate Authority root SSL certificates on smart devices, including smart TVs, fridges, lightbulbs, and other IoT devices.

The state of OpenPGP key servers: Kristian, can you renew my certificate? A month later: Kristian? Ten days later: Too late, it’s expired
2020-06-24 00:05

"Hi all, Has anyone seen or heard from Kristian in the last month or so?" asked Todd Fleisher earlier this month - in fact, 11 June - on the main mailing list for an important cluster of OpenPGP key servers. Fiskerstrand, who had seemingly gone AWOL, issues cryptographic certificates to servers that join the SKS keyserver pools, allowing these volunteer machines to share the load in securely handling key lookup requests.

An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher
2020-06-10 10:00

Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned. In order to validate the certificate the client must have a trusted root certificate from the issuing authority, and this, says Helme, is a problem for devices that never get updated.