Apple wants to shorten the lifetime of certificates

This time to only 10 days
An illustration of a network with a glowing lock

Apple wants to further shorten the lifetime of certificates. This time to just 10 days, starting 2027. I consider the cost/benefit calculation to be a bit problematic and the argumentation to be partly biased.

Shorter terms are a good idea, as they genuinely increase security. Let's Encrypt, for example, issues certificates with a lifetime of 90 days; the usual lifetime elsewhere is one year. I think a reduction from one year to 90 days or even 45 days (which Apple would like to see until 2027) is justifiable. It increases security without realistically causing problems.

There are basically two arguments against this.

The first concerns manual processes. These should no longer be used today, as they are potentially error-prone. Manual processes also take time, and 10 days would be a proper nightmare: you would become a full-time certificate juggler. But I don't think that's a valid argument, because you shouldn't be renewing by hand anymore, and systems that can't handle automation should have been replaced by then.

The second concerns the cost/benefit calculation and the increased risk that outages become relevant. I certainly agree with that one.

A reduction to a period of just 10 days is potentially problematic because a network hiccup becomes a realistic failure scenario. After 7 days you want to renew, there is a major outage, and then everyone hammers the CA's API, which only works to a limited extent. A period of 3 days of hiccups is quite realistic. And then you are left without a valid certificate.

With a period of 45 days or the 90 days of Let's Encrypt, this is rather unlikely. Even with a major hiccup you shouldn't break a sweat.

What is the problem anyway?

The main problem is that there are a few scenarios in which third parties have access to the certificates and their keys. For example, if you change your hosting provider or another service provider who needs access to the key because of the nature of the service.

The catch with the third-party argument, however, is that in normal operations these are very often second parties: the provider already had the key while it was delivering the service. Why they would suddenly turn criminal just because they have become a third party requires an explanation. They could already have done the same as second parties.

The problem is not quite as relevant as it is made out to be. But it is also not purely theoretical. It depends on many factors. A shortened term of 45 to 90 days therefore makes quite a bit of sense.

However, this is not a problem that we are constantly confronted with. There are several analyses on the subject, but hardly any statistics. You would think that a study would analyze something like this to show how relevant the problem actually is. It's a matter of weighing the risks: which risks do I reduce by doing this, and to what extent, and which risks arise as a result? DoS attacks on certification authorities, for example, become a lot more interesting. With 10 days, I only have to knock the system off track for a few days to create a relevant problem.
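To put numbers on the outage argument above (renewal after 7 of 10 days, and how many days a CA needs to be unreachable before certificates lapse), here is an added Python simulation that is not part of the original post. It assumes a client that retries once a day from a chosen certificate age; the renewal points 7 of 10, 30 of 45 and 60 of 90 days and the outage windows are constructed assumptions.

```python
"""Renewal-window simulation for short-lived certificates (added example, not from the post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RenewalPolicy:
    lifetime_days: int      # validity period of each issued certificate
    renew_after_days: int   # certificate age at which the client starts trying to renew


def outage_tolerance(policy: RenewalPolicy) -> int:
    """Longest CA outage (whole days) that still leaves no gap in coverage: the client
    first tries on day `renew_after_days`, the certificate dies on day `lifetime_days`."""
    return policy.lifetime_days - policy.renew_after_days


def simulate(policy: RenewalPolicy, outage_days: set[int], horizon_days: int) -> list[int]:
    """Day-by-day simulation of one certificate holder. `outage_days` is a constructed
    set of day numbers on which the CA is unreachable. Renewal is attempted once per day
    once the certificate is old enough; success issues a fresh certificate that day.
    Returns the days on which the holder had no valid certificate."""
    issued_on = 0                  # day 0: a fresh certificate is in place
    uncovered: list[int] = []
    for day in range(horizon_days):
        age = day - issued_on
        if age >= policy.renew_after_days and day not in outage_days:
            issued_on, age = day, 0  # renewal succeeded, certificate is fresh again
        if age >= policy.lifetime_days:
            uncovered.append(day)    # expired and could not be renewed today
    return uncovered


if __name__ == "__main__":
    # Assumed renewal points: 7 of 10 days (as in the text), 30 of 45, 60 of 90.
    policies = {"10-day": RenewalPolicy(10, 7),
                "45-day": RenewalPolicy(45, 30),
                "90-day": RenewalPolicy(90, 60)}
    # Constructed scenario: the CA is unreachable for four consecutive days,
    # exactly when the 10-day client wants to renew.
    outage = set(range(7, 11))
    for name, policy in policies.items():
        gap = simulate(policy, outage, horizon_days=120)
        print(f"{name}: tolerates {outage_tolerance(policy)} outage days; "
              f"days without a valid cert in this scenario: {gap}")
```

Running it shows that a four-day CA outage starting on day 7 leaves the 10-day holder without a valid certificate on day 10, while the 45- and 90-day holders never notice it; the same outage would have to last 31 days to hurt the 90-day holder.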

For Apple, Google (they already had the same idea) or Microsoft, this doesn't play a major role, because they are their own certification authority and are not affected by problems with the certificate mob. However, this group is also not really affected by a period of 45 or 90 days.