2023-08-24
One challenge in reducing TLS certificate lifetimes down to 90 days
Back in March, the Chrome team said that they wanted to reduce the maximum TLS certificate duration down to 90 days (because I'm not always completely in touch with the TLS ecology, I only found out about this recently). In general I'm in favour of short TLS certificate lifetimes and in automation for TLS certificate renewals and deployment, so you might expect me to be all in favour of this. But I actually think that this proposal would cause real problems and get significant pushback from people.
(The reduction in certificate lifetime wouldn't directly affect my group, since we already get all of our TLS certificates from Let's Encrypt, which only gives out 90 day certificates.)
The problem I see is black box devices with TLS that aren't built with support for automated (certificate) management and deployment, and instead only support manual installation of new TLS certificates (for example, through an administrative web interface). One such class of devices that I'm painfully familiar with is server management processors (BMCs). A typical BMC generates (or comes with) a self-signed TLS certificate but provides some way for you to equip it with a proper TLS certificate through its web interface. We don't bother to go through the hassle of giving our BMCs proper public DNS names and then getting proper TLS certificates for them, but I'm sure there are some people who do. And I'm also sure that there are plenty of other types of black box devices and appliances out there that have similar features for their TLS support.
This sort of manual update is tolerable if you only have to do it rarely (and you don't have too many of the things to do it to). If you keep having to do it every 80 days or so, people are going to be rather unhappy. Many of these people will be in small organizations (because that's the kind of place that buys black box devices) and so not well placed to spend a bunch of money to upgrade their devices, or spend a bunch of staff time to try to automate this from the browser, or get their voices heard about the problems.
In an ideal world all of these devices would get replaced with ones that have interfaces and APIs for automated TLS certificate deployment. In the real world, that will take years even if all TLS certificates became valid for only 90 days tomorrow and the vendors of these devices were immediately forced into developing it.
(These devices aren't necessarily directly connected to the Internet, so it isn't sufficient for them to have ACME clients, although for some of them it would be a nice extra. In general they need a way to push a TLS certificate to them, often along with a private key for it.)
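If you are stuck hand-installing certificates on devices like these, the practical defensive problem with 90-day lifetimes is knowing which device needs attention before its certificate lapses. The following is an added example, not code from the original post: a small fleet expiry monitor using only the Python standard library. It completes a verified TLS handshake to each device, reads the leaf certificate's notAfter date, and sorts devices by urgency; a device that still presents a self-signed certificate fails verification and is reported as an error rather than skipped. The device names, the sample certificate dates and the 30-day renewal threshold are constructed assumptions for illustration.

```python
"""Expiry monitor for TLS certificates that are installed on devices by hand.

Added example (not the post's code). Assumes devices with proper, publicly
trusted certificates; self-signed devices show up as ERROR rows.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: with 90-day certificates, flag anything with fewer than this many
# days left so the manual re-installation can be scheduled in time.
RENEW_WITHIN_DAYS = 30


def days_until_expiry(cert, now=None):
    """cert is the dict ssl.SSLSocket.getpeercert() returns; its 'notAfter'
    field looks like 'Nov 20 00:00:00 2023 GMT'. Returns days remaining as a
    float (negative once the certificate has already expired)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     timezone.utc)
    return (expires - now).total_seconds() / 86400


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect, complete a verified handshake and return the peer cert dict.
    A self-signed BMC certificate raises ssl.SSLCertVerificationError, which is
    itself a useful signal: that device was never given a proper certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def classify(name, cert, now=None, renew_within=RENEW_WITHIN_DAYS):
    """Turn one device's certificate into a report row with a status."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "EXPIRED"
    elif days < renew_within:
        status = "RENEW"
    else:
        status = "OK"
    return {"device": name, "days_left": round(days, 1), "status": status}


def report(inventory, now=None, fetch=fetch_peer_cert):
    """inventory: iterable of (name, host, port). Returns rows with the most
    urgent devices first. Connection and verification failures become ERROR
    rows instead of being silently dropped from the report."""
    rows = []
    for name, host, port in inventory:
        try:
            cert = fetch(host, port)
        except (OSError, ssl.SSLError) as exc:
            rows.append({"device": name, "days_left": None,
                         "status": "ERROR", "detail": str(exc)})
            continue
        rows.append(classify(name, cert, now))
    order = {"ERROR": 0, "EXPIRED": 1, "RENEW": 2, "OK": 3}
    rows.sort(key=lambda r: (order[r["status"]],
                             r["days_left"] if r["days_left"] is not None else 0))
    return rows


# --- Constructed sample data so the example runs offline -------------------
SAMPLE_NOW = datetime(2023, 8, 24, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("bmc-1", "bmc-1.example.invalid", 443),
    ("bmc-2", "bmc-2.example.invalid", 443),
    ("bmc-3", "bmc-3.example.invalid", 443),
    ("bmc-4", "bmc-4.example.invalid", 443),
]
# Shaped like the dicts getpeercert() returns; only notAfter matters here.
SAMPLE_CERTS = {
    "bmc-1.example.invalid": {"notAfter": "Sep 10 00:00:00 2023 GMT"},  # 17 days
    "bmc-2.example.invalid": {"notAfter": "Nov 20 00:00:00 2023 GMT"},  # 88 days
    "bmc-3.example.invalid": {"notAfter": "Aug 01 00:00:00 2023 GMT"},  # expired
}


def sample_fetch(host, port=443, timeout=5.0):
    """Stand-in for fetch_peer_cert using the constructed data above;
    bmc-4 simulates a device that still presents a self-signed certificate."""
    if host not in SAMPLE_CERTS:
        raise ssl.SSLCertVerificationError("self signed certificate (constructed)")
    return SAMPLE_CERTS[host]


if __name__ == "__main__":
    for row in report(SAMPLE_INVENTORY, now=SAMPLE_NOW, fetch=sample_fetch):
        print(f"{row['status']:8} {row['device']:8} {row['days_left']}")
```

To run it against real devices, pass your own inventory and leave `fetch` at its default; run it from cron at a cadence well under the renewal window so a RENEW row is seen while there is still time to log into the device and install the new certificate.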