Why Is There A Limited PKI Certificate Validity Period?
SSL exists to provide a method of encrypting and decrypting information through public key cryptography, so that information can be sent over the internet with security, trust and confidence. This can include financial or personal information sent from a browser to a website's server, or information protected while it travels through email.
This is done through a complex set of mathematical algorithms and security protocols that ensure the encryption and decryption meet specific standards and are universally accepted. If these standards were not in place, security would be random and sporadic, nobody could trust it, and ecommerce or any other exchange of information over the internet would be inhibited.
In addition to the public key cryptography component of Public Key Infrastructure, there is also the use of digital certificates. These may be used to secure websites, as with domain SSL/TLS products, or they may be Personal Authentication Certificates. Personal Authentication Certificates are also called Email or Client certs.
In addition to binding the keys to the certificate and the certificate to the owner, these digital documents also provide information about the owner. This transparency in ownership of the domain (website) is important for consumer confidence and the ability to transmit documents through email systems using PKI and have them be legally accepted in business as well as in a court of law.
It isn't difficult to understand why SSL/TLS products are so critical to online business and information exchange. So, many people ask: if they are so essential, why is there a built-in PKI certificate validity period?
In fact, at first glance, it may seem to be a more secure environment to do away with the PKI certificate validity period and have the Certificate Authority issue certificates that were valid until they were revoked. After all, this would allow continual coverage for security without any potential gaps if a certificate were to slip through the cracks unnoticed.
While this may seem like a good idea, it is also much less trustworthy and much more problematic for both website administrators and owners as well as for CAs.
The Security Issues
The most important aspect of any digital certificate is the validation process completed by the CA. There are three basic validation levels for SSL/TLS products for domains, and different classes of PKI certs depending on the level of validation required. The more security matters, the higher the class of the certificate and the more thorough the validation.
If there were no PKI certificate validity period on a certificate, then whenever a domain owner or administrator wanted to change the certificate type or the level of security provided, the Certificate Authority would have to revoke the original certificate and then issue a new cert. While this can be done today, most people choose to simply wait until their PKI certificate validity period is over and then upgrade or change.
When a certificate is revoked by a CA, the revocation does not take effect instantaneously. Plus, that cert may be used in different certificate chains throughout the internet. These intermediate certificates are typically not the same as the certificates that website owners are using, but again this is not always the case, particularly for business and enterprise Public Key Infrastructure solutions and options.
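The point that revocation is not instantaneous is easiest to see with a small relying-party model. The following Python is an added illustration, not Comodo's code or any library's implementation: a toy client accepts a certificate only inside its validity window and only if the serial number is absent from the CRL it last downloaded, and a simulation measures how long a revoked certificate keeps being accepted when the client refreshes its CRL once a day, with and without an expiry date. All certificates, serial numbers, times and refresh intervals are constructed for the example.

```python
# Added illustration (not Comodo's or any library's code): a toy relying party
# and a simulation of how long a revoked certificate stays accepted when the
# client only refreshes its CRL periodically. Every value below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_before: datetime
    not_after: Optional[datetime]   # None models a hypothetical "valid until revoked" cert


@dataclass(frozen=True)
class CRL:
    this_update: datetime           # when this copy of the list was produced
    revoked: frozenset              # serial numbers listed as revoked


def check_cert(cert: Cert, now: datetime, crl: CRL) -> Tuple[bool, str]:
    """Relying-party decision: validity window first, then the revocation list."""
    if now < cert.not_before:
        return False, "not yet valid"
    if cert.not_after is not None and now > cert.not_after:
        return False, "expired"
    if cert.serial in crl.revoked:
        return False, "revoked"
    return True, "ok"


def ca_crl(serial: int, revoked_at: datetime, at: datetime) -> CRL:
    """The CA's list as published at time `at`: it names `serial` only once revoked."""
    return CRL(at, frozenset({serial}) if at >= revoked_at else frozenset())


def last_accepted(cert: Cert, revoked_at: datetime, first_fetch: datetime,
                  refresh: timedelta, horizon: datetime,
                  step: timedelta = timedelta(hours=1)) -> Optional[datetime]:
    """Step through time from the client's first CRL download to `horizon`.

    The client re-downloads the CRL every `refresh`; between downloads it keeps
    trusting its stale copy. Returns the last instant the client still accepted
    the certificate, or None if it never did.
    """
    client_crl = ca_crl(cert.serial, revoked_at, first_fetch)
    next_fetch = first_fetch + refresh
    now, last_ok = first_fetch, None
    while now <= horizon:
        if now >= next_fetch:                       # client refreshes its CRL copy
            client_crl = ca_crl(cert.serial, revoked_at, now)
            next_fetch += refresh
        if check_cert(cert, now, client_crl)[0]:
            last_ok = now
        now += step
    return last_ok


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: the CA revokes at 06:00 on day 1, the client fetched its
    CRL at 00:00 and refreshes daily; compare an open-ended cert with one that
    expires at 15:00, and show the gap left by a client that never refreshes."""
    t0 = datetime(2024, 1, 1, tzinfo=UTC)
    revoked_at = t0 + timedelta(hours=6)
    horizon = t0 + timedelta(days=4)
    daily, stale = timedelta(days=1), timedelta(days=30)
    issued = t0 - timedelta(days=30)
    open_ended = Cert(1001, "CN=example.test", issued, None)
    short_lived = Cert(1002, "CN=example.test", issued, t0 + timedelta(hours=15))

    def iso(t: Optional[datetime]) -> Optional[str]:
        return None if t is None else t.isoformat()

    return {
        "open_ended_daily_crl": iso(last_accepted(open_ended, revoked_at, t0, daily, horizon)),
        "short_lived_daily_crl": iso(last_accepted(short_lived, revoked_at, t0, daily, horizon)),
        "open_ended_stale_crl": iso(last_accepted(open_ended, revoked_at, t0, stale, horizon)),
        "revoked_check": check_cert(open_ended, horizon, ca_crl(1001, revoked_at, horizon))[1],
        "expired_check": check_cert(short_lived, horizon, CRL(horizon, frozenset()))[1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the constructed scenario the open-ended certificate is still accepted for the rest of day 1 even though the CA revoked it at 06:00, because the client trusts its stale CRL until the next daily download; the certificate with a 15:00 expiry is cut off by its `notAfter` regardless of how slowly revocation propagates; and a client that never refreshes keeps accepting the open-ended certificate for the entire simulated period. That last case is exactly the gap a bounded validity period closes.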
It is also very common for an organization (business) to change over time. This may make some or most of the information on the certificate invalid. Unless the organization is required to provide current and accurate information on a regular basis, the CA would have no way to know that the certificate data is outdated or perhaps obsolete.
This, in turn, would lead to a decrease in customer confidence, not only in the reputation of the specific CA but also in all online ecommerce transactions and transmission of personal or financial information.
While doing away with the PKI certificate validity period may seem like a good idea at first glance, once the possible security issues that choice could cause are understood, it becomes clear that it is a real security risk.
At Comodo, we offer one, two and three year certs for most of our SSL/TLS and PKI certificates. To learn more about our products or to discuss options, pricing and features of the certs, be sure to give us a call at +1 888 266 6361. If you would prefer to read more about the different products, browse around online at https://www.instantssl.com, where we are always available through the text chat on each page.