After September 1, 2020, Apple’s Safari browser will no longer accept SSL/TLS Certificates with validity periods longer than 398 days (effectively one year plus a short grace period). This is after many months of debate and deliberation within the Certification Authority Browser Forum (CA/B Forum) that saw the vote to reduce validity periods defeated. Apple’s announcement effectively means they are going ahead anyway, and the unilateral change in policy renders the previous vote irrelevant – if you want Apple to trust your SSL/TLS Cert, you need to comply.

As long-time stakeholders in the CA space, we support the shortened Certificate lifetime policy. Interestingly for Ubisecure (and RapidLEI), this change creates close alignment with how the Legal Entity Identifier (LEI) system already operates.

There are security advantages to shorter-term Certificates. The shorter the validity period, the narrower the window of exposure that exists to use a compromised or mis-issued Certificate. Likewise, Organisation Validated Certs contain fixed organisation identity data, frozen in time at the point of the Certificate issuance. Organisation identity data (legal name, incorporation type, address, jurisdiction, etc.) can and does legitimately change over the lifetime of the organisation. Therefore, the shorter the validity period, the narrower the window where organisation data may change and render the identity within the Certificate inaccurate or misleading.

Renewing or revalidating Certificates or Legal Entity data every year can be challenging. That’s why automating the renewal process is essential for both Certificates and LEIs, it’s the only way to achieve scale. Most CAs have long recognised the importance of automation to ensure Certificates are replaced before expiration. The same logic applies to LEIs – to keep LEIs live and up to date in large volume (an estimated 300m organisations exist worldwide), automating the renewal period is essential. LEIs already have a maximum validity period of 365 days – at least once every year LEIs must be revalidated.

Via our RapidLEI platform, we already automate both the initial registration and the renewal of LEIs. Most LEIs are issued in a minute or two. We have built a rights governance service for entities to associate an authorised user’s rights to represent their organisation in workflows such as Certificate application. Our Right to Represent service is based around the control of the LEI that’s not dissimilar to how Admins today authorise use of domains via DNS based challenges or users authenticate themselves to third party applications using existing social, enterprise or verified identities.

The net result is that CAs that utilise LEIs as an automated source of organisation validation will be able to better deal with the increased vetting overhead that will come with shorter organisation validated Certificate periods.

We believe LEIs will deliver even higher value if the refresh period is further reduced. We are trialing automated monthly renewals, converting the LEI annual model into one of monthly subscription. It’s our view that due to critical adoption for both Certificate installation automation and LEI renewal automation that OV/EV Certificates could one day be even shorter in duration and offered via subscription. When that happens, we have built the only LEI platform to support that transformation.

One last point, unlike the hard-coded identity data within a Certificate, the LEI is a live reference and can be updated at any time to provide an accurate organisation identity to the relying party. By embedding the LEI number into Certificates, the relying party is given a reference point to a live organisation identity in a publicly accessible and challengeable organisation database. With the push within the CA/B Forum to offer users better security and user experience with Certificates, we hope that the browser vendors can embrace the value the LEI system can deliver.

In the physical world, one of the LEI’s primary uses is to be the ‘connector’ between different localised identifiers to help build an accurate and trustworthy KYC picture. Just like the physical world when it comes to online trust, there are no single silver bullet solutions. Trust is established from utilising a multitude of sources and factors. We see the use of LEIs in Certificates being no different.


Further reading:

DigiCert’s position on one-year Certificates

DigiCert and Ubisecure partner for next-generation Legal Entity Identifier organization identity solutions