
Apple vs. The CAs: The Day One Company Changed Internet Security Forever

February 2020. Bratislava, Slovakia. The CA/Browser Forum face-to-face meeting.

A room full of Certificate Authority executives who'd successfully killed every attempt to shorten certificate lifetimes. They'd just stonewalled another attempt at shorter certificates. Business as usual.

Then Apple stood up.

"Effective September 1, 2020, certificates valid for more than 398 days will not be trusted."

No vote. No consensus. Just done.

The room went silent. Then exploded.

The Setup

For context, browsers had been trying to reduce certificate lifetimes since 2017. The whole industry knew 47-day certificates were coming eventually. But the CAs had a beautiful voting bloc. Every proposal died the same way:

Browsers: "Shorter certificates are safer."
CAs: "Our customers aren't ready."
Vote fails.

Rinse. Repeat. Cash checks.

Google tried with Ballot 185 in 2017. Failed.
Google, Apple, and Let's Encrypt tried with SC22 in 2019. Failed.

The CAs thought they'd figured out the game. Control the votes, control the timeline, control the revenue.

The Blindside

Apple's announcement wasn't even on the agenda.

They just stood up during their Root Program update and dropped the bomb. Here's the actual quote that changed everything:

"Given the challenges of reaching consensus within the Forum, Apple is moving forward with a unilateral requirement."

Translation: "You had your chance to play nice."

Chris from Entrust captured the CA panic perfectly: "The Forum was created to set these policies together. This undermines the entire process."

Yeah, Chris. That's the point.

The Fallout Was Immediate

Within 72 hours:

  • Mozilla signaled they'd probably follow
  • Google started drafting similar requirements
  • Microsoft began "evaluating alignment opportunities"

Corporate speak for: "Apple just gave us cover to do what we wanted anyway."

The CAs suddenly discovered they could implement automation after all. Amazing how fast "impossible" becomes "challenging but feasible" when Safari won't load your certificates.
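To make the "Safari won't load your certificates" line concrete, here is a small check, added for this post and not taken from Apple, the CA/Browser Forum or any CA, that computes a certificate's validity window from the `notBefore`/`notAfter` strings that Python's `ssl.getpeercert()` returns and compares it against the 398-day limit. It assumes the limit applies to certificates whose `notBefore` is on or after 1 September 2020 UTC and that earlier certificates are untouched (that reading of the policy is the author's own), and the sample dates are constructed. The `max_days` parameter is there so you can try 47 as well.

```python
"""Check whether a TLS certificate's validity window fits a maximum-lifetime policy.

Added example: parses the notBefore/notAfter strings returned by ssl.getpeercert()
and tests them against Apple's 398-day limit (and, optionally, any other limit).
"""
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398
# Assumption: the limit applies to certificates issued on or after 1 Sep 2020 UTC,
# using notBefore as the issuance date; anything earlier is left alone.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Date layout used by ssl.getpeercert() for notBefore/notAfter, e.g. "Sep  1 00:00:00 2020 GMT"
_CERT_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_time(value: str) -> datetime:
    """Parse an ssl-module certificate timestamp into an aware UTC datetime."""
    normalized = " ".join(value.split())  # collapse the padded day field ("Sep  1")
    return datetime.strptime(normalized, _CERT_TIME_FMT).replace(tzinfo=timezone.utc)


def validity_days(not_before: str, not_after: str) -> float:
    """Length of the validity window in days (fractional if the times differ)."""
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    return (end - start).total_seconds() / 86400


def safari_would_trust(not_before: str, not_after: str, max_days: int = MAX_VALIDITY_DAYS) -> bool:
    """True if the window is within max_days, or the cert predates the policy start."""
    if parse_cert_time(not_before) < POLICY_START:
        return True  # issued before the policy took effect: not subject to the limit
    return validity_days(not_before, not_after) <= max_days


def check_peercert(cert: dict, max_days: int = MAX_VALIDITY_DAYS) -> dict:
    """Evaluate a dict shaped like ssl.getpeercert() and report days and verdict."""
    days = validity_days(cert["notBefore"], cert["notAfter"])
    return {
        "days": days,
        "trusted": safari_would_trust(cert["notBefore"], cert["notAfter"], max_days),
    }


if __name__ == "__main__":
    # Constructed sample: a two-year certificate issued two weeks after the cutoff.
    two_year = {"notBefore": "Sep 15 00:00:00 2020 GMT", "notAfter": "Sep 15 00:00:00 2022 GMT"}
    # Constructed sample: a 90-day certificate of the kind automation hands out.
    ninety_day = {"notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Apr  1 00:00:00 2021 GMT"}
    for label, cert in (("2-year", two_year), ("90-day", ninety_day)):
        print(label, check_peercert(cert))
```

To run it against a live server, pass the dict from `ssl.SSLSocket.getpeercert()` (the one returned after a verified handshake) to `check_peercert`; the two sample dicts above only exist to show the shape.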

Why Apple Could Do This

Here's what the CAs missed: The browsers hold all the cards.

Think about it. What's a Certificate Authority without browser trust? A random company with expensive HSMs and nobody to sell to.

But a browser without one specific CA? Still works fine. Hundreds of other CAs eager to comply.

Apple understood the assignment. They didn't need consensus. They needed Safari to be secure.

The Beautiful Irony

Remember all those enterprise customers who "couldn't possibly handle" shorter certificates?

Turns out they could.

Remember the complex approval processes that made automation "impossible"?

Suddenly solvable.

Remember the legacy systems that would "never support" 398-day certificates?

Miraculously updated.

All it took was one company saying "We're done waiting."

The Lesson

The Bratislava announcement taught everyone a simple truth: Standards bodies only work when everyone wants to standardize.

When half the room profits from the problem, you don't get solutions. You get committees.

Apple didn't fix the committee. They made it irrelevant.

And that's how certificate lifetimes went from "impossible to reduce" to "reducing whether you like it or not" in one Wednesday afternoon in Slovakia.

The CAs learned something that day: You can stonewall a committee. You can't stonewall reality.
