Certificate lifecycles have become consistently shorter over the past few years, making the S/MIME certificates used to secure and sign emails one of the last holdouts. Until recently, that is. Earlier this year, Apple announced its intention to limit S/MIME certificate lifespans to just 398 days, matching the maximum term length for web certificates. Furthermore, this change will be enforced as a root store requirement—which means the consequences for non-compliance could be severe for some businesses.
What are S/MIME Certificates?
Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates are used to secure and sign email communications. While other methods of email protection might scan the content of the email for risky language or links, S/MIME certificates are used to verify the sender’s identity. If the identity cannot be verified, the email is flagged as suspicious. This can help protect businesses and individuals from phishing attacks and other social engineering by eliminating the point of contact between the criminal and the victim.
S/MIME technology also encrypts communications between parties. This adds two layers of security by ensuring that sent and received messages are authentic and unaltered and preventing malware from intercepting and stealing data during transmission.
Why Shorten Lifecycles?
Apple’s announcement is unsurprising in the context of larger market trends. Certificate lifecycles have been getting shorter and shorter over the past few years as enterprises and services pursue more secure and agile public key infrastructure (PKI) solutions. Apple’s intention to limit the lifecycle of S/MIME certificates used in their email client is just another step in the march toward a more secure future.
Shortening lifespans has security benefits. The more often certificates must be renewed, the more secure they tend to be because:
• Private keys are rotated more often, which limits how long a stolen key remains useful.
• The attacker’s window of opportunity is smaller should a key become compromised.
• There are fewer opportunities for bad actors to abuse legitimately issued certificates.
• Certificates that are no longer needed expire on their own rather than lingering as valid credentials.
• Certificates are reissued regularly, so they pick up current algorithms, key sizes and profile requirements.
In short, shorter lifespans reduce the chance of human error and of gaps or lapses in security. Apple’s move toward shorter S/MIME lifespans is an effort to push the industry toward more secure email encryption.
How Will It Affect Businesses?
On the whole, shortened S/MIME certificate lifespans are unlikely to affect enterprises outside Certificate Authorities (CAs). While CAs will need to adjust their policies to comply with the 398-day limit or risk being banned from Apple’s root store, the average business or user won’t feel the effects—especially if they use Apple’s complete ecosystem. The only exception to this will be incoming emails filtered through Apple’s email client. If the certificate associated with the incoming email does not comply with the new lifespan rule, the email or sender may be flagged as untrustworthy.
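A CA or a mail administrator checking how much of an existing S/MIME inventory would trip the 398-day limit does not need an ASN.1 parser: the validity dates printed by `openssl x509 -in cert.pem -noout -dates` are enough. The following is an added example, not code from the article or from Apple, that parses that output and audits a set of certificates against the limit. It assumes the date format openssl prints (`Mon DD HH:MM:SS YYYY GMT`), counts the validity period inclusively (notAfter minus notBefore plus one second, the usual root-program convention; treated here as an assumption), and uses a constructed inventory of three sample certificates rather than real ones.

```python
"""Audit S/MIME certificate validity periods against a maximum lifespan.

Input is the text printed by `openssl x509 -in cert.pem -noout -dates`
(a notBefore= line and a notAfter= line), so no ASN.1 parsing is needed.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFESPAN_DAYS = 398                     # the limit discussed in the article
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jan  1 00:00:00 2024 GMT"

# Constructed sample outputs (not real certificates, not real openssl runs).
SAMPLE_DATES = {
    "alice@example.test": (
        "notBefore=Mar  1 00:00:00 2024 GMT\n"
        "notAfter=Apr  2 23:59:59 2025 GMT\n"
    ),
    "bob@example.test": (
        "notBefore=Jan 15 12:00:00 2023 GMT\n"
        "notAfter=Jan 15 12:00:00 2026 GMT\n"
    ),
    "carol@example.test": (
        "notBefore=Jun  1 00:00:00 2024 GMT\n"
        "notAfter=Sep  3 23:59:59 2026 GMT\n"
    ),
}


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    try:
        not_before = datetime.strptime(fields["notBefore"], OPENSSL_TIME_FMT)
        not_after = datetime.strptime(fields["notAfter"], OPENSSL_TIME_FMT)
    except KeyError as missing:
        raise ValueError(f"no {missing.args[0]} line in openssl output") from None
    # openssl prints GMT; strptime leaves the result naive, so pin it to UTC.
    return (not_before.replace(tzinfo=timezone.utc),
            not_after.replace(tzinfo=timezone.utc))


def lifespan_days(not_before, not_after):
    """Validity period in days.

    Assumption: counted with both endpoints inclusive, i.e.
    notAfter - notBefore + 1 second, so a certificate that ends at
    23:59:59 is a whole number of days long.
    """
    span = not_after - not_before + timedelta(seconds=1)
    return span.total_seconds() / 86400


def check_certificate(dates_text, max_days=MAX_LIFESPAN_DAYS, now=None):
    """Evaluate one certificate's dates; `now` is injectable for testing."""
    not_before, not_after = parse_openssl_dates(dates_text)
    now = now or datetime.now(timezone.utc)
    days = lifespan_days(not_before, not_after)
    return {
        "lifespan_days": days,
        "compliant": days <= max_days,
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
    }


def audit(inventory, max_days=MAX_LIFESPAN_DAYS, now=None):
    """Return (subject, lifespan) for certificates over max_days, longest first."""
    offenders = []
    for subject, dates_text in inventory.items():
        result = check_certificate(dates_text, max_days, now)
        if not result["compliant"]:
            offenders.append((subject, result["lifespan_days"]))
    return sorted(offenders, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for subject, days in audit(SAMPLE_DATES):
        print(f"{subject}: {days:.0f}-day lifespan exceeds {MAX_LIFESPAN_DAYS}")
```

In the constructed inventory, alice's certificate is exactly 398 days long and passes, while bob's three-year and carol's 825-day certificates are reported. Feeding real data in is a matter of running `openssl x509 -noout -dates` over each stored certificate and collecting the output per subject; the lifespan arithmetic is the same either way.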
To learn more about Apple’s S/MIME certificate lifespan policies, listen to Root Causes, episode 187, “Apple Limits Term for S/MIME Certificates.”