GlobalSign Blog

Inside the CA/B Forum – The Force Shaping Internet Trust

This month, GlobalSign brings you another informative Trust.ID Talk podcast, “Inside the CA/B Forum - The Force Shaping Internet Trust“. To clarify key aspects of this topic, host Michelle Davidson is joined by Arvid Vermote, GlobalSign Information Security Officer. As a key contributor to the Certificate Authority/Browser Forum (CA/B Forum), Arvid provides insights into what the Forum does, how decisions get made, and why it matters to anyone relying on digital certificates and Public Key Infrastructure (PKI). 

If you’ve ever wondered who sets the rules for digital certificates, the invisible backbone of secure web traffic, you’re not alone. The CA/B Forum may not be a household name, but its decisions reverberate throughout the internet, shaping how trust is established, upheld, and safeguarded online.  

What is the Certificate Authority/Browser (CA/B) Forum? 

Think of the CA/B Forum as a global roundtable where the browser and root-program operators (Google’s Chrome, Apple, Mozilla and others), alongside technology companies such as Cisco, sit down with Certificate Authorities (CAs), including GlobalSign, Sectigo, and others. For the past 20 years, this group has quietly governed the standards that make secure browsing possible. Its mission is to create and refine the technical rules, the Baseline Requirements, that underpin PKI: the system that authenticates websites, encrypts traffic, and protects users. 

How Does it Work? 

The Forum meets in person three times a year, rotating between the Southern Hemisphere, Europe, and finally the Americas in October. In between, members hold weekly or bi-weekly virtual meetings and break into specialized working groups focused on server certificates, code signing, validation, and more. 

Membership isn’t open to just anyone. CAs must meet strict audit and operational requirements to join. Once inside, members propose changes, called ballots, which need two endorsements from other members before they go to a vote. If a ballot passes, it becomes part of the official requirements. Because the browsers’ root programs incorporate those requirements into their trust policies, a CA must comply or risk being distrusted, which can be catastrophic for its business. 

Read more about the CA/B Forum and its role in internet security 

Why the 47-Day Validity Change Matters 

One of the most seismic shifts in recent memory was the decision to reduce the maximum SSL/TLS certificate validity from 398 days to just 47 days by 2029. The reduction is phased in: 200 days from March 2026, 100 days from March 2027, and 47 days from March 2029. Google originally proposed a 90-day target; Apple accelerated the conversation with its own 47-day proposal, which the Forum adopted in 2025. 

There were two key reasons for the push for shorter lifespans: 

  • Security - A shorter validity period caps how long a compromised key or a mis-issued certificate stays usable. This matters because revocation is unreliable in practice: many clients never check CRLs or OCSP, or fail open when they can’t, so expiry is often the only hard stop. 
  • Agility - Organizations must become faster at rotating certificates, which has historically been a weak point. Even after a compromise, many teams were slow to replace certificates, leaving users exposed. 

“Shorter validity periods push certificate consumers into more agility, and for the last ten to twenty years, this has been one of the key threats throughout the whole PKI ecosystem.” – Arvid Vermote 
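As an added example (written for this post, not GlobalSign’s or the podcast’s code), here is a small Python checker for the validity caps discussed above. It takes the notBefore/notAfter lines printed by `openssl x509 -noout -dates`, measures the validity period the way the Baseline Requirements do (notBefore through notAfter inclusive, so one second longer than the naive difference), compares it with the cap in force on the issuance date, and computes a renewal deadline. The schedule dates in the code are assumptions taken from the 2025 ballot and should be checked against the current Baseline Requirements; the two-thirds-of-lifetime renewal point is an arbitrary local policy, and the sample openssl output is constructed, not from real certificates.

```python
"""Check certificate validity periods against the CA/B Forum's shrinking caps.

Added example written for this post; it is not GlobalSign's code and is not
from the podcast. The schedule dates below are the phased reductions adopted
in 2025 and are ASSUMPTIONS to be confirmed against the current Baseline
Requirements before relying on them.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# (effective date, maximum validity period in days) for certificates issued on
# or after that date. Assumed values: the first two entries are the historical
# 825- and 398-day caps, the rest the phased path down to 47 days.
VALIDITY_SCHEDULE = [
    (datetime(2018, 3, 1, tzinfo=UTC), 825),
    (datetime(2020, 9, 1, tzinfo=UTC), 398),
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]

# Format used by `openssl x509 -noout -dates`, e.g. "notAfter=Jul 17 23:59:59 2029 GMT"
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Parse the notBefore=/notAfter= lines printed by openssl into UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT).replace(tzinfo=UTC)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def validity_period_days(not_before: datetime, not_after: datetime) -> float:
    """Validity period as the Baseline Requirements measure it: notBefore through
    notAfter *inclusive* (RFC 5280), so one extra second counts. A certificate whose
    notAfter is exactly 398*24h after notBefore has a period of 398 days plus one
    second and breaks the 398-day cap; CAs therefore set notAfter one second short."""
    return (not_after - not_before + timedelta(seconds=1)) / timedelta(days=1)


def max_validity_days(issued: datetime) -> int:
    """Largest permitted validity period for a certificate issued at `issued`."""
    cap = None
    for effective, days in VALIDITY_SCHEDULE:
        if issued >= effective:
            cap = days
    if cap is None:
        raise ValueError("issuance date predates the schedule in this example")
    return cap


def check_certificate(openssl_dates: str, rotate_fraction: float = 2 / 3) -> dict:
    """Report compliance with the cap in force at issuance, and the date by which a
    replacement should be deployed. `rotate_fraction` (replace at two thirds of the
    lifetime) is a local policy assumption, not a CA/B Forum rule."""
    not_before, not_after = parse_openssl_dates(openssl_dates)
    period = validity_period_days(not_before, not_after)
    cap = max_validity_days(not_before)
    renew_by = not_before + (not_after - not_before) * rotate_fraction
    return {
        "validity_days": period,
        "cap_days": cap,
        "compliant": period <= cap,
        "renew_by": renew_by.isoformat(timespec="seconds"),
    }


# Constructed sample `openssl x509 -noout -dates` output (not real certificates).
CERT_398_DAYS = "notBefore=Jun  1 00:00:00 2025 GMT\nnotAfter=Jul  3 23:59:59 2026 GMT\n"
CERT_ONE_YEAR_2026 = "notBefore=Apr  1 00:00:00 2026 GMT\nnotAfter=Apr  1 00:00:00 2027 GMT\n"
CERT_47_DAYS = "notBefore=Jun  1 00:00:00 2029 GMT\nnotAfter=Jul 17 23:59:59 2029 GMT\n"

if __name__ == "__main__":
    for name, dates in [("398-day cert issued 2025", CERT_398_DAYS),
                        ("1-year cert issued 2026", CERT_ONE_YEAR_2026),
                        ("47-day cert issued 2029", CERT_47_DAYS)]:
        print(name, check_certificate(dates))
```

In use, feed it the output of `openssl x509 -in cert.pem -noout -dates`. Note what the 47-day case implies: with a two-thirds renewal policy the replacement has to be live about 31 days after issuance, which is only sustainable with automated issuance and deployment (ACME or equivalent) rather than calendar reminders.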

 

The Changing Landscape of PKI Governance 

Agility isn’t just about rotating certificates faster; it’s also preparation for the post-quantum era. Some experts predict that a cryptographically relevant quantum computer could break RSA within 5–10 years. NIST has standardized post-quantum cryptographic (PQC) algorithms, but none is yet permitted for publicly trusted certificates under the Baseline Requirements. Once one is approved, organizations will need to migrate quickly, and that is only realistic if issuance and deployment are already automated. 

That’s why the hybrid PKI model (here meaning a mix of publicly and privately trusted chains run side by side, not hybrid post-quantum certificates) is becoming harder to sustain. With standards evolving rapidly, many organizations are returning to public trust for critical certificates and outsourcing internal PKI to trusted providers rather than tracking every change themselves. 

Investing in agility now means fewer headaches later. It’s not just a technical shift, it’s a strategic one. 

What’s Next in PKI? 

AI is already transforming the security landscape in profound ways. While it won’t fundamentally change how PKI works at its core, it’s speeding up two major shifts.  

First, there’s growing concern about RSA being broken. The worry is that AI could give researchers new cryptanalytic tools against RSA; no such result has been published, but the concern alone is accelerating the push toward quantum-safe cryptography.  

Second, we’re seeing a steady move toward automating identity validation. Tasks that once required manual steps, like scanning passports or verifying documents through notaries, are increasingly being handled by AI. This shift is making it faster and easier to issue high-assurance certificates without compromising trust. 

The CA/B Forum isn’t just a policy body; it’s a catalyst for change. Its decisions are nudging the Internet toward a more agile, secure, and quantum-ready future. For IT leaders and security teams, the message is clear: agility isn’t optional anymore. It’s the new baseline. 

Want the full story? Discover the episode here 
