Identity Pinning and reduction of maximum validity period

The CA/Browser Forum has voted (cf. https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/9768xgUUfhQ?pli=1) to eventually reduce the maximum validity period for an SSL certificate from 398 days to 47 days by March 2029.

This makes statically pinning a leaf certificate rather challenging. What are the consequences for App Transport Security Identity Pinning as it exists today?

Accepted Answer
What are the consequences for App Transport Security Identity Pinning as it exists today?

Both NSPinnedCAIdentities and NSPinnedLeafIdentities pin Subject Public Key Info structures, not certificates as a whole. As long as the public key doesn’t change when the certificate is re-issued, it’ll have no effect on ATS.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
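
The point of the answer above, as an added example that is not part of the original thread and not Apple's code: the pinned value is the Base64 SHA-256 digest of the DER SubjectPublicKeyInfo, so a re-issued certificate keeps its pin only while the key is reused. The three certificates are constructed, certificate-shaped DER with placeholder key and signature bytes, and every function name is hypothetical.

```python
import base64, hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo element (header included) out of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)              # Certificate
    _, pos, _ = read_tlv(cert, pos)            # tbsCertificate
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _ in range(5):                         # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)            # subjectPublicKeyInfo
    return cert[pos:end]

def spki_pin(cert):
    """Base64 of SHA-256 over the SPKI, independent of serial, validity and signature."""
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

# --- constructed sample data below: not real certificates or keys ---
def tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_spki(point):
    ec = tlv(0x06, bytes.fromhex("2a8648ce3d0201")) + tlv(0x06, bytes.fromhex("2a8648ce3d030107"))
    return tlv(0x30, tlv(0x30, ec) + tlv(0x03, b"\x00\x04" + point))

def sample_cert(serial, not_before, not_after, spki):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))    # ecdsa-with-SHA256
    name = tlv(0x30, b"")                                            # empty issuer/subject
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(64)))    # dummy signature

KEY_1, KEY_2 = sample_spki(bytes(range(64))), sample_spki(bytes(range(64, 128)))
ORIGINAL = sample_cert(1, b"250101000000Z", b"260203000000Z", KEY_1)  # 398-day cert
RENEWED = sample_cert(2, b"260201000000Z", b"260320000000Z", KEY_1)   # 47-day reissue, same key
REKEYED = sample_cert(3, b"260201000000Z", b"260320000000Z", KEY_2)   # reissue with a new key
```

`spki_pin(ORIGINAL)` and `spki_pin(RENEWED)` are equal although the certificates differ, while `spki_pin(REKEYED)` changes; `spki_pin` also accepts a real DER-encoded certificate.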

Thanks Quinn; I'll file this under "think first, ask later"
