[cabfcert_policy] Entropy in Certificate Serial Numbers
Jeremy Rowley
jeremy.rowley at digicert.com
Wed Feb 17 15:48:49 MST 2016
The debate on the Mozilla forum is whether zero is a positive integer.
Thus, I think we need to define it.
From: policyreview-bounces at cabforum.org
[mailto:policyreview-bounces at cabforum.org] On Behalf Of Robin Alden
Sent: Wednesday, February 17, 2016 3:43 PM
To: Ben Wilson; policyreview at cabforum.org
Subject: Re: [cabfcert_policy] Entropy in Certificate Serial Numbers
Hi Ben,
I'm fine with the 'unpredictable bits' part, but the serial
number thing is already covered in RFC5280.
Why do we need it again in the BRs?
https://tools.ietf.org/html/rfc5280#section-4.1.2.2
says..
"The serial number MUST be a positive integer assigned by the CA to each
certificate. ."
Robin
From: policyreview-bounces at cabforum.org
[mailto:policyreview-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: 17 February 2016 11:46
To: policyreview at cabforum.org
Subject: [cabfcert_policy] Entropy in Certificate Serial Numbers
What about this version of a proposed revision to Section 7.1 of the BRs?
For all Certificates issued after _______, serialNumbers MUST be greater
than zero (0), and for Certificates issued to Subscribers and Intermediate
CAs, the serialNumber MUST contain at least 64 unpredictable bits.
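
Added example, not part of the original thread or any CA's code: a Python sketch of how the proposed wording ("greater than zero", "at least 64 unpredictable bits") could be met when issuing and checked on the DER content octets of a serialNumber. The function names are hypothetical; the 20-octet limit is taken from RFC 5280 section 4.1.2.2.

```python
import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber no longer than 20 octets
MIN_RANDOM_BITS = 64    # from the proposed Section 7.1 wording


def der_integer_content(value: int) -> bytes:
    """Minimal DER INTEGER content octets for a non-negative value."""
    if value < 0:
        raise ValueError("serial must not be negative")
    # bit_length() // 8 + 1 octets always leaves the top (sign) bit clear,
    # so a value with its high bit set gains a leading 0x00 octet.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def new_serial(random_octets: int = 16) -> int:
    """Draw a serial from the OS CSPRNG, keeping every random bit.

    The sign is handled by the DER encoder, not by clearing the top bit:
    masking the top bit of an 8-octet draw would leave only 63 random bits.
    """
    if random_octets * 8 < MIN_RANDOM_BITS:
        raise ValueError("fewer than 64 random bits requested")
    while True:
        n = int.from_bytes(secrets.token_bytes(random_octets), "big")
        if n > 0 and len(der_integer_content(n)) <= MAX_SERIAL_OCTETS:
            return n


def check_serial(content: bytes) -> list[str]:
    """List the problems in the content octets of a serialNumber INTEGER.

    Unpredictability is a property of the generator and cannot be
    verified from a single serial, so it is not checked here.
    """
    if not content:
        return ["empty INTEGER"]
    problems = []
    if len(content) > MAX_SERIAL_OCTETS:
        problems.append("longer than 20 octets")
    if content[0] & 0x80:
        problems.append("negative (high bit set)")
    elif int.from_bytes(content, "big") == 0:
        problems.append("zero is not greater than zero")
    return problems
```
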