<div dir="ltr">Or, put conversely, why should it?<div><br></div><div>Date/time is one we certainly need to be careful with; Microsoft for many years forbid its use as a source of entropy. I've seen a CA argue that they've placed 32 bits of entropy, since they set the seconds field of notBefore / notAfter. Given that the seconds value can only contain values 1-6 in the first digit, and 0-9 in the second, that's 2.5 bits + 3.33 bits - or effectively, a total of 11.6 bits - assuming I can math, which is a generous assumption.</div><div><br></div><div>CAs already have an obligation to ensure serials are unique, so if the CA should have a mistake and *not* be generating entropy, that'd also be far more noticable than if the RNG got stuck on 00:00:00 for entropy in dates.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 26, 2016 at 5:43 PM, Brown, Wendy (10421) <span dir="ltr"><<a href="mailto:wendy.brown@protiviti.com" target="_blank">wendy.brown@protiviti.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Why does the entropy have to be in the serial number vs a combination of serial number and date/time bits ?<u></u><u></u></span></p>
<p class="MsoNormal"><a name="-1983989590__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></a></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Richard Barnes<br>
<b>Sent:</b> Friday, February 26, 2016 6:26 PM<br>
<b>To:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>><br>
<b>Cc:</b> CABFPub <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Subject:</b> Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Fri, Feb 26, 2016 at 6:03 PM, Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Is there a reason for the change from "entropy" to "unpredictable bits"<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Would you be opposed to "64 bits of random data from a cryptographically strong random number generator"?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The concern I have with the language change is that while "entropy" is arguably less ambiguous, I fear "unpredictable bits" will create a situation where a CA says "No one knows our [deterministic] algorithm, therefore it's unpredictable"<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I admit, I'm not terribly thrilled with my rewrite either, because I don't think it should be required to use an RNG on an HSM, for example (that's arguably overkill), but I do want to make sure that the source of entropy is cryptographically
strong (thus ruling out Microsoft's GUIDs, crappy RNGs, etc)<u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I would prefer this proposal. It provides a specific thing that can be verified (whereas "entropy" and "unpredictable" are vague statistical properties).
<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">--Richard<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<p class="MsoNormal">On Fri, Feb 26, 2016 at 1:49 PM, Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank">ben.wilson@digicert.com</a>> wrote:<u></u><u></u></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<div>
<p>For discussion:<u></u><u></u></p>
<p><b>Pre-Ballot 164 - Certificate Serial Number Entropy</b> <u></u><u></u></p>
<p>-- Motion Begins -- <u></u><u></u></p>
<p>In Section 7.1 of the Baseline Requirements, <u></u><u></u></p>
<p>REPLACE <u></u><u></u></p>
<p>"CAs SHOULD generate non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy"
<u></u><u></u></p>
<p>WITH <u></u><u></u></p>
<p>"Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater than zero (0) that contains at least 64 unpredictable bits."
<u></u><u></u></p>
<p>-- Motion Ends -- <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__cabforum.org_mailman_listinfo_public&d=CwMFaQ&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=CBPcrHveVS6JeW8_gWG0NRDQwKKDbvlAqGnuc-opZ58&m=gLfqC3w5Q3KWZIqYA3p1oVBUpJRLnT0Sn6QRxHzrcbk&s=nCLIEUA1hig93WH1Iz1Z5uXl3uOXAsav6dZCFhfAXJo&e=" target="_blank">https://cabforum.org/mailman/listinfo/public</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__cabforum.org_mailman_listinfo_public&d=CwMFaQ&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=CBPcrHveVS6JeW8_gWG0NRDQwKKDbvlAqGnuc-opZ58&m=gLfqC3w5Q3KWZIqYA3p1oVBUpJRLnT0Sn6QRxHzrcbk&s=nCLIEUA1hig93WH1Iz1Z5uXl3uOXAsav6dZCFhfAXJo&e=" target="_blank">https://cabforum.org/mailman/listinfo/public</a><u></u><u></u></p>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div></div></div>
NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer
attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions
expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you
have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you.
</div>
</blockquote></div><br></div>