<div dir="ltr"><div class="" style="font-family:-moz-fixed;font-size:12px" lang="x-western"><pre>Hi Ben,
Discussion seems to have petered out, and I think we are pretty close to
a workable ballot. Would you be interested in modifying this ballot to
the below and posting it as a final ballot for a vote?
-- Motion Begins --
Statement of intent:
As demonstrated in
<a class="" href="https://events.ccc.de/congress/2008/Fahrplan/attachments/1251_md5-collisions-1.0.pdf">https://events.ccc.de/congress/2008/Fahrplan/attachments/1251_md5-collisions-1.0.pdf</a>,
hash collisions can allow an attacker to forge a signature on the
certificate of their choosing. The birthday paradox means that, in the
absence of random bits, the security level of a hash function is half
what it should be. Adding random bits to issued certificates mitigates
collision attacks and means that an attacker must be capable of a much
harder preimage attack. For a long time the BRs have encouraged adding
random bits to the serial number of a certificate, and it is now common
practice. This ballot makes that best practice required, which will make
the Web PKI much more robust against all future weaknesses in hash
functions. Additionally, it replaces "entropy" with "CSPRNG" to make the
requirement clearer and easier to audit, and clarifies that serial
number must be positive.
In Section 1.6.1 of the Baseline Requirements,
ADD
CSPRNG: A random number generator intended for use in cryptographic system.
In Section 7.1 of the Baseline Requirements,
REPLACE
"CAs SHOULD generate non-sequential Certificate serial numbers that
exhibit at least 20 bits of entropy."
WITH
"Effective September 30, 2016, CAs SHALL generate Certificate serial
numbers greater than zero (0) containing at least 64 bits of output from
a CSPRNG."
-- Motion Ends --
GitHub pull request: <a class="" href="https://github.com/cabforum/documents/pull/24">https://github.com/cabforum/documents/pull/24</a>
</pre></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 18, 2016 at 3:45 PM, Ben Wilson <span dir="ltr"><<a href="mailto:ben.wilson@digicert.com" target="_blank">ben.wilson@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">On the cablint report for the 20 bits of entropy, <a href="https://crt.sh/?cablint=38" target="_blank">https://crt.sh/?cablint=38</a>, there are 20 certificates that were listed. If this changes to 64 bits, how many more certificates will be on the list?<u></u><u></u></span></p><p class="MsoNormal"><a name="m_-6300246916968660747__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></a></p><span></span><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ben Wilson<br><b>Sent:</b> Monday, April 18, 2016 10:25 AM<br><b>To:</b> CABFPub <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br><b>Subject:</b> [cabfpub] FW: Pre-Ballot 164 - Certificate Serial Number Entropy<u></u><u></u></span></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Forwarding<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Kane York [<a href="mailto:kanepyork@gmail.com" target="_blank">mailto:kanepyork@gmail.com</a>] <br><b>Sent:</b> Monday, April 18, 2016 10:23 AM<br><b>To:</b> Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank">ben.wilson@digicert.com</a>>; Erwann Abalea <<a href="mailto:Erwann.Abalea@docusign.com" target="_blank">Erwann.Abalea@docusign.com</a>><br><b>Cc:</b> <a href="mailto:questions@cabforum.org" target="_blank">questions@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><div><div><div><div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">On Fri, Apr 15, 2016 at 7:52 AM Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank">ben.wilson@digicert.com</a>> wrote:<u></u><u></u></p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I didn’t think it was that simple. For instance, see <a href="https://en.wikipedia.org/wiki/Password_strength" target="_blank">https://en.wikipedia.org/wiki/Password_strength</a> </span><u></u><u></u></p><p class="MsoNormal"><a name="m_-6300246916968660747_m_-5238551272401774583__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></a><u></u><u></u></p><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Erwann Abalea [mailto:<a href="mailto:Erwann.Abalea@docusign.com" target="_blank">Erwann.Abalea@docusign.com</a>] <br><b>Sent:</b> Friday, April 15, 2016 8:44 AM<br><b>To:</b> Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank">ben.wilson@digicert.com</a>><br><b>Cc:</b> CABFPub <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span><u></u><u></u></p></div></div></div></div><div><div><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br><b>Subject:</b> Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy</span><u></u><u></u></p></div></div></div></div><div><div><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal">Bonjour, <u></u><u></u></p><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">20 bits of entropy is the same as 20 bits unpredictable bits.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><div><p class="MsoNormal">Whence, 64 bits of entropy is a higher requirement than 20 bits of entropy.<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p><div><div><p class="MsoNormal">Cordialement,<u></u><u></u></p></div><div><p class="MsoNormal">Erwann Abalea<u></u><u></u></p></div></div></div></div></div></blockquote><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">No, it definitely is that simple.<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I think the confusion here is the definition of "hex characters".<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">> <span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Our CA issues certificates with 32 hexadecimal characters for the serial number.</span><u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal">This is not possible - you cannot have 32 ASCII characters in the serial number.<u></u><u></u></p><div><p class="MsoNormal">The most likely truth given that explanation is that you have <b>16 fully random bytes</b>. Which would be 16 * 8 = 128 random bits, satisfying the entropy requirements.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">3 fully random bytes would satisfy the 20-bit requirement.<u></u><u></u></p></div><div><p class="MsoNormal">6 fully random hexadecimal ASCII characters encoded in the serial number would satisfy the 20-bit requirement.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">8 fully random bytes is required to satisfy the 64-bit requirement.<u></u><u></u></p></div><div><p class="MsoNormal">16 bytes with 4 bits of entropy each, which ASCII-encoded hexadecimal would be, would satisfy the entropy requirement and leave you 3.875 bytes left over for other information.<u></u><u></u></p></div></div><div><p class="MsoNormal"> <u></u><u></u></p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"><div><div><div><p class="MsoNormal"> <u></u><u></u></p><div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal">Le 15 avr. 2016 à 16:32, Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank">ben.wilson@digicert.com</a>> a écrit :<u></u><u></u></p></div><p class="MsoNormal"> <u></u><u></u></p><div><div><p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Forwarding</span><u></u><u></u></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><u></u><u></u></p></div><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><div><p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Man Ho (Certizen) [<a href="mailto:manho@certizen.com" target="_blank"><span style="color:purple">mailto:manho@certizen.com</span></a>] <br><b>Sent:</b> Thursday, April 14, 2016 7:51 PM<br><b>To:</b> Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank"><span style="color:purple">ben.wilson@digicert.com</span></a>>; Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank"><span style="color:purple">sleevi@google.com</span></a>><br><b>Cc:</b> <a href="mailto:public@cabforum.org" target="_blank"><span style="color:purple">public@cabforum.org</span></a><br><b>Subject:</b> Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy</span><u></u><u></u></p></div></div></div><div><p class="MsoNormal" style="background:white"> <u></u><u></u></p></div><p class="MsoNormal" style="margin-bottom:12.0pt;background:white">Ben,<br><br>We had already changed our system to issue SSL certificates with 20 hexadecimal characters of at least 20-bit of entropy since 2014. I'm just wondering why the requirement is changed from "bits of entropy" to "unpredictable bits", which I don't understand the conversion (like "cm" to "inch" :). I don't know whether our software vendor understands it.<br><br>Man<u></u><u></u></p><div><div><p class="MsoNormal" style="background:white">On 4/15/2016 4:24 AM, Ben Wilson wrote:<u></u><u></u></p></div></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">You’re right, given a randomly generated 20-byte serial number, you have 159 unpredictable bits. </span><u></u><u></u></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><u></u><u></u></p></div><div><p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [<a href="mailto:sleevi@google.com" target="_blank"><span style="color:purple">mailto:sleevi@google.com</span></a>] <br><b>Sent:</b> Thursday, April 14, 2016 2:03 PM<br><b>To:</b> Ben Wilson <a href="mailto:ben.wilson@digicert.com" target="_blank"><span style="color:purple"><ben.wilson@digicert.com></span></a><br><b>Cc:</b> Man Ho (Certizen) <a href="mailto:manho@certizen.com" target="_blank"><span style="color:purple"><manho@certizen.com></span></a>; <a href="mailto:public@cabforum.org" target="_blank"><span style="color:purple">public@cabforum.org</span></a><br><b>Subject:</b> Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy</span><u></u><u></u></p></div><div><p class="MsoNormal" style="background:white"> <u></u><u></u></p></div><div><div><p class="MsoNormal" style="background:white">Ben:<u></u><u></u></p></div><div><div><p class="MsoNormal" style="background:white"> <u></u><u></u></p></div></div><div><div><p class="MsoNormal" style="background:white">Are you sure your math is correct? A serial number is 20 bytes, with the high bit needing to be 1 (for the encoding of positive INTEGERS within DER). This leaves 159 bits for entropy. So you certainly can't have more unpredictable bits than that :)<u></u><u></u></p></div></div></div><div><div><p class="MsoNormal" style="background:white"> <u></u><u></u></p></div><div><div><p class="MsoNormal" style="background:white">On Thu, Apr 14, 2016 at 12:59 PM, Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank"><span style="color:purple">ben.wilson@digicert.com</span></a>> wrote:<u></u><u></u></p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"><div><div><div><p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Man,</span><u></u><u></u></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Have you had a chance to do further research on the capabilities of your system? Our CA issues certificates with 32 hexadecimal characters for the serial number. There are 4 bits of entropy for each hexadecimal character. Therefore, our serial numbers have 128 bits of entropy and 16*32= 512 unpredictable bits. An 8-hexadecimal character serial number would have 32 bits of entropy and 128 unpredictable bits. A 20-bit entropy would be equal to 5 hexadecimal characters, or 80 unpredictable bits, so this seems like this is a downgrade to go to 64 unpredictable bits. Am I right?</span><u></u><u></u></p></div><div><p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Ben</span><u></u><u></u></p></div><div><p class="MsoNormal" style="background:white"><a name="m_-6300246916968660747_m_-5238551272401774583_m_216582708830614"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></a><u></u><u></u></p></div><div><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><div><p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Man Ho (Certizen) [mailto:<a href="mailto:manho@certizen.com" target="_blank"><span style="color:purple">manho@certizen.com</span></a>] <br><b>Sent:</b> Wednesday, March 23, 2016 12:27 AM<br><b>To:</b> Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank"><span style="color:purple">ben.wilson@digicert.com</span></a>>; </span><a href="mailto:public@cabforum.org" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:purple">public@cabforum.org</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><br><b>Subject:</b> Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy</span><u></u><u></u></p></div></div></div><div><p class="MsoNormal" style="background:white"> <u></u><u></u></p></div><p class="MsoNormal" style="margin-bottom:12.0pt;background:white">Hi all,<br><br>Is the meaning of "at least 64 unpredictable bits" setting the same or a higher requirement than "at least 20 bits of entropy" ? I'm not quite sure whether our certificate generation software has this setting in itself.<br><br>Cheers<br>Man<u></u><u></u></p><div><div><p class="MsoNormal" style="background:white">On 3/1/2016 12:21 AM, Ben Wilson wrote:<u></u><u></u></p></div></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><p class="MsoNormal" style="background:white">REPLACE <u></u><u></u></p><p class="MsoNormal" style="background:white">"CAs SHOULD generate non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy" <u></u><u></u></p><p class="MsoNormal" style="background:white">WITH <u></u><u></u></p><p class="MsoNormal" style="background:white">"Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater than zero (0) that contains at least 64 unpredictable bits." <u></u><u></u></p></blockquote><div><p class="MsoNormal" style="background:white"> <u></u><u></u></p></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank"><span style="color:purple">Public@cabforum.org</span></a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank"><span style="color:purple">https://cabforum.org/mailman/listinfo/public</span></a><u></u><u></u></p></blockquote></div><div><p class="MsoNormal" style="background:white"> <u></u><u></u></p></div></div></blockquote><div><p class="MsoNormal" style="background:white"> <u></u><u></u></p></div><p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;background:white">_______________________________________________</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br><span style="background:white">Public mailing list</span><br></span><a href="mailto:Public@cabforum.org" target="_blank"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:purple;background:white">Public@cabforum.org</span></a><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br></span><a href="https://cabforum.org/mailman/listinfo/public" target="_blank"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:purple;background:white">https://cabforum.org/mailman/listinfo/public</span></a><u></u><u></u></p></div></blockquote></div><p class="MsoNormal"> <u></u><u></u></p></div></div></div><p class="MsoNormal">_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><u></u><u></u></p></blockquote></div></div></div></div></div></div></div></div></div><br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>