[cabfcert_policy] Entropy in Certificate Serial Numbers

Tim Hollebeek THollebeek at trustwave.com
Wed Feb 17 15:47:58 MST 2016


There's been a bug reported against RFC 5280 that it contradicts itself about whether zero is valid (both positive and non-negative are used in various places).  That issue has never been resolved through the errata process.

This would resolve that issue for BR certificates, by clarifying that regardless of RFC 5280 contradicting itself on the issue, zero is not valid.

-Tim

From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On Behalf Of Robin Alden
Sent: Wednesday, February 17, 2016 3:43 PM
To: 'Ben Wilson'; policyreview at cabforum.org
Subject: Re: [cabfcert_policy] Entropy in Certificate Serial Numbers

Hi Ben,
I'm fine with the 'unpredictable bits' part, but the serial number thing is already covered in RFC5280.
Why do we need it again in the BRs?

https://tools.ietf.org/html/rfc5280#section-4.1.2.2
says:

"The serial number MUST be a positive integer assigned by the CA to each certificate.  ..."

Robin


From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: 17 February 2016 11:46
To: policyreview at cabforum.org
Subject: [cabfcert_policy] Entropy in Certificate Serial Numbers

What about this version of a proposed revision to Section 7.1 of the BRs?

For all Certificates issued after _______, serialNumbers MUST be greater than zero (0), and for Certificates issued to Subscribers and Intermediate CAs, the serialNumber MUST contain at least 64 unpredictable bits.
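As an added illustration, not part of the thread or of the BRs themselves, here is a small Python check of the proposed rule applied to one serialNumber's DER INTEGER content (zero, negative and too-short values are each reported), together with a generator that satisfies the rule by construction; the fixed 0x01 leading byte is an assumed CA convention, not something the proposal prescribes.

```python
import os

MIN_ENTROPY_BITS = 64  # the proposal's "at least 64 unpredictable bits"


def new_serial(entropy_bits: int = MIN_ENTROPY_BITS) -> int:
    """Mint a serial that is always > 0 and carries entropy_bits of OS CSPRNG output.

    A fixed non-zero leading byte (0x01, an assumed convention) sits above the
    random bits, so the value can never be zero or negative whatever the
    random bytes turn out to be, and the random bits are left untouched.
    """
    rand = int.from_bytes(os.urandom(entropy_bits // 8), "big")
    return (1 << entropy_bits) | rand


def encode_der_integer_content(n: int) -> bytes:
    """Content octets of a DER INTEGER: two's complement, minimal length."""
    length = (n.bit_length() + 8) // 8  # leaves room for the sign bit
    return n.to_bytes(length, "big", signed=True)


def decode_der_integer_content(content: bytes) -> int:
    """Inverse of encode_der_integer_content (sign bit honoured as in DER)."""
    return int.from_bytes(content, "big", signed=True)


def check_serial(content: bytes, min_bits: int = MIN_ENTROPY_BITS) -> list:
    """Return the rule violations for one serialNumber; [] means it complies.

    Entropy is not observable from a single value. The length test is the
    necessary condition a linter can enforce: a value that fits in fewer than
    min_bits cannot contain min_bits of unpredictability.
    """
    problems = []
    value = decode_der_integer_content(content)
    if value == 0:
        problems.append("serialNumber is zero (must be greater than zero)")
    elif value < 0:
        problems.append("serialNumber is negative (DER sign bit set)")
    # A leading 0x00 is only permitted when the next octet has its top bit set.
    if len(content) > 1 and content[0] == 0x00 and content[1] < 0x80:
        problems.append("INTEGER content is not minimally encoded")
    if value > 0 and value.bit_length() < min_bits:
        problems.append(f"serialNumber is only {value.bit_length()} bits long; "
                        f"cannot contain {min_bits} unpredictable bits")
    return problems
```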

