[cabfpub] Definition of Random Value on draft ballot re new domain validation methods

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Tue May 5 01:37:44 UTC 2015

The definition of Random Value on the domain validation draft ballot reads as follows:

Random Value: A value specified by a CA to the Applicant that exhibits 128 bits of entropy.

The problem is, one of the most common random number generating tools is the MS GUID generator, and my understanding is that it falls just short of 128 bits of entropy.


GUIDs are usually stored as 128-bit values, and are commonly displayed as 32 hexadecimal<http://en.wikipedia.org/wiki/Hexadecimal> digits with groups separated by hyphens, such as {21EC2020-3AEA-4069-A2DD-08002B30309D}. They may or may not be generated from random (or pseudo-random<http://en.wikipedia.org/wiki/Pseudo-random>) numbers. GUIDs generated from random numbers normally contain 6 fixed bits (these indicate that the GUID is random) and 122 random bits; the total number of unique such GUIDs is 2^122 (approximately 5.3×10^36). This number is so large that the probability of the same number being generated randomly twice is negligible; however other GUID versions have different uniqueness properties and probabilities, ranging from guaranteed uniqueness to likely duplicates. Assuming uniform probability for simplicity, the probability of one duplicate would be about 50% if every person on earth as of 2014 owned 600 million GUIDs.

I think we did some testing and found the random numbers from the MS GUID generator had something like 120 bits of entropy.  Jody and Anoosh - what can you tell us?

Can we change the required level of entropy in the new definition to something like 120 bits instead?  That's still pretty high.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
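
Added example, not part of the original message: a Python sketch that locates the 6 fixed bits of a random (version 4) GUID empirically and contrasts the 122-bit layout ceiling with a full 128-bit value drawn from the OS CSPRNG. It assumes Python's `uuid.uuid4()` as a stand-in for a version 4 generator (it is not the MS GUID generator), the function names are hypothetical, and the layout bound says nothing about the quality of any generator's random source.

```python
import secrets
import uuid

ALL_128 = (1 << 128) - 1


def fixed_bit_mask(values):
    """Mask of bit positions that held the same value in every 128-bit sample."""
    all_and, all_or = ALL_128, 0
    for v in values:
        all_and &= v   # bits that were 1 in every sample
        all_or |= v    # bits that were 1 in at least one sample
    # Fixed = always 1 (all_and) or always 0 (never set in all_or).
    return (all_and | ~all_or) & ALL_128


def measure(samples=2000):
    """Count the bits that never vary across freshly generated v4 GUIDs."""
    mask = fixed_bit_mask(uuid.uuid4().int for _ in range(samples))
    return bin(mask).count("1"), mask


def max_entropy_bits(guid_text):
    """Upper bound on entropy implied by the GUID layout alone.

    Returns 122 for an RFC 4122 version 4 GUID (4 version bits and
    2 variant bits are fixed). Returns None for other versions, which
    are not built from random bits in the same way.
    """
    u = uuid.UUID(guid_text)  # accepts the {…} form used in the message
    if u.variant == uuid.RFC_4122 and u.version == 4:
        return 122
    return None


def random_value_128():
    """A value with a full 128 random bits, as 32 hex digits."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    count, mask = measure()
    print(f"fixed bits observed: {count}, mask: {mask:032x}")
    print("layout bound for the GUID quoted above:",
          max_entropy_bits("{21EC2020-3AEA-4069-A2DD-08002B30309D}"))
    print("128-bit value:", random_value_128())
```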
