[cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

Wayne Thayer wthayer at godaddy.com
Thu Oct 29 17:51:23 UTC 2015

8 bytes of entropy in the serialNumber field has been a requirement of Microsoft’s root program since 2013: http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0/revision/15.aspx

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Wednesday, October 28, 2015 2:16 PM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: Nazmus Sakib <mdsakib at microsoft.com>; Magnus Nyström <mnystrom at microsoft.com>; public at cabforum.org
Subject: Re: [cabfpub] Microsoft Proposed Updates to the SHA-1 Deprecation Timeline

On Wed, Oct 28, 2015 at 2:03 PM, Doug Beattie <doug.beattie at globalsign.com> wrote:
With the certificate serial number entropy

This is not a MUST requirement in the Baseline Requirements, unfortunately.

Section 7.1
"CAs SHOULD generate non-sequential Certificate serial numbers that exhibit at least 20 bits of entropy"

As such, it's not a terribly reliable scheme.
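The serial-number entropy the thread is arguing about, as an added example that is not part of the thread and not any CA's production code: a generator that draws the 8 bytes of CSPRNG entropy Microsoft's root program requires, and an audit routine that flags issued serials which are sequential or too small to carry the 20 bits BR section 7.1 asks for. The positive-INTEGER and 20-octet limits it checks are taken from RFC 5280, not from the thread.

```python
import secrets

# Requirements quoted in the thread: Microsoft's root program asks for 8 bytes
# of entropy in serialNumber; BR section 7.1 asks (SHOULD) for at least 20 bits.
MS_ENTROPY_BYTES = 8
BR_ENTROPY_BITS = 20
# Assumption from RFC 5280 section 4.1.2.2 (not from the thread): serialNumber
# is a positive INTEGER whose DER content is at most 20 octets.
MAX_SERIAL_OCTETS = 20


def der_octets(serial: int) -> int:
    """Number of content octets DER needs for a positive INTEGER.

    A leading 0x00 is required whenever the top bit of the value is set,
    which is why a full 64-bit random draw may encode as 9 octets.
    """
    return serial.bit_length() // 8 + 1


def generate_serial(entropy_bytes: int = MS_ENTROPY_BYTES) -> int:
    """Draw a serial carrying entropy_bytes of CSPRNG output; never zero."""
    while True:
        serial = int.from_bytes(secrets.token_bytes(entropy_bytes), "big")
        if serial > 0:
            return serial


def audit_serials(serials):
    """Return (serial, reason) findings for serials that look non-compliant.

    Heuristic only: a single serial cannot prove entropy, but tiny values
    and consecutive neighbours are strong evidence of sequential issuance.
    """
    findings = []
    issued = sorted(set(serials))
    for s in issued:
        if s <= 0:
            findings.append((s, "not a positive INTEGER"))
        elif der_octets(s) > MAX_SERIAL_OCTETS:
            findings.append((s, "DER encoding exceeds 20 octets"))
        elif s.bit_length() < BR_ENTROPY_BITS:
            findings.append((s, "below 2^20, cannot carry 20 bits of entropy"))
    for prev, cur in zip(issued, issued[1:]):
        if cur - prev == 1:
            findings.append((cur, f"consecutive with {prev}: sequential issuance"))
    return findings
```

Run `audit_serials` over the serials of a CA's issued certificates: a sequential scheme such as `[1000, 1001, 1002]` is reported on every serial, while 64-bit random draws produce no findings.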

