[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
Ben Wilson
ben.wilson at digicert.com
Fri Apr 22 07:42:54 MST 2016
I’d like suggestions on an effective date.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dimitris Zacharopoulos
Sent: Friday, April 22, 2016 2:23 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
On 21/4/2016 4:07 AM, Jacob Hoffman-Andrews wrote:
I think the question of how to define entropy or CSPRNGs is a really good one, but I think the core of this ballot, changing a SHOULD to a SHALL, is too important to hold up on that complex question. How about a version which is strictly no more ambiguous than the current version:
"Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater than zero (0) that exhibits at least 64 bits of entropy."
Let's Encrypt would be happy to endorse such a ballot.
In order to make this rule a little clearer, we suggest changing it to:
"Effective XXXX, 2016, CAs SHALL use a Certificate serialNumber greater than zero (0) that exhibits at least 64 bits of entropy for all issued certificates, including CA certificates".
Since this discussion began in February, I suppose the effective date will be adjusted accordingly to a date after the ballot and not "April 1, 2016".
Dimitris.