[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Bruce Morton bruce.morton at entrust.com
Fri Apr 22 08:14:49 MST 2016


I would think that July 1, 2016 would be a good starting point. Would be good to get feedback from any CAs whose product does not support this.

Bruce.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, April 22, 2016 10:43 AM
To: Dimitris Zacharopoulos <jimmy at it.auth.gr>; public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

I’d like suggestions on an effective date.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dimitris Zacharopoulos
Sent: Friday, April 22, 2016 2:23 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

On 21/4/2016 4:07 AM, Jacob Hoffman-Andrews wrote:
I think the question of how to define entropy or CSPRNGs is a really good one, but I think the core of this ballot, changing a SHOULD to a SHALL, is too important to hold up on that complex question. How about a version which is strictly no more ambiguous than the current version:

"Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater than zero (0) that exhibits at least 64 bits of entropy."

Let's Encrypt would be happy to endorse such a ballot.




In order to make this rule a little clearer, we suggest changing it to:

"Effective XXXX, 2016, CAs SHALL use a Certificate serialNumber greater than zero (0) that exhibits at least 64 bits of entropy for all issued certificates, including CA certificates".

Since this discussion began in February, I suppose the effective date will be adjusted accordingly to a date after the ballot and not "April 1, 2016".


Dimitris.