[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
Ben Wilson
ben.wilson at digicert.com
Thu Apr 14 19:59:30 UTC 2016
Man,
Have you had a chance to do further research on the capabilities of your
system? Our CA issues certificates with 32 hexadecimal characters for the
serial number. There are 4 bits of entropy for each hexadecimal character.
Therefore, our serial numbers have 128 bits of entropy and 16*32= 512
unpredictable bits. An 8-hexadecimal character serial number would have 32
bits of entropy and 128 unpredictable bits. A 20-bit entropy would be equal
to 5 hexadecimal characters, or 80 unpredictable bits, so this seems like
this is a downgrade to go to 64 unpredictable bits. Am I right?
Ben
From: Man Ho (Certizen) [mailto:manho at certizen.com]
Sent: Wednesday, March 23, 2016 12:27 AM
To: Ben Wilson <ben.wilson at digicert.com>; public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
Hi all,
Is the meaning of "at least 64 unpredictable bits" setting the same or a
higher requirement than "at least 20 bits of entropy" ? I'm not quite sure
whether our certificate generation software has this setting in itself.
Cheers
Man
On 3/1/2016 12:21 AM, Ben Wilson wrote:
REPLACE
"CAs SHOULD generate non-sequential Certificate serial numbers that exhibit
at least 20 bits of entropy"
WITH
"Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater
than zero (0) that contains at least 64 unpredictable bits."
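An added worked example, not part of the thread above and not code from DigiCert, Certizen or the ballot: a Python sketch of the two things being asked about, generating a serialNumber that is greater than zero and carries at least 64 bits drawn from a CSPRNG, and statically checking a serial for the properties that can be checked on a single value (sign and encoded size). The count that matters for "unpredictable bits" is the number of bits taken from the CSPRNG, not the number of hexadecimal characters in the serial; a fixed CA-chosen prefix in front of the random part lengthens the serial without adding to that count. The 20-octet cap on the DER-encoded serialNumber comes from RFC 5280 section 4.1.2.2, not from the ballot text; the prefix layout, the function names and the 0x01 profile tag are assumptions for illustration.

```python
import secrets

MIN_RANDOM_BITS = 64     # Pre-Ballot 164: at least 64 unpredictable bits
MAX_SERIAL_OCTETS = 20   # RFC 5280 s4.1.2.2: serialNumber content at most 20 octets
# DER INTEGER content is two's complement, so one of the 160 bits is the sign bit.
MAX_SERIAL_BITS = MAX_SERIAL_OCTETS * 8 - 1   # 159 bits available for a positive value


def random_serial(random_bits=MIN_RANDOM_BITS, rng=secrets.randbits):
    """Draw `random_bits` bits from a CSPRNG and return them as a serial > 0.

    `rng(k)` must return an integer in [0, 2**k); secrets.randbits is the
    default, and a deterministic stand-in can be passed for testing.
    Zero is redrawn because the ballot text requires a value greater than 0.
    """
    if random_bits < MIN_RANDOM_BITS:
        raise ValueError("serialNumber needs at least %d unpredictable bits" % MIN_RANDOM_BITS)
    if random_bits > MAX_SERIAL_BITS:
        raise ValueError("random part alone would not fit in %d octets" % MAX_SERIAL_OCTETS)
    while True:
        n = rng(random_bits)
        if n > 0:
            return n


def max_prefix_bits(random_bits=MIN_RANDOM_BITS):
    """Bits left for a fixed prefix once the random part and the DER sign bit
    are accounted for: 159 - 64 = 95 for the ballot minimum."""
    return MAX_SERIAL_BITS - random_bits


def prefixed_serial(prefix, random_bits=MIN_RANDOM_BITS, rng=secrets.randbits):
    """Hypothetical CA layout (an assumption, not a CA/B Forum rule): a fixed,
    predictable prefix such as a profile tag in the high bits and the random
    part in the low bits.

    The prefix makes the serial longer but adds nothing to the count of
    unpredictable bits, which stays at `random_bits`.
    """
    if prefix < 0 or prefix.bit_length() > max_prefix_bits(random_bits):
        raise ValueError("prefix too long for a %d-octet serial" % MAX_SERIAL_OCTETS)
    return (prefix << random_bits) | random_serial(random_bits, rng)


def der_integer_content(n):
    """Content octets of a DER INTEGER for n >= 0: minimal big-endian two's
    complement. A value whose top bit is set gains a leading 0x00 byte, which
    counts toward the 20-octet limit."""
    if n < 0:
        raise ValueError("negative serialNumber is not allowed")
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def check_serial(n):
    """Static checks on a single serialNumber value.

    Unpredictability cannot be judged from one value; what can be checked is
    the sign and the encoded size. Returns a list of problems, empty if none.
    """
    problems = []
    if n <= 0:
        problems.append("serialNumber must be greater than zero")
        return problems
    encoded = der_integer_content(n)
    if len(encoded) > MAX_SERIAL_OCTETS:
        problems.append("DER encoding is %d octets, limit is %d"
                        % (len(encoded), MAX_SERIAL_OCTETS))
    return problems


def check_serial_hex(hex_serial):
    """Same checks for a serial given as the hex string CA tooling prints,
    with or without colon separators."""
    return check_serial(int(hex_serial.replace(":", ""), 16))


if __name__ == "__main__":
    s = random_serial()
    print("64-bit random serial: %x" % s, check_serial(s))
    p = prefixed_serial(0x01)   # 0x01 stands in for a hypothetical profile tag
    print("prefixed serial: %x" % p, "DER octets:", len(der_integer_content(p)))
```

Run as a script it prints one purely random serial and one prefixed one. secrets.randbits is Python's CSPRNG interface; the rng parameter exists only so the draw can be replaced with a fixed sequence in a test, never in production.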