[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
richard.smith at comodo.com
Thu Apr 28 20:15:34 UTC 2016
I do think this brings up a good point though. This has come up before
under other ballots requiring code changes to CA core systems. I think
that any change requiring such code changes should have a minimum lead
time of 6 months from passage of the ballot before becoming mandatory,
unless it is deemed to be a security threat sufficient to require more
immediate action. Admittedly I do not have the technical expertise to
know if this is such a case.
On 4/28/2016 11:07 AM, Ryan Sleevi wrote:
> On Thu, Apr 28, 2016 at 5:16 AM, Eneli Kirme <Eneli.Kirme at sk.ee
> <mailto:Eneli.Kirme at sk.ee>> wrote:
> The current requirement was part of root program conditions
> already before first version of BR-s were published and could be
> taken as a requirement while developing or purchasing the CA
> Actually, at the time the BRs were published, the requirement was 64
> bits. The BRs were looser (to 20 bits) than what Microsoft was requiring.
> As the vendor claimed compliance, we believe to be compliant.
> Changing to 64 bits may or may not make a difference - we have to
> check with the vendor. Adding some other restrictions on the types
> of acceptable RNGs is another change in requirements that may or
> may not make a difference.
> We also have to check with the auditors about what evidence they
> would like to see to believe that long enough seemingly random
> number comes from an acceptable source.
> But the question is more general - to which level you expect a CA
> to have control over the software it is using and to which level
> auditors should have access to it?
> The expectation is that all CAs will be following the latest-published
> BRs, per Section 2.2 of the BRs, specifically:
> [Name of CA] conforms to the current version of the Baseline
> Requirements for the Issuance and Management of Publicly-Trusted
> Certificates published at http://www.cabforum.org. In the event of any
> inconsistency between this document and those Requirements, those
> Requirements take precedence over this document.
> To the extent a given CA has concerns about the BRs, such as the
> timing of the deployment of updated software, that's useful
> information to bring forward during the discussion of the proposed
> changes, and may inform the voting on the ballot. But once a ballot
> has passed, the expectation is that the CA will adopt it operationally
> "immediately", even if the audit criteria for it is developed, and the
> audit expectation of compliance is not enforced until the audit
> criteria are adopted.
> This was discussed during the Scottsdale F2F as understanding when
> ballots come into effect - when the consensus about the understanding
> that the above clause represents an expectation to adopt immediately.
> That naturally follows that CAs should be prepared to adopt the
> Ballots as they're published, or their effective date, or to
> understand what challenges might exist to prevent that.
> That said, if there's concern about timing, arguably it's useful to
> know concretely what the timing is.
> Public mailing list
> Public at cabforum.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public