[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
jsha at letsencrypt.org
Thu Apr 28 20:53:45 UTC 2016
On Fri, Apr 22, 2016 at 9:01 AM, Tim Hollebeek <THollebeek at trustwave.com> wrote:
> This is why I proposed and continue to support an actual definition. If
> people don’t like my definition, I’m open to improvements. I don’t think
> it should be too hard to come up with one that excludes the four examples
> Doug mentioned, and I think mine currently does.
I think we're unlikely to conclusively define entropy in a way that
auditors can reasonably measure. What we want to do here is rule out
solutions that are obviously wrong. How about this:
"CAs SHALL use a Certificate serialNumber greater than zero (0) containing
at least 64 bits of output from a CSPRNG"
"CSPRNG: A random number generator intended for use in a cryptographic system"
This rules out things like GUID, which are easy to verify as not intended
for use in a cryptographic system
creating a cryptanalytic test for whether something qualifies as a CSPRNG.
That said, I still think it would be sufficient to continue to use
"entropy" without further definition, and if we can't settle on a good
definition soon, we should proceed with that approach.
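
An added example, not part of the original message: one way a CA could generate a serial that meets the proposed wording, using Python's `secrets` module as the CSPRNG. The function names are hypothetical, and the 20-octet ceiling is taken from RFC 5280 section 4.1.2.2, which the message does not mention.

```python
import secrets

MIN_CSPRNG_BITS = 64      # "at least 64 bits of output from a CSPRNG"
MAX_SERIAL_OCTETS = 20    # assumption: RFC 5280 section 4.1.2.2 size limit


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value."""
    if value < 0:
        raise ValueError("serial numbers must not be negative")
    # bit_length() // 8 + 1 leaves room for the 0x00 pad DER requires when
    # the top bit is set (otherwise the value would decode as negative).
    return value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)


def new_serial(random_bits: int = MIN_CSPRNG_BITS, rng=secrets.randbits) -> int:
    """Return a positive serial made entirely of CSPRNG output."""
    if random_bits < MIN_CSPRNG_BITS:
        raise ValueError("need at least 64 bits of CSPRNG output")
    if random_bits > MAX_SERIAL_OCTETS * 8 - 1:
        raise ValueError("would not fit in 20 octets as a positive INTEGER")
    while True:
        serial = rng(random_bits)
        if serial > 0:  # zero is excluded by "greater than zero (0)"
            return serial


def serial_is_well_formed(serial: int) -> bool:
    """Structural check only: positive and at most 20 encoded octets.
    It cannot show that the bits actually came from a CSPRNG."""
    return serial > 0 and len(der_integer_content(serial)) <= MAX_SERIAL_OCTETS


if __name__ == "__main__":
    s = new_serial()
    print(hex(s), der_integer_content(s).hex(), serial_is_well_formed(s))
```

The structural check is all an outside observer can verify from the certificate itself; whether the generator is a CSPRNG has to be established from the CA's implementation.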