[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
THollebeek at trustwave.com
Thu Apr 28 21:04:12 UTC 2016
Other standards have used “entropy”, so I have quite a bit of experience hearing amusing anecdotes about conversations with auditors about Shannon entropy. The reality is that the result of those conversations is rarely productive or reaches the right result. “Unpredictable” is better, but still quite subjective.
“intended for use in a cryptographic system” is something I’d be willing to support, though “intent” is perhaps harder to measure than “uses cryptographic primitives”.
Also, it occurred to me since I wrote my definition that we do not want to preclude use of hardware sources of randomness. But that should be any easy fix.
From: Jacob Hoffman-Andrews [mailto:jsha at letsencrypt.org]
Sent: Thursday, April 28, 2016 4:54 PM
To: Tim Hollebeek
Cc: Doug Beattie; Bruce Morton; Ben Wilson; Dimitris Zacharopoulos; public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
On Fri, Apr 22, 2016 at 9:01 AM, Tim Hollebeek <THollebeek at trustwave.com<mailto:THollebeek at trustwave.com>> wrote:
This is why I proposed and continue to support an actual definition. If people don’t like my definition, I’m open to improvements. I don’t think it should be too hard to come up with one that excludes the four examples Doug mentioned, and I think mine currently does.
I think we're unlikely to conclusively define entropy in a way that auditors can reasonably measure. What we want to do here is rule out solutions that are obviously wrong. How about this:
"CAs SHALL use a Certificate serialNumber greater than zero (0) containing at least 64 bits of output from a CSPRNG"
"CSPRNG: A random number generator intended for use in cryptographic system"
This rules out things like GUID, which are easy to verify as not intended for use in a cryptographic system<http://scanmail.trustwave.com/?c=4062&d=2vii11tt_KnxUNNGioK47mD9hsLS6riEDPw1uhe4Lw&s=5&u=https%3a%2f%2fblogs%2emsdn%2emicrosoft%2ecom%2foldnewthing%2f20120523-00%2f%3fp%3d7553>, without creating a cryptanalytic test for whether something qualifies as a CSPRNG.
That said, I still think it would be sufficient to continue to use "entropy" without further definition, and if we can't settle on a good definition soon, we should proceed with that approach.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public