[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
Richard Barnes
rbarnes at mozilla.com
Fri Feb 26 23:26:29 UTC 2016
On Fri, Feb 26, 2016 at 6:03 PM, Ryan Sleevi <sleevi at google.com> wrote:
> Is there a reason for the change from "entropy" to "unpredictable bits"
>
> Would you be opposed to "64 bits of random data from a cryptographically
> strong random number generator"?
>
> The concern I have with the language change is that while "entropy" is
> arguably less ambiguous, I fear "unpredictable bits" will create a
> situation where a CA says "No one knows our [deterministic] algorithm,
> therefore it's unpredictable"
>
> I admit, I'm not terribly thrilled with my rewrite either, because I don't
> think it should be required to use an RNG on an HSM, for example (that's
> arguably overkill), but I do want to make sure that the source of entropy
> is cryptographically strong (thus ruling out Microsoft's GUIDs, crappy
> RNGs, etc)
>
I would prefer this proposal. It provides a specific thing that can be
verified (whereas "entropy" and "unpredictable" are vague statistical
properties).
--Richard
>
> On Fri, Feb 26, 2016 at 1:49 PM, Ben Wilson <ben.wilson at digicert.com>
> wrote:
>
>> *For discussion:*
>>
>> *Pre-Ballot 164 - Certificate Serial Number Entropy*
>>
>> -- Motion Begins --
>>
>> In Section 7.1 of the Baseline Requirements,
>>
>> REPLACE
>>
>> "CAs SHOULD generate non-sequential Certificate serial numbers that
>> exhibit at least 20 bits of entropy"
>>
>> WITH
>>
>> "Effective April 1, 2016, CAs SHALL use a Certificate serialNumber
>> greater than zero (0) that contains at least 64 unpredictable bits."
>>
>> -- Motion Ends --
>>
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
>>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160226/b8598cce/attachment-0003.html>
More information about the Public
mailing list