[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Ben Wilson ben.wilson at digicert.com
Mon Feb 29 16:21:26 UTC 2016


April 1 is just a placeholder - because this is a pre-ballot, the actual
date will depend on the feedback we receive. I think nearly all CA
systems already do this. Who doesn’t do this yet? That’s what we need
to find out.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Saturday, February 27, 2016 11:31 AM
To: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
For clarity, I pasted in current BR 7.1 below. Later sections of Sec. 7.1
refer separately to Root Certificates, Subordinate CA Certificates, and
Subscriber Certificates (Sec. 7.1.2.1 through 7.1.2.3). So this proposal
would apply to all three categories of certificates, correct?

If we adopt this, instead of starting “Effective April 1, 2016 ***” maybe
we should say “For certificates generated on or after April 1, 2016 ***”
to make it clear that certificates generated before that date do not need to
be reissued. Also, is April 1 a little close for people to change their
systems?

7. CERTIFICATE, CRL, AND OCSP PROFILES

7.1. CERTIFICATE PROFILE

The CA SHALL meet the technical requirements set forth in Section 2.2 -
Publication of Information, Section 6.1.5 - Key Sizes, and Section 6.1.6 -
Public Key Parameters Generation and Quality Checking. CAs SHOULD generate
non-sequential Certificate serial numbers that exhibit at least 20 bits of
entropy.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Friday, February 26, 2016 1:50 PM
To: CABFPub
Subject: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
For discussion:

Pre-Ballot 164 - Certificate Serial Number Entropy

-- Motion Begins --

In Section 7.1 of the Baseline Requirements,

REPLACE

"CAs SHOULD generate non-sequential Certificate serial numbers that exhibit
at least 20 bits of entropy"

WITH

"Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater
than zero (0) that contains at least 64 unpredictable bits."

-- Motion Ends --

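As an added illustration (not part of this thread, and not code from the CA/Browser Forum or any CA) of what the pre-ballot's wording means in practice, the following Python generates a serialNumber that is greater than zero and contains at least 64 bits drawn from the operating system's CSPRNG, checks that it still fits the 20-octet DER limit RFC 5280 places on serialNumber, and runs a simple audit over a batch of issued serials to catch the sequential counters the proposal is replacing. The optional fixed prefix, the batch-audit heuristics and the sample serial values are assumptions of this example, not requirements stated in the ballot.

```python
import secrets

MIN_RANDOM_BITS = 64    # the pre-ballot's "at least 64 unpredictable bits"
MAX_SERIAL_OCTETS = 20  # RFC 5280 section 4.1.2.2: serialNumber is at most 20 octets


def der_integer_octets(value):
    """Content octets DER needs for a non-negative INTEGER.

    DER integers are two's complement, so a value whose top bit is set
    needs a leading 0x00 octet to stay positive; bit_length() // 8 + 1
    counts that octet exactly when it is required."""
    if value < 0:
        raise ValueError("expected a non-negative integer")
    return value.bit_length() // 8 + 1


def generate_serial(random_bits=MIN_RANDOM_BITS, prefix=0):
    """Draw a serial with `random_bits` bits from the OS CSPRNG.

    `prefix` is a hypothetical CA-local convention (fixed high-order bits
    such as an issuance-generation marker): the ballot only asks that the
    serial *contain* 64 unpredictable bits, so fixed bits above them are
    fine as long as the whole value still fits in 20 DER octets. A draw of
    zero is repeated so the result is always greater than zero."""
    if random_bits < MIN_RANDOM_BITS:
        raise ValueError(f"{random_bits} random bits is below the {MIN_RANDOM_BITS}-bit floor")
    widest = (prefix << random_bits) | ((1 << random_bits) - 1)
    if prefix < 0 or der_integer_octets(widest) > MAX_SERIAL_OCTETS:
        raise ValueError("prefix plus random bits would exceed 20 DER octets")
    while True:
        serial = (prefix << random_bits) | secrets.randbits(random_bits)
        if serial > 0:
            return serial


def check_serial(serial):
    """Structural checks on one serial before signing: strictly positive and
    encodable in at most 20 DER octets. Returns a list of problems; an empty
    list means the serial passes. Whether the bits were unpredictable cannot
    be judged from a single value, which is what audit_batch is for."""
    problems = []
    if serial <= 0:
        problems.append("serialNumber must be greater than zero")
    elif der_integer_octets(serial) > MAX_SERIAL_OCTETS:
        problems.append(f"DER encoding needs {der_integer_octets(serial)} octets, limit is {MAX_SERIAL_OCTETS}")
    return problems


def audit_batch(serials, random_bits=MIN_RANDOM_BITS):
    """Heuristic audit over serials issued in order (assumed to be pulled from
    the CA's own database). Flags individual structural failures, a run that
    advances by a constant step (the sequential counter the ballot replaces),
    and a batch whose widest serial is narrower than random_bits: with N
    serials of 64 random bits, every top bit is clear with probability only
    2**-N, so for a batch of reasonable size this is strong evidence the bits
    are not random."""
    findings = []
    for serial in serials:
        findings.extend(f"{serial}: {problem}" for problem in check_serial(serial))
    steps = {b - a for a, b in zip(serials, serials[1:])}
    if len(serials) >= 3 and len(steps) == 1:
        findings.append(f"serials advance by a constant step of {steps.pop()} (sequential counter)")
    widest = max((s.bit_length() for s in serials), default=0)
    if widest < random_bits:
        findings.append(f"widest serial is {widest} bits; {random_bits} random bits should have produced wider values")
    return findings


if __name__ == "__main__":
    # Constructed sample: a legacy sequential counter versus fresh random serials.
    print(audit_batch([4096, 4097, 4098, 4099]))
    print(audit_batch([generate_serial() for _ in range(16)]))
```

The DER octet check matters because a CA that pads a 64-bit random value with a long fixed prefix, or uses the full 160 bits, can produce a serial that is positive yet still not encodable within 20 octets; drawing at most 159 random bits, or checking the widest possible value up front as above, avoids that.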