[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Ryan Sleevi sleevi at google.com
Tue Mar 22 01:31:21 UTC 2016


Ben,

I'm curious what next steps you'd like to see happen for this. It sounds
like the best next steps to get the response would be to force a ballot,
and see what the objections are, since the response rate to the pre-ballot
seems light.

On Mon, Feb 29, 2016 at 8:21 AM, Ben Wilson <ben.wilson at digicert.com> wrote:

> April 1 is just a placeholder - because this is a pre-ballot, the actual
> date will depend on the feedback we receive. I think nearly all CA
> systems already do this. Who doesn’t do this yet? That’s what we need to
> find out.
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On
> Behalf Of *kirk_hall at trendmicro.com
> *Sent:* Saturday, February 27, 2016 11:31 AM
> *To:* CABFPub <public at cabforum.org>
> *Subject:* Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number
> Entropy
>
> For clarity, I pasted in current BR 7.1 below.  Later sections of Sec. 7.1
> refer separately to Root Certificates, Subordinate CA Certificates, and
> Subscriber Certificates (Sec. 7.1.2.1 through 7.1.2.3).  So this proposal
> would apply to all three categories of certificates, correct?
>
> If we adopt this, instead of starting “Effective April 1, 2016 ***”  maybe
> we should say “For certificates generated on or after April 1, 2016 ***” to
> make it clear that certificates generated before that date do not need to
> be reissued.  Also, is April 1 a little close for people to change their
> systems?
>
> *7. CERTIFICATE, CRL, AND OCSP PROFILES*
>
> *7.1. CERTIFICATE PROFILE*
>
> The CA SHALL meet the technical requirements set forth in Section 2.2 –
> Publication of Information, Section 6.1.5 – Key Sizes, and Section 6.1.6 –
> Public Key Parameters Generation and Quality Checking. CAs SHOULD generate
> non-sequential Certificate serial numbers that exhibit at least 20 bits of
> entropy.
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org
> <public-bounces at cabforum.org>] *On Behalf Of *Ben Wilson
> *Sent:* Friday, February 26, 2016 1:50 PM
> *To:* CABFPub
> *Subject:* [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
>
> *For discussion:*
>
> *Pre-Ballot 164 - Certificate Serial Number Entropy*
>
> -- Motion Begins --
>
> In Section 7.1 of the Baseline Requirements,
>
> REPLACE
>
> "CAs SHOULD generate non-sequential Certificate serial numbers that
> exhibit at least 20 bits of entropy"
>
> WITH
>
> "Effective April 1, 2016, CAs SHALL use a Certificate serialNumber greater
> than zero (0) that contains at least 64 unpredictable bits."
>
> -- Motion Ends --
>
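The motion's rule (a serialNumber greater than zero carrying at least 64 unpredictable bits), worked through as an added example that is not code from the thread or from any CA's issuance system: a generator that draws the bits from the OS CSPRNG, the DER INTEGER content encoding that explains why the value must stay positive, and a checker. Function names are my own; the 20-octet ceiling is RFC 5280 section 4.1.2.2.

```python
import secrets
from typing import Callable, List

MAX_DER_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber MUST NOT exceed 20 octets


def generate_serial(entropy_bytes: int = 8,
                    rng: Callable[[int], bytes] = secrets.token_bytes) -> int:
    """Positive serial carrying 8*entropy_bytes unpredictable bits (64 by default).

    The leading 0x01 octet keeps the value > 0 and of fixed length no matter
    what the random octets are, so the high bit of the random data is never
    'spent' on sign handling.  `rng` is injectable only so tests can be
    deterministic; production callers keep the CSPRNG default.
    """
    if entropy_bytes < 8:
        raise ValueError("ballot text requires at least 64 unpredictable bits")
    return int.from_bytes(b"\x01" + rng(entropy_bytes), "big")


def der_integer_content(n: int) -> bytes:
    """Minimal two's-complement content octets of a DER INTEGER for n >= 0."""
    if n < 0:
        raise ValueError("serialNumber must be positive")
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # top bit set would decode as a negative INTEGER
        body = b"\x00" + body
    return body


def check_serial(n: int, min_unpredictable_bits: int = 64) -> List[str]:
    """Reasons a serialNumber fails the proposed rule; empty list means it passes.

    A length check is necessary but not sufficient: a 64-bit sequential counter
    would pass it.  Unpredictability can only be guaranteed at generation time,
    which is why generate_serial() sources its bits from the CSPRNG.
    """
    problems = []
    if n <= 0:
        problems.append("serialNumber must be greater than zero")
    elif n.bit_length() < min_unpredictable_bits:
        problems.append(f"only {n.bit_length()} bits; cannot hold "
                        f"{min_unpredictable_bits} unpredictable bits")
    if n > 0 and len(der_integer_content(n)) > MAX_DER_OCTETS:
        problems.append("DER encoding exceeds 20 octets (RFC 5280 4.1.2.2)")
    return problems
```

Run check_serial() over the serials a CA already issued to find the systems Ben is asking about: values that are zero, negative, or short, and the all-ones case near 2**159 shows the DER sign octet eating into the 20-octet budget.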