[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Jacob Hoffman-Andrews jsha at letsencrypt.org
Tue May 3 13:46:58 MST 2016

On Tue, May 3, 2016 at 12:49 PM, Ben Wilson <ben.wilson at digicert.com> wrote:

> What are your thoughts about language suggested on the Mozilla Dev
> Security Policy list under the topic, Undisclosed CA Certificates, “at
> least 64 bits in the certificate serial number SHALL be generated using a

There was also a sub-thread on this topic here on the CA/Browser Forum in
which I proposed similar language, along with a definition of CSPRNG as
requested by Tim:

> "CAs SHALL use a Certificate serialNumber greater than zero (0)
> containing at least 64 bits of output from a CSPRNG"
> "CSPRNG: A random number generator intended for use in cryptographic
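
One way to meet the proposed serialNumber language, as an added example that is not part of the original message or any CA's code. The layout is an assumption of this sketch: a nonzero prefix octet sits above 64 bits from Python's `secrets` CSPRNG, so the value is always greater than zero, and the DER length is checked against the 20-octet serialNumber limit in RFC 5280.

```python
import secrets

RANDOM_BITS = 64      # CSPRNG output required by the proposed language
MAX_DER_OCTETS = 20   # RFC 5280 section 4.1.2.2 limit on serialNumber


def der_integer_content(value):
    """Content octets of a DER INTEGER for a non-negative value."""
    if value < 0:
        raise ValueError("negative serial")
    # (bits + 8) // 8 == ceil((bits + 1) / 8): one extra bit for the sign,
    # so a value with its top bit set gains a leading 0x00 octet.
    length = max(1, (value.bit_length() + 8) // 8)
    return value.to_bytes(length, "big")


def new_serial(prefix=1, rng=secrets.randbits):
    """prefix (hypothetical, CA-chosen, 1..255) above 64 CSPRNG bits.

    The nonzero prefix keeps the serial greater than zero even if all 64
    random bits are zero, without discarding or altering any of them.
    """
    if not 1 <= prefix <= 0xFF:
        raise ValueError("prefix must be 1..255")
    return (prefix << RANDOM_BITS) | rng(RANDOM_BITS)


def check_serial(serial):
    """Structural checks only: entropy cannot be verified from one value."""
    problems = []
    if serial <= 0:
        problems.append("serial is not greater than zero")
    elif len(der_integer_content(serial)) > MAX_DER_OCTETS:
        problems.append("serial exceeds 20 octets")
    return problems


if __name__ == "__main__":
    s = new_serial()
    print(hex(s), der_integer_content(s).hex(), check_serial(s))
```

The `rng` parameter exists only so the function can be exercised with a fixed source; production use keeps the default.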
