[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

[Doug Beattie]

What drove Ben's initial proposal and the long following debate to mandate at least 64 unpredictable bits?   I haven't seen any discussions of the issue we're solving, just technical approaches for adding randomness to the certificate content.

For SHA-1, sure, I understand this provides solid protection against preimage attacks, but is this necessary for SHA-2 algorithms?  It's a good idea, we should all be doing long serial numbers, but what's driving the need to mandate 64+ bit serial numbers and CSPRNG now?  

Doug


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Fotis Loukos
Sent: Wednesday, May 4, 2016 2:53 AM
To: Jacob Hoffman-Andrews <jsha at letsencrypt.org>
Cc: public at cabforum.org; Tim Hollebeek <thollebeek at trustwave.com>
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy


There are hardware devices that use cryptographic hash functions in order to unbias the biased input by the RNG. However, a cryptographic hash function is not a CSPRNG.

I agree that the most common approach is to use the output from the true random source to seed a CSPRNG (as done for example by the linux kernel for the /dev/urandom device), however in the future true RNGs that are able to provide random bytes in high speed may be much more common.