[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
Andrew R. Whalley
awhalley at google.com
Wed May 18 17:53:12 MST 2016
I think it's mostly a precaution against future attacks against SHA-2. I'd
like us to act now mainly because we're thinking about it, and I'd much
prefer to be 10 years too early...
On Thu, May 5, 2016 at 5:41 AM, Doug Beattie <doug.beattie at globalsign.com>
> What drove Ben's initial proposal and the long following debate to mandate
> at least 64 unpredictable bits? I haven't seen any discussions of the
> issue we're solving, just technical approaches for adding randomness to the
> certificate content.
> For SHA-1, sure, I understand this provides solid protection against
> preimage attacks, but is this necessary for SHA-2 algorithms? It's a good
> idea, we should all be doing long serial numbers, but what's driving the
> need to mandate 64+ bit serial numbers and CSPRNG now?
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Fotis Loukos
> Sent: Wednesday, May 4, 2016 2:53 AM
> To: Jacob Hoffman-Andrews <jsha at letsencrypt.org>
> Cc: public at cabforum.org; Tim Hollebeek <thollebeek at trustwave.com>
> Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
> There are hardware devices that use cryptographic hash functions in order
> to unbias the biased input by the RNG. However, a cryptographic hash
> function is not a CSPRNG.
> I agree that the most common approach is to use the output from the true
> random source to seed a CSPRNG (as done for example by the linux kernel for
> the /dev/urandom device), however in the future true RNGs that are able to
> provide random bytes in high speed may be much more common.
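As an added illustration (not code from the thread, nor any CA's implementation): generating serial numbers that carry the 64 bits of CSPRNG output the ballot proposes, DER-encoding them as a positive INTEGER, and the sanity checks a reviewer could run over a CA's issued serials. The 20-octet limit and the positive-INTEGER encoding rule are assumed from RFC 5280 and X.690 rather than stated in this thread; the function names are my own.

```python
import os

MAX_SERIAL_OCTETS = 20  # RFC 5280 limit on serialNumber (assumed, not from the thread)
MIN_ENTROPY_BITS = 64   # the 64 unpredictable bits the ballot proposes

def generate_serial(entropy_bits=MIN_ENTROPY_BITS):
    """Positive serial carrying entropy_bits of CSPRNG output from os.urandom."""
    if entropy_bits < MIN_ENTROPY_BITS:
        raise ValueError("fewer than %d bits of entropy" % MIN_ENTROPY_BITS)
    random_bits = int.from_bytes(os.urandom((entropy_bits + 7) // 8), "big")
    random_bits &= (1 << entropy_bits) - 1  # keep exactly entropy_bits of them
    # A fixed 1 bit above the random bits keeps the value non-zero and gives
    # every serial the same encoded length, so leading zero bits leak nothing.
    return (1 << entropy_bits) | random_bits

def der_encode_serial(serial):
    """DER-encode the serial as a positive ASN.1 INTEGER (tag 0x02)."""
    if serial <= 0:
        raise ValueError("serial must be greater than zero")
    body = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero octet keeps the INTEGER positive
    if len(body) > MAX_SERIAL_OCTETS:
        raise ValueError("serial exceeds %d octets" % MAX_SERIAL_OCTETS)
    return b"\x02" + bytes([len(body)]) + body  # length < 128, so one octet

def serial_problems(serial):
    """Faults visible from a single serial's value alone (a long value does
    not prove a CSPRNG was used; this only catches serials that cannot hold
    64 unpredictable bits or cannot be encoded within the octet limit)."""
    problems = []
    if serial <= 0:
        problems.append("not greater than zero")
    if serial.bit_length() < MIN_ENTROPY_BITS:
        problems.append("fewer than %d bits long" % MIN_ENTROPY_BITS)
    if (serial.bit_length() + 8) // 8 > MAX_SERIAL_OCTETS:
        problems.append("does not fit in %d octets" % MAX_SERIAL_OCTETS)
    return problems

def looks_sequential(serials):
    """True when consecutive serials step by a constant, i.e. a counter."""
    s = list(serials)
    if len(s) < 3:
        return False
    return len({b - a for a, b in zip(s, s[1:])}) == 1
```

The value-only checks cannot prove a CSPRNG was used; they only flag serials that could not satisfy the rule, or a run of serials that steps like a counter.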