[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Kurt Roeckx kurt at roeckx.be
Tue May 3 17:53:52 UTC 2016

On Tue, May 03, 2016 at 04:16:17PM +0300, Fotis Loukos wrote:
> On 04/28/2016 11:53 PM, Jacob Hoffman-Andrews wrote:
> > On Fri, Apr 22, 2016 at 9:01 AM, Tim Hollebeek <THollebeek at trustwave.com
> > <mailto:THollebeek at trustwave.com>> wrote:
> > 
> >     This is why I proposed and continue to support an actual
> >     definition.  If people don't like my definition, I'm open to
> >     improvements.  I don't think it should be too hard to come up with
> >     one that excludes the four examples Doug mentioned, and I think mine
> >     currently does.
> > 
> > 
> > I think we're unlikely to conclusively define entropy in a way that
> > auditors can reasonably measure. What we want to do here is rule out
> > solutions that are obviously wrong. How about this:
> > 
> > "CAs SHALL use a Certificate serialNumber greater than zero (0)
> > containing at least 64 bits of output from a CSPRNG"
> > 
> > "CSPRNG: A random number generator intended for use in cryptographic system"
> Wouldn't this prohibit the usage of a true RNG, such as a Geiger-Muller
> tube detecting radioactive decay, measurement of cosmic background
> radiation or any quantum phenomena? I know that these RNGs aren't that
> popular, but why limit them?

With any hardware RNG, you will need at least a whitening function
to make that useful, otherwise it's too much biased.  You just use
your CSPRNG as that whitening function.

You might want to calculate something like the Min Entropy so that
you have a good estimate of how much data you need to feed into it
before you extract anything from it.

But that's all really up to the hardware and/or software
designers, and not something we should specify.  We just want
something that's unpredictable.


More information about the Public mailing list