[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Jacob Hoffman-Andrews jsha at letsencrypt.org
Tue May 3 20:46:58 UTC 2016


On Tue, May 3, 2016 at 12:49 PM, Ben Wilson <ben.wilson at digicert.com> wrote:

> What are your thoughts about language suggested on the Mozilla Dev
> Security Policy list under the topic, Undisclosed CA Certificates, “at
> least 64 bits in the certificate serial number SHALL be generated using a
> CSPRNG”?
>

There was also a sub-thread on this topic here on the CA/Browser Forum in
which I proposed similar language, along with a definition of CSPRNG as
requested by Tim:

> "CAs SHALL use a Certificate serialNumber greater than zero (0)
> containing at least 64 bits of output from a CSPRNG"
> "CSPRNG: A random number generator intended for use in cryptographic
> system"
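
One way to generate a serial that satisfies the wording quoted above, as an added example that is not part of the original message or any CA's code. The function names and the fixed 0x01 prefix octet are assumptions of this sketch, and the 20-octet ceiling comes from RFC 5280 rather than from the thread.

```python
import secrets

MIN_CSPRNG_BITS = 64    # minimum from the wording proposed in the message
MAX_SERIAL_OCTETS = 20  # RFC 5280 limit on serialNumber (not from the message)


def new_serial(random_octets: int = 8) -> int:
    """Return a positive serial whose low-order bits are all CSPRNG output."""
    if random_octets * 8 < MIN_CSPRNG_BITS:
        raise ValueError("fewer than 64 bits of CSPRNG output")
    if random_octets + 1 > MAX_SERIAL_OCTETS:
        raise ValueError("serial would exceed 20 octets")
    raw = secrets.token_bytes(random_octets)  # drawn from the OS CSPRNG
    # Assumed design choice: prepend a constant 0x01 octet instead of clearing
    # the top bit of `raw`. The value is then always greater than zero and
    # non-negative in DER, and no random bit is sacrificed (masking the sign
    # bit of a 64-bit value would leave only 63 bits of CSPRNG output).
    return int.from_bytes(b"\x01" + raw, "big")


def der_integer(n: int) -> bytes:
    """DER-encode a positive INTEGER as it appears in serialNumber."""
    if n <= 0:
        raise ValueError("serialNumber must be greater than zero")
    # floor(bits / 8) + 1 octets always leaves the sign bit clear.
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    if len(body) > MAX_SERIAL_OCTETS:
        raise ValueError("serial exceeds 20 octets once encoded")
    return bytes([0x02, len(body)]) + body  # tag, short-form length, value


if __name__ == "__main__":
    serial = new_serial()
    print(hex(serial), der_integer(serial).hex())
```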