[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Tim Hollebeek THollebeek at trustwave.com
Mon May 23 15:08:07 UTC 2016

I’m actually more concerned about the random numbers in validation methods (without holding up removing any other method …) than in serial numbers, but while we’re fixing those, we might want to make sure we have good randomness everywhere.  It’s on virtually every security top ten list.

By doing it when it’s not an emergency, we also have the luxury of giving people as much time as they need to get this prioritized and through their processes …


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Andrew R. Whalley
Sent: Wednesday, May 18, 2016 8:53 PM
To: Doug Beattie
Cc: public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

I think it's mostly a precaution against future attacks against SHA-2.  I'd like us to act now mainly because we're thinking about it, and I'd much prefer to be 10 years too early...

On Thu, May 5, 2016 at 5:41 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
What drove Ben's initial proposal and the long following debate to mandate at least 64 unpredictable bits?   I haven't seen any discussions of the issue we're solving, just technical approaches for adding randomness to the certificate content.

For SHA-1, sure, I understand this provides solid protection against preimage attacks, but is this necessary for SHA-2 algorithms?  It's a good idea, we should all be doing long serial numbers, but what's driving the need to mandate 64+ bit serial numbers and CSPRNG now?


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Fotis Loukos
Sent: Wednesday, May 4, 2016 2:53 AM
To: Jacob Hoffman-Andrews <jsha at letsencrypt.org>
Cc: public at cabforum.org; Tim Hollebeek <thollebeek at trustwave.com>
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

There are hardware devices that use cryptographic hash functions in order to unbias the biased input by the RNG. However, a cryptographic hash function is not a CSPRNG.

I agree that the most common approach is to use the output from the true random source to seed a CSPRNG (as done for example by the Linux kernel for the /dev/urandom device); however, in the future true RNGs that are able to provide random bytes at high speed may be much more common.

Public mailing list
Public at cabforum.org


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
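As an added illustration of what the thread's "at least 64 unpredictable bits" looks like in practice (example code written for this archive page; it is not code from any participant, CA, or the ballot itself): a serial number is drawn from the operating-system CSPRNG via Python's `secrets` module, which reads the kernel pool the way the /dev/urandom discussion above describes, and is then kept inside the constraints RFC 5280 places on the serialNumber field (a positive INTEGER whose DER content is at most 20 octets). The fixed leading marker bit, the helper names, and the 20-octet ceiling used as a constant are assumptions made for this example; the ballot text does not prescribe an encoding.

```python
import secrets

MIN_ENTROPY_BITS = 64    # the floor the pre-ballot proposes (assumption: applied as a hard minimum here)
MAX_SERIAL_OCTETS = 20   # RFC 5280 section 4.1.2.2: serialNumber content is at most 20 octets


def der_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02, short-form length).

    DER INTEGER content is two's complement, so a value whose top bit is set
    needs a leading 0x00 octet to remain positive; (bit_length + 8) // 8
    reserves room for that sign bit. Serial numbers never need the long-form
    length, so anything that would is rejected rather than encoded.
    """
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    content_len = (value.bit_length() + 8) // 8
    if content_len >= 0x80:
        raise ValueError("value too large for a short-form DER length")
    return bytes([0x02, content_len]) + value.to_bytes(content_len, "big")


def serial_content_octets(serial: int) -> int:
    """Number of content octets the serial occupies once DER-encoded (tag and length excluded)."""
    return len(der_integer(serial)) - 2


def generate_serial(entropy_bits: int = MIN_ENTROPY_BITS) -> int:
    """Return a serial carrying exactly `entropy_bits` of CSPRNG output.

    secrets.randbits() is backed by os.urandom(), i.e. the kernel CSPRNG that
    the thread mentions. A fixed 1 bit is placed just above the random bits so
    the serial is never zero or negative and no entropy is sacrificed to keep
    the sign bit clear (the cost is one extra content octet).
    """
    if entropy_bits < MIN_ENTROPY_BITS:
        raise ValueError(f"at least {MIN_ENTROPY_BITS} bits of CSPRNG output are required")
    random_part = secrets.randbits(entropy_bits)
    serial = (1 << entropy_bits) | random_part
    if serial_content_octets(serial) > MAX_SERIAL_OCTETS:
        raise ValueError("serial would exceed the 20-octet limit of RFC 5280")
    return serial


def validate_serial(serial: int) -> bool:
    """Structural check only: positive and within the 20-octet limit.

    A structural check cannot tell whether the bits actually came from a
    CSPRNG; that property has to be ensured at generation time, which is why
    the ballot discussion focuses on the generator rather than on inspection.
    """
    return serial > 0 and serial_content_octets(serial) <= MAX_SERIAL_OCTETS


if __name__ == "__main__":
    s = generate_serial()
    print(f"serial = {s:x}")
    print(f"DER    = {der_integer(s).hex()}")
    print(f"content octets = {serial_content_octets(s)}, valid = {validate_serial(s)}")
```

Requesting more than 158 random bits pushes the encoding past 20 content octets, so `generate_serial` refuses rather than silently truncating; the caller sees the limit instead of an undersized serial.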
