On 2016-04-29 09:42, Nick Lamb wrote:

> I'm sure Rob can give a more technical answer, but my understanding is that
> crt.sh doesn't (and probably can't) detect that individual certificates have
> enough entropy, instead it flags certificates based on the length of the serial
> numbers. So it's neither sufficient nor necessary that every certificate from
> an issuer should pass the test in crt.sh, but it is very suspicious if many or
> all certificates from a particular issuer fail this test.

I think it's the output of certlint that gives that. My understanding is that it gives that warning when the serial is not long enough. If it's 56 bits instead of 64 bits, there is only a 1/256 chance that that certificate has 64 random bits. If all certificates only have 56 bits, the chance that it has 64 unpredictable bits approaches 0 very fast.

The current BRs talk about 20 bits of entropy instead. You really need to check that over multiple certificates and can then calculate something like the Shannon entropy or min entropy.


Kurt
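
The following is an added example, not part of the original message and not crt.sh or certlint code. It applies the two checks discussed above (serial length, and entropy estimated across many certificates) to two constructed sets of serial numbers; the issuer names, the prefix and the sample data are assumptions made for illustration.

```python
import math
import random

def short_fraction(serials, want_bits=64, slack_bits=8):
    """Fraction of serials no longer than want_bits - slack_bits (56 here).
    For uniformly random 64-bit serials this should be close to 1/256."""
    limit = want_bits - slack_bits
    return sum(s.bit_length() <= limit for s in serials) / len(serials)

def per_bit_entropy(serials, width=64):
    """Sum of per-bit Shannon entropy and per-bit min-entropy over all
    bit positions. Bit positions are treated as independent, so correlated
    bits (such as a counter) score higher than they deserve."""
    n = len(serials)
    shannon = min_ent = 0.0
    for pos in range(width):
        ones = sum((s >> pos) & 1 for s in serials)
        p_one = ones / n
        for p in (p_one, 1 - p_one):
            if p > 0:
                shannon -= p * math.log2(p)
        min_ent -= math.log2(max(p_one, 1 - p_one))
    return shannon, min_ent

def report(name, serials):
    sh, mn = per_bit_entropy(serials)
    return (f"{name}: {short_fraction(serials):.3f} of serials <= 56 bits, "
            f"Shannon ~{sh:.1f} bits, min-entropy ~{mn:.1f} bits")

# Constructed sample data (not taken from real certificates).
rng = random.Random(2016)  # fixed seed so the sample is repeatable
# Hypothetical issuer A: 64 random bits in every serial.
ISSUER_A = [rng.getrandbits(64) for _ in range(2000)]
# Hypothetical issuer B: fixed 36-bit prefix plus 20 random bits,
# which gives 56-bit serials.
PREFIX = 0x800000001
ISSUER_B = [(PREFIX << 20) | rng.getrandbits(20) for _ in range(2000)]

if __name__ == "__main__":
    print(report("issuer A", ISSUER_A))
    print(report("issuer B", ISSUER_B))
```

With a few thousand certificates the estimates are only as good as the sample, so they indicate how many bits vary across an issuer's serials rather than prove unpredictability.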
