After looking at some real certificates both in the browser and on
crt.sh, I have some followup questions on certificate serial numbers:
1. Do all recently issued certificates have to contain at least 64 bits
of randomness in their serial numbers?
2. Is it acceptable for a CA to satisfy this requirement by generating
random 64-bit serial numbers and checking if there is a certificate
with that random serial before using it?
3. Or would the elimination in #2 reduce the entropy of such serial
numbers to slightly less than 64 bits (since there are fewer than 2**64
allowed values for all but the first such certificate)?
4. If the answers are yes, no, yes, why doesn't cablint flag
certificates with serial numbers of less than or equal to 64 bits as
non-compliant?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
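An added illustration of the scheme in questions #2 through #4 above (example code, not from the post's author, cablint or any CA): draw 64 random bits per serial, reject collisions against already-issued serials, measure how much entropy that rejection removes, and show why the DER-encoded length of a serial does not reveal how many random bits went into it. The function names and the sample issued set are assumptions for the example.

```python
import math
import secrets

SERIAL_BITS = 64
SPACE = 1 << SERIAL_BITS  # 2**64 candidate serial values
LN2 = math.log(2)


def draw_serial(issued: set[int], rng=secrets.randbits) -> int:
    """Question #2: return a fresh 64-bit serial not already in `issued`.
    `rng(bits)` is injectable so the rejection path can be exercised
    deterministically; the default is a CSPRNG."""
    while True:
        candidate = rng(SERIAL_BITS)
        # RFC 5280 requires a positive serial, so the value 0 is rejected too.
        if candidate != 0 and candidate not in issued:
            issued.add(candidate)
            return candidate


def entropy_deficit_bits(already_issued: int) -> float:
    """Question #3: bits of entropy lost when `already_issued` distinct serials
    (plus the value 0) are excluded from a uniform draw over 2**64 values.
    The next serial is uniform over 2**64 - excluded values, so its entropy is
    log2(2**64 - excluded) = 64 + log2(1 - excluded/2**64). The deficit is
    computed via log1p because 64 - log2(2**64 - k) rounds to 0.0 in floating
    point for any realistic k."""
    excluded = already_issued + 1  # issued serials and the forbidden zero
    return -math.log1p(-excluded / SPACE) / LN2


def entropy_of_next_serial(already_issued: int) -> float:
    """Entropy in bits of the next serial; rounds to 64.0 for realistic counts."""
    return SERIAL_BITS - entropy_deficit_bits(already_issued)


def der_serial_length(serial: int) -> int:
    """Question #4: content bytes needed to encode `serial` as a DER INTEGER.
    DER uses the minimal two's-complement form, so a 64-bit value with its top
    bit set needs 9 bytes (leading 0x00), one with leading zero bits needs 8 or
    fewer. A linter seeing only the encoded length therefore cannot tell how
    many random bits the CA actually drew."""
    return (serial.bit_length() + 8) // 8  # one sign bit, rounded up to bytes


if __name__ == "__main__":
    issued: set[int] = set()
    for _ in range(5):
        s = draw_serial(issued)
        print(f"serial {s:#018x} -> {der_serial_length(s)} DER bytes")
    print(f"deficit after 2**40 certs: {entropy_deficit_bits(2**40):.3e} bits")
```

The deficit after a billion-scale issuance volume is on the order of 1e-10 bits, which is the quantitative content of question #3.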