On Fri, Dec 29, 2017 at 1:24 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> After looking at some real certificates both in the browser and on crt.sh, > I have some followup questions on certificate serial numbers: > > 1. Do all recently issued certificates have to contain at least 64 bits > of randomness in their serial numbers? > https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.4.pdf Section 7.1 Effective September 30, 2016, CAs SHALL generate non‐sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG. > 2. Is it acceptable for a CA to satisfy this requirement by generating > random 64 bit serial numbers and checking if there is a certificate > with that random serial before using it? > https://tools.ietf.org/html/rfc5280#section-4.1.2.2 The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer. > 3. Or would the elimination in #2 reduce the entropy of such serial > numbers to slightly less than 64 bits (since there are less than 2**64 > allowed values for all but the first such certificate)? > As the goal is to ensure robustness against collisions, particularly aided by predictability in the construction of the serial number, yes. > 4. If the answers are yes, no, yes, why doesn't cablint flag > certificates with serial numbers of less than or equal to 64 bits as > non-compliant? > Peter answered that already. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy