Mike Kushner via dev-security-policy <dev-security-policy@lists.mozilla.org>
writes:
>EJBCA was possible the first (certainly one of the first) CA products to use
>random serial numbers.
Random serial numbers have been in use for a long, long time, principally to
hide the number of certs a CA was (or wasn't) issuing. Here's the first one
that came up in my collection, from twenty-five years ago:
0 551: SEQUENCE {
4 400: SEQUENCE {
8 9: INTEGER 00 A0 98 0F FC 30 AC A1 02
19 13: SEQUENCE {
21 9: OBJECT IDENTIFIER md5WithRSAEncryption (1 2 840 113549 1 1 4)
32 0: NULL
: }
[...]
81 43: SET {
83 41: SEQUENCE {
85 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
90 34: PrintableString 'A Free Internet and SET Class 1 CA'
: }
: }
: }
126 26: SEQUENCE {
128 11: UTCTime '9609010000Z'
: Error: Time is encoded incorrectly.
RFC 3280 (2002) explicitly added handling for random data as serial numbers:
Given the uniqueness requirements above, serial numbers can be
expected to contain long integers. Certificate users MUST be able to
handle serialNumber values up to 20 octets.
(20 bytes being a SHA-1 hash, which was the fashion at the time).
Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
