Mike Kushner via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>EJBCA was possible the first (certainly one of the first) CA products to use >random serial numbers. Random serial numbers have been in use for a long, long time, principally to hide the number of certs a CA was (or wasn't) issuing. Here's the first one that came up in my collection, from twenty-five years ago: 0 551: SEQUENCE { 4 400: SEQUENCE { 8 9: INTEGER 00 A0 98 0F FC 30 AC A1 02 19 13: SEQUENCE { 21 9: OBJECT IDENTIFIER md5WithRSAEncryption (1 2 840 113549 1 1 4) 32 0: NULL : } [...] 81 43: SET { 83 41: SEQUENCE { 85 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 90 34: PrintableString 'A Free Internet and SET Class 1 CA' : } : } : } 126 26: SEQUENCE { 128 11: UTCTime '9609010000Z' : Error: Time is encoded incorrectly. RFC 3280 (2002) explicitly added handling for random data as serial numbers: Given the uniqueness requirements above, serial numbers can be expected to contain long integers. Certificate users MUST be able to handle serialNumber values up to 20 octets. (20 bytes being a SHA-1 hash, which was the fashion at the time). Peter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy