tomasshredder--- via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>We still get asked by customers to implement sequential serial numbers from
>time to time, but it's getting more and more rare.

Another reason for using random data, from the point of view of a software toolkit provider, is that it's the only thing you can guarantee is unique in a cert since there's no coordination between users over namespace use. A user can configure their software or CA to have any name they like, and for small-scale use that's often the case, "Web CA" or something similar. By providing an unlikely-to-be-duplicated random value as the serial number, you don't run into problems with Web CA #1's certs clashing with Web CA #2's certs.

In terms of sequential numbers, if for some reason the current serial number isn't written to permanent storage correctly, or there's a system failure and when things are restored the record of the last-used serial number is lost or corrupted, you're in trouble.

So overall it just made more sense to use random values.

Peter.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
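The two failure modes Peter describes (two independently-run "Web CA"s handing out the same (issuer, serial) pairs, and a CA that loses its persisted counter and re-issues a serial) are easy to make concrete. The script below is an added illustration, not Peter's code nor any CA toolkit's: it models a counter-based issuer with an explicit checkpoint, a CSPRNG-based issuer, and an RFC 5280 serial check (positive, at most 20 DER octets; 159 random bits keeps the sign bit clear). The CA names, the crash/restore sequence and the `SequentialCA`/`RandomCA` classes are constructed for the demonstration.

```python
"""Added example: random vs sequential certificate serials (constructed scenario)."""
import secrets

MAX_SERIAL_OCTETS = 20   # RFC 5280 4.1.2.2: serialNumber content is at most 20 octets
SERIAL_BITS = 159        # 159 CSPRNG bits -> 20-octet DER INTEGER with the sign bit clear


def der_integer_content(n: int) -> bytes:
    """Minimal two's-complement big-endian content octets of a DER INTEGER (n >= 0)."""
    if n < 0:
        raise ValueError("negative serials are not valid; only non-negative handled")
    if n == 0:
        return b"\x00"
    # +8 so that a value whose top bit is set gets a leading 0x00 pad octet
    length = (n.bit_length() + 8) // 8
    return n.to_bytes(length, "big")


def is_valid_serial(n: int) -> bool:
    """RFC 5280 rule: positive integer whose DER content fits in 20 octets."""
    return n > 0 and len(der_integer_content(n)) <= MAX_SERIAL_OCTETS


def random_serial(bits: int = SERIAL_BITS) -> int:
    """Serial drawn from the OS CSPRNG; zero is rejected because a serial must be positive."""
    while True:
        n = secrets.randbits(bits)
        if n != 0:
            return n


class SequentialCA:
    """Issuer whose serials come from a counter that has to be persisted between issuances."""

    def __init__(self, name: str):
        self.name = name
        self.next_serial = 1
        self.persisted = 1          # what is "on disk"; only checkpoint() updates it

    def issue(self) -> tuple:
        serial = self.next_serial
        self.next_serial += 1
        return (self.name, serial)

    def checkpoint(self) -> None:
        self.persisted = self.next_serial

    def crash_and_restore(self) -> None:
        """Lose in-memory state and come back with the last checkpointed counter."""
        self.next_serial = self.persisted


class RandomCA:
    """Issuer that needs no shared state: every serial is a fresh CSPRNG value."""

    def __init__(self, name: str):
        self.name = name

    def issue(self) -> tuple:
        return (self.name, random_serial())


def duplicates(certs) -> set:
    """Return the (issuer, serial) pairs that occur more than once."""
    seen, dup = set(), set()
    for cert in certs:
        if cert in seen:
            dup.add(cert)
        seen.add(cert)
    return dup


def demo_sequential_clash() -> set:
    # Two unrelated operators both picked the name "Web CA" (constructed scenario).
    a, b = SequentialCA("Web CA"), SequentialCA("Web CA")
    certs = [a.issue() for _ in range(3)] + [b.issue() for _ in range(3)]
    return duplicates(certs)       # every pair clashes


def demo_lost_counter() -> set:
    ca = SequentialCA("Corp CA")
    certs = [ca.issue(), ca.issue()]
    ca.checkpoint()                # counter value 3 reaches permanent storage
    certs += [ca.issue(), ca.issue()]   # serials 3 and 4 issued, but never persisted
    ca.crash_and_restore()         # counter rolls back to 3
    certs.append(ca.issue())       # serial 3 is handed out a second time
    return duplicates(certs)


def demo_random_no_clash(n: int = 1000) -> set:
    a, b = RandomCA("Web CA"), RandomCA("Web CA")
    certs = [a.issue() for _ in range(n)] + [b.issue() for _ in range(n)]
    return duplicates(certs)       # empty, with overwhelming probability at 159 bits


if __name__ == "__main__":
    print("sequential, same name:", demo_sequential_clash())
    print("sequential, lost counter:", demo_lost_counter())
    print("random, same name:", demo_random_no_clash())
```

The check in `is_valid_serial` is the one a validator applies regardless of how the serial was chosen; `random_serial` satisfies it by construction because 159 bits can never need a 21st octet, while a sequential counter only satisfies it as long as the counter itself is never lost or re-used.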