On Fri, Mar 8, 2019 at 6:50 PM Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I am well aware of the reason for the entropy in the certificate serial
> number. What I'm having trouble with is that there can be no dispute that
> two certificates with serial numbers off by one from each other, no matter
> how you wind up getting there, are in fact sequential serial numbers and
> that this would appear to be forbidden explicitly.
>
> It seems that in reality that your perspective calls upon the CA to act
> according to the underlying risk that the rule attempts to mitigate rather
> than abide the literal text. That seems a really odd way to construe a
> rule.
>

I think this is fundamentally an unhelpful way to think about and frame the problem, but I think it's largely a result of not having to be a CA placed in this position.

You're absolutely correct that two certificates, placed next to each other, could appear sequential. Someone might then make a claim that the CA has violated the requirements. The CA can then respond by discussing how they actually validate serial numbers, and the whole matter can be dismissed as compliant.

You're fixating on the "rules lawyering" part, but that's not a remotely productive framing. A CA that is doing the right thing can demonstrate how they were doing it. A CA that is doing the wrong thing can't. That 'problem' you see is easily and rapidly resolved by such an explanation.

This framing is exactly why the ZLint side of things warns, rather than errors - because it can arise in legitimate cases. If there's concern that it's arising in illegitimate cases, a report is made, the CA investigates, and the information shared, and we all move on. It's not that hard or unreasonable :)

A CA is expected to be adversarially reading the BRs, and from that, either highlighting concerns to m.d.s.p. and the CA/Browser Forum ("you COULD interpret it like this") or taking steps to mitigate even under the most adversarial reading.
If and when an incident occurs, a CA that performed such steps is in a far better place to explain the incident and the steps taken. A CA that doesn't, and says "We didn't know", is more likely indicative of a CA not adversarially reading or critically evaluating it.
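The exchange above turns on one technical fact: serials built from CSPRNG output can, purely by chance, land one apart, so a linter can only warn on adjacency and the CA must be able to show how it generates serials. The following Python is an added illustration, not code from the thread, ZLint, or any CA. It assumes a simple generation convention (64 random bits with the sign bit cleared, zero rejected), an adjacency lint that emits warnings rather than errors, and a rough expected-count estimate for how often adjacent pairs appear in a corpus of n random serials; all three are assumptions for illustration only.

```python
import secrets
from typing import List, Tuple

# The BRs require at least 64 bits of CSPRNG output in the serial number.
# Assumed convention for this example: draw exactly 64 bits, clear the top
# bit so the DER INTEGER stays positive without a leading 0x00 octet, and
# reject zero, which is not a valid serial number.
ENTROPY_BITS = 64


def generate_serial(entropy_bits: int = ENTROPY_BITS) -> int:
    """Return a positive, non-zero serial built from CSPRNG output."""
    mask = (1 << (entropy_bits - 1)) - 1  # clears the sign bit
    while True:
        value = secrets.randbits(entropy_bits) & mask
        if value != 0:
            return value


def der_integer_octets(value: int) -> int:
    """Number of content octets a positive DER INTEGER needs.

    Two's complement: if the top bit of the minimal encoding is set, a
    leading 0x00 octet is required. Useful for checking the 20-octet limit.
    """
    if value <= 0:
        raise ValueError("serial numbers must be positive")
    return value.bit_length() // 8 + 1


def lint_adjacent_serials(serials: List[int]) -> List[Tuple[str, int, int]]:
    """Emit a 'warn' record for every pair of serials that differ by one.

    Adjacency is a warning, not an error, because random generation can
    legitimately produce it; the CA's generation evidence settles the case.
    """
    seen = set(serials)
    return [("warn", s, s + 1) for s in sorted(seen) if s + 1 in seen]


def expected_adjacent_pairs(n: int, entropy_bits: int = ENTROPY_BITS) -> float:
    """Approximate expected number of adjacent pairs among n random serials.

    Assumed model: serials uniform over 2**(entropy_bits - 1) values (sign bit
    cleared); for an unordered pair, P(|a - b| == 1) is about 2 / 2**(bits-1).
    """
    pairs = n * (n - 1) / 2
    return pairs * 2 / 2 ** (entropy_bits - 1)


if __name__ == "__main__":
    # Constructed sample corpus: two adjacent serials and one unrelated one.
    sample = [0x1234, 0x1235, 0x9999]
    print(lint_adjacent_serials(sample))          # one warning, no error
    s = generate_serial()
    print(hex(s), der_integer_octets(s))          # at most 8 content octets
    print(expected_adjacent_pairs(1_000_000_000)) # well below one pair
```

The `expected_adjacent_pairs` figure is the defender's answer to "but they are sequential": with 63 effective random bits, a billion serials yield far less than one adjacent pair on average, so a single adjacent pair in a real corpus is a prompt to ask the CA for its generation evidence, not proof of a counter.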