On Fri, Mar 8, 2019 at 6:50 PM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> I am well aware of the reason for the entropy in the certificate serial
> number.  What I'm having trouble with is that there can be no dispute that
> two certificates with serial numbers off by one from each other, no matter
> how you wind up getting there, are in fact sequential serial numbers and
> that this would appear to be forbidden explicitly.
>
> It seems that in reality that your perspective calls upon the CA to act
> according to the underlying risk that the rule attempts to mitigate rather
> than abide the literal text.  That seems a really odd way to construe a
> rule.
>

I think this is fundamentally an unhelpful way to think about and frame the
problem, but I think it's largely a result of not having to be a CA placed
in this position.

You're absolutely correct that two certificates, placed next to each other,
could appear sequential. Someone might then make a claim that the CA has
violated the requirements. The CA can then respond by discussing how they
actually validate serial numbers, and the whole matter can be dismissed as
compliant.

You're fixating on the "rules lawyering" part, but that's not a remotely
productive framing. A CA that is doing the right thing can demonstrate how
they were doing it. A CA that is doing the wrong thing can't. That
'problem' you see is easily and rapidly resolved by such an explanation.

This framing is exactly why the ZLint side of things warns, rather than
errors - because it can arise in legitimate cases. If there's concern that
it's arising in illegitimate cases, a report is made, the CA investigates,
and the information shared, and we all move on. It's not that hard or
unreasonable :)

A CA is expected to be adversarially reading the BRs, and from that, either
highlighting concerns to m.d.s.p. and the CA/Browser Forum ("you COULD
interpret it like this") or taking steps to mitigate even under the most
adversarial reading. If and when an incident occurs, a CA that performed
such steps is in a far better place to explain the incident and the steps
taken. A CA that doesn't, and says "We didn't know", is more likely
indicative of a CA not adversarially reading or critically evaluating it.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
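The serial-number point in the message above, as an added worked example that is not part of the thread and is not ZLint's or any CA's code. It assumes the numeric rules from RFC 5280 4.1.2.2 (a positive INTEGER of at most 20 DER octets) and Baseline Requirements 7.1 (at least 64 bits of CSPRNG output, non-sequential); the function names, the marker-bit construction in `new_serial` and the finding strings are this example's own. It shows why an encoded-length check can only warn: a legitimately random 64-bit value encodes in fewer than 8 octets about once in 256 certificates, so the lint cannot tell a short-by-chance serial from a short-by-design one, and why two serials that differ by one are still "sequential" to the eye regardless of how they were produced.

```python
"""Serial-number generation and lint-style checks.

Added example, not CA or ZLint code. Assumed rules (hypothetical labels, not
ZLint lint IDs): RFC 5280 4.1.2.2 (positive INTEGER, at most 20 DER octets)
and BR 7.1 (at least 64 bits of CSPRNG output, non-sequential).
"""
import secrets

ENTROPY_BITS = 64       # BR 7.1 minimum CSPRNG output per serial
MAX_DER_OCTETS = 20     # RFC 5280 4.1.2.2 upper bound on the INTEGER content


def der_integer_octets(n):
    """Content octets a DER INTEGER needs for a non-negative n.

    DER integers are two's complement, so a value whose top bit is set gets a
    leading 0x00 octet; (bit_length + 8) // 8 accounts for that.
    """
    if n < 0:
        raise ValueError("serial numbers must be positive")
    return (n.bit_length() + 8) // 8


def new_serial(entropy_bits=ENTROPY_BITS):
    """Serial = one fixed marker bit followed by entropy_bits of CSPRNG output.

    The marker bit keeps every serial strictly positive and the same encoded
    length (9 octets for 64 bits), so a length-based lint never sees a value
    that is short purely by chance. This construction is the example's own.
    """
    return (1 << entropy_bits) | secrets.randbits(entropy_bits)


def lint_serial(serial):
    """ZLint-style findings for one serial (hypothetical check names).

    'error' findings are provable from the number alone; 'warn' findings are
    consistent with a compliant generator and need the CA's explanation of
    how it actually produces serials before anyone can call them a violation.
    """
    findings = []
    if serial <= 0:
        findings.append("error: serial must be a positive integer")
        return findings
    octets = der_integer_octets(serial)
    if octets > MAX_DER_OCTETS:
        findings.append(
            f"error: DER encoding is {octets} octets, maximum is {MAX_DER_OCTETS}")
    if octets < 8:
        # Fewer than 8 octets cannot hold 64 bits of entropy, but a raw 64-bit
        # random value lands here (bit_length <= 56) with probability 2**-8,
        # so this is a warning rather than an error.
        findings.append(
            f"warn: only {octets} octets; cannot carry {ENTROPY_BITS} bits of CSPRNG output")
    return findings


def appear_sequential(a, b):
    """True when two serials differ by exactly one, whatever produced them."""
    return abs(a - b) == 1


def demo():
    """Constructed pair: two otherwise compliant serials that sit side by side.

    Both pass the lint; the pair still looks sequential, which is the
    situation a CA has to be able to explain rather than one a lint can decide.
    """
    first = new_serial()
    second = first + 1          # constructed neighbour, not a second CSPRNG draw
    return {
        "lint_first": lint_serial(first),
        "lint_second": lint_serial(second),
        "appear_sequential": appear_sequential(first, second),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the two (empty) lint results and `True` for the adjacency test; the lint is silent because nothing about the individual numbers is wrong, and only the CA's description of its generator can settle whether the adjacency is accidental.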
