On Mon, Mar 11, 2019 at 1:18 PM Buschart, Rufus via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Dear mdsp!
>
> I really like reading this discussion about 64 vs. 63 bits and how to read
> the BRGs as it shows a lot of passion by all of us in the PKI community.
> Nevertheless, in the discussion, I miss one interesting aspect. The BRGs
> not only speak about 64 bits as output from a CSPRNG but also about serial
> numbers being "non-sequential". But nowhere do the BRGs define the exact
> meaning of "non-sequential". I always read this as serial numbers being
> totally random, but I know there is at least one CA out there that
> constructs its serial numbers like this:
>
> serialNumber = timeInMS() + random(64) + 'constant_suffix'
>
> Serial numbers constructed like this are strictly monotonically rising but
> nevertheless contain 64 bits of random data. Do we consider those as
> "non-sequential"? We can't even go by the definition in the dictionary,
> because according to that (at least the one I consulted), every list of
> numbers is 'sequential', as one number comes after another.
>

Oof,

With the requirement to be a positive integer greater than zero, you can
think of the serial number space as the one of /natural numbers/ (or,
because zero is excluded, /whole numbers/) whose DER encoding is less than
or equal to twenty bytes. The sequential requirement is 'meant' to apply to
serial numbers being constructed in order of that sequence of whole numbers
- that is, 1, 2, 3 is sequential in the set of whole numbers, although 1, 3
would be out of sequence with respect to the set of valid whole number
serials.

If I understand the question correctly, you're describing a situation in
which the serial number construct follows a strict ordering, and thus
itself forms a sequence of whole numbers which maintain sequential order of
the set of all valid whole numbers, but which does not include each whole
number, provided that no two certificates are issued in the same
millisecond. If two certificates are issued in the same millisecond, the
64-bits of entropy create a probability that the certificates will not
appear in sequential (monotonically increasing) order. Is that correct?

Put differently, the question is whether or not the algorithm, as
specified, needs to consider two certificates issued at different times
(and, presuming time is linear and increasing, so too will the serial
numbers), or whether it can/should consider certificates issued at the same
time (and thus be probabilistically out of sequential ordering).

Just making sure I've phrased and framed it correctly.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
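
The ordering behaviour discussed in this thread, as an added example that is not part of the original messages and is not any CA's code. It assumes `+` in the quoted construction means byte concatenation, a 6-byte big-endian millisecond timestamp, and a one-byte constructed suffix; all function names are hypothetical.

```python
import secrets

SUFFIX = b"\x01"  # constructed stand-in for the CA's 'constant_suffix'


def make_serial(time_ms, rand=None):
    """timeInMS() + random(64) + 'constant_suffix', reading '+' as concatenation."""
    if rand is None:
        rand = secrets.token_bytes(8)  # 64 bits from the OS CSPRNG
    if len(rand) != 8:
        raise ValueError("need exactly 64 random bits")
    # Assumption: the timestamp occupies the 6 most significant bytes.
    return int.from_bytes(time_ms.to_bytes(6, "big") + rand + SUFFIX, "big")


def der_content_len(n):
    """Content octets of a DER INTEGER for positive n (0x00 is prepended if the top bit is set)."""
    if n <= 0:
        raise ValueError("serial must be a positive integer")
    return n.bit_length() // 8 + 1


def classify(serials):
    """Describe a list of serials given in issuance order."""
    pairs = list(zip(serials, serials[1:]))
    if all(b == a + 1 for a, b in pairs):
        return "consecutive"           # e.g. 1, 2, 3
    if all(b > a for a, b in pairs):
        return "increasing with gaps"  # e.g. 1, 3
    return "out of order"


def same_ms_out_of_order_rate(trials=2000, time_ms=1552306680000):
    """Fraction of same-millisecond pairs in which the later serial is the smaller one."""
    bad = sum(make_serial(time_ms) > make_serial(time_ms) for _ in range(trials))
    return bad / trials


if __name__ == "__main__":
    t = 1552306680000  # constructed timestamp in milliseconds
    print(classify([make_serial(t), make_serial(t + 1)]))  # different milliseconds
    print(same_ms_out_of_order_rate())                     # same millisecond
    print(der_content_len(make_serial(t)))                 # must stay <= 20
```
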
