> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+tim.hollebeek=digicert....@lists.mozilla.org] On Behalf Of Paul
> Kehrer via dev-security-policy
> Sent: Friday, December 29, 2017 12:46 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Serial number length
>
> On December 29, 2017 at 12:27:35 PM, David E. Ross via dev-security-policy (
> dev-security-policy@lists.mozilla.org) wrote:
>
> > On 12/28/2017 10:33 PM, Peter Bowen wrote:
> > On Thu, Dec 28, 2017 at 10:24 PM, Jakob Bohm via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >> After looking at some real certificates both in the browser and on crt.sh, I
> >> have some followup questions on certificate serial numbers:
> >>
> >> 4. If the answers are yes, no, yes, why doesn't cablint flag
> >> certificates with serial numbers of less than or equal to 64 bits as
> >> non-compliant?
> >
> > I can answer #4 -- your trusty cablint maintainer has fallen behind
> > and hasn't added lints for recent ballots.
> >
> > I know this would require changing not only software but also the format of
> > certificates. However, why not use UUID version 1? UUIDs (Universally Unique
> > IDentifiers) require no central registry. UUIDs are specified in RFC 4122.
>
> Modern X509 uses serial number as both a source of randomness and a unique
> identifier. Unfortunately, trying to solve for uniqueness doesn't absolve you
> from needing quality randomness. The reason for the "at least 64-bits of
> random" requirement is to add entropy to the tbsCertificate structure to make
> hash collision attacks more difficult. UUIDv1 is (almost) entirely predictable
> and thus not suitable for this. And if you have a good random source you might
> as well just generate a long random serial which has a vanishingly small
> probability of collision.
The baseline requirements don't just require 64 bits of good randomness. They specifically require the use of a CSPRNG ("A random number generator intended for use in cryptographic system"; the grammar error is in the BRs and the original ballot 164). So things like UUIDs and MACs are clearly not compliant on their own, and count for zero bits, regardless of how unpredictable they may or may not be.

In fact, I noticed last month that there's no requirement that random numbers used for domain control validation come from a CSPRNG. I intend to fix that this month ... maybe I'll fix the grammar error while I'm at it.

-Tim
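As an added illustration of the points made in this thread (this is example code, not from the thread, cablint, or any CA's issuance software): a serial built entirely from the OS CSPRNG with more than 64 bits of output, a length-only lint of the kind question #4 asks cablint for, and a demonstration of why such a lint passes a UUIDv1 serial even though the BRs would count it as zero bits. The function names, the 16-octet default, and the "flag anything that fits in 64 bits" heuristic are my assumptions; the 20-octet positive-integer limit is RFC 5280 4.1.2.2.

```python
import secrets
import uuid

# Constraints discussed in the thread (BR ballot 164) and in RFC 5280 4.1.2.2.
MIN_RANDOM_BITS = 64      # at least 64 bits of CSPRNG output in the serial
MAX_SERIAL_OCTETS = 20    # serialNumber is a positive INTEGER of at most 20 octets


def generate_serial(random_octets: int = 16) -> int:
    """Build a serial number entirely from CSPRNG output.

    secrets.token_bytes reads the OS CSPRNG. The sign bit of the first octet
    is cleared so the value is positive and its DER encoding never needs an
    extra leading 0x00, leaving 8*random_octets - 1 random bits.
    """
    if random_octets * 8 - 1 < MIN_RANDOM_BITS:
        raise ValueError("not enough CSPRNG output for 64 bits of randomness")
    if random_octets > MAX_SERIAL_OCTETS:
        raise ValueError("serial would exceed 20 octets")
    while True:
        raw = bytearray(secrets.token_bytes(random_octets))
        raw[0] &= 0x7F
        serial = int.from_bytes(raw, "big")
        if serial > 0:   # zero is not a valid serial; retry (practically never)
            return serial


def der_integer_octets(serial: int) -> int:
    """Content octets in the DER INTEGER encoding of a positive serial.
    DER prepends 0x00 when the top bit of the first content octet is set."""
    if serial <= 0:
        raise ValueError("serial must be positive")
    n = (serial.bit_length() + 7) // 8
    if serial.bit_length() % 8 == 0:   # top bit of the first octet is set
        n += 1
    return n


def lint_serial(serial: int) -> list[str]:
    """Length checks in the spirit of question #4 above (hypothetical lint).

    Length is only a necessary condition: a linter looking at one certificate
    cannot tell whether the bits came from a CSPRNG, which is the point of the
    reply about UUIDs and MACs counting for zero bits.
    """
    if serial <= 0:
        return ["serial is not a positive integer (RFC 5280 4.1.2.2)"]
    problems = []
    if der_integer_octets(serial) > MAX_SERIAL_OCTETS:
        problems.append("serial exceeds 20 octets (RFC 5280 4.1.2.2)")
    if serial.bit_length() <= MIN_RANDOM_BITS:
        problems.append("serial is 64 bits or shorter (question #4 heuristic)")
    return problems


def uuid1_serial_pair() -> tuple[int, int]:
    """Two UUIDv1 values as a CA on one host would mint them in succession.
    Both pass the length lint, yet the low 48 bits are the node identifier
    (identical for every certificate from this host) and the high bits are a
    timestamp, so very little of the 128 bits is unpredictable."""
    return uuid.uuid1().int, uuid.uuid1().int


def shared_low_bits(a: int, b: int, bits: int = 48) -> bool:
    """True when the two serials agree on their lowest `bits` bits."""
    mask = (1 << bits) - 1
    return (a & mask) == (b & mask)


if __name__ == "__main__":
    s = generate_serial()
    print(f"CSPRNG serial: {s:032x} lint={lint_serial(s)}")
    a, b = uuid1_serial_pair()
    print(f"UUIDv1 serials: {a:032x} {b:032x}")
    print("lint passes both:", lint_serial(a) == [] and lint_serial(b) == [])
    print("low 48 bits identical:", shared_low_bits(a, b))
```

Running the script shows the asymmetry Tim describes: the CSPRNG serial and the UUIDv1 serials all come back clean from the length lint, but the two UUIDv1 values share their entire node field, so compliance has to be established from how the CA generates serials, not from inspecting the issued certificate.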