Re: Serial number length

2018-01-09 Thread Gervase Markham via dev-security-policy
Hi, On 29/12/17 06:24, Jakob Bohm wrote: > 1. Do all recently issued certificates have to contain at least 64 bits >   of randomness in their serial numbers? Yes. (References given by others.) > 2. Is it acceptable for a CA to satisfy this requirement by generating >   random 64 bit serial

RE: Serial number length

2018-01-02 Thread Tim Hollebeek via dev-security-policy
@lists.mozilla.org > Subject: Re: Serial number length > > On December 29, 2017 at 12:27:35 PM, David E. Ross via dev-security-policy ( > dev-security-policy@lists.mozilla.org) wrote: > > On 12/28/2017 10:33 PM, Peter Bowen wrote: > > On Thu, Dec 28, 2017 at 10:24 PM, Jakob Bohm

Re: Serial number length

2018-01-01 Thread Jakob Bohm via dev-security-policy
I was exploring what legitimate reasons/excuses there could be for a CA to have serial numbers that happen to be 64 bits long, not good ways to generate serial numbers. The overall context is to propose automated tests to be run against CT data or other certificates to detect CAs that fail to

Re: Serial number length

2017-12-29 Thread Paul Kehrer via dev-security-policy
On December 29, 2017 at 12:27:35 PM, David E. Ross via dev-security-policy ( dev-security-policy@lists.mozilla.org) wrote: On 12/28/2017 10:33 PM, Peter Bowen wrote: > On Thu, Dec 28, 2017 at 10:24 PM, Jakob Bohm via dev-security-policy > wrote: >> After

Re: Serial number length

2017-12-29 Thread David E. Ross via dev-security-policy
On 12/28/2017 10:33 PM, Peter Bowen wrote: > On Thu, Dec 28, 2017 at 10:24 PM, Jakob Bohm via dev-security-policy > wrote: >> After looking at some real certificates both in the browser and on crt.sh, I >> have some followup questions on certificate serial

Re: Serial number length

2017-12-29 Thread Ryan Sleevi via dev-security-policy
Or just generate longer serials with random. Which is much simpler. On Fri, Dec 29, 2017 at 11:57 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 29/12/2017 13:55, Nick Lamb wrote: > >> On Fri, 29 Dec 2017 07:24:31 +0100 >> Jakob Bohm via

Re: Serial number length

2017-12-29 Thread Jakob Bohm via dev-security-policy
On 29/12/2017 13:55, Nick Lamb wrote: On Fri, 29 Dec 2017 07:24:31 +0100 Jakob Bohm via dev-security-policy wrote: 3. Or would the elimination in #2 reduce the entropy of such serial numbers to slightly less than 64 bits (since there are less than

Re: Serial number length

2017-12-29 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 29, 2017 at 1:24 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > After looking at some real certificates both in the browser and on crt.sh, > I have some followup questions on certificate serial numbers: > > 1. Do all recently issued

Re: Serial number length

2017-12-29 Thread Nick Lamb via dev-security-policy
On Fri, 29 Dec 2017 07:24:31 +0100 Jakob Bohm via dev-security-policy wrote: > 3. Or would the elimination in #2 reduce the entropy of such serial >numbers to slightly less than 64 bits (since there are less than > 2**64 allowed values for all but the

Re: Serial number length

2017-12-28 Thread Peter Bowen via dev-security-policy
On Thu, Dec 28, 2017 at 10:24 PM, Jakob Bohm via dev-security-policy wrote: > After looking at some real certificates both in the browser and on crt.sh, I > have some followup questions on certificate serial numbers: > > 4. If the answers are yes, no, yes,
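
The three points the snippets above turn on (a 64-bit draw kept to 8 DER octets carries slightly under 64 bits, a longer random serial avoids the problem, and a CT-style screen can flag CAs whose serials never need 64 magnitude bits), worked through as an added example that is not code from any message in this thread. The helper names, the 128-bit choice and the sample sizes are this example's own assumptions; the 64-CSPRNG-bit floor (CA/B Forum Baseline Requirements) and the 20-octet limit (RFC 5280 section 4.1.2.2) are the real constraints.

```python
"""Serial-number entropy: added example, not code from the thread.

Models three things the thread touches on:
  * a serial drawn as 64 bits but kept to 8 DER content octets (top bit
    clear, so the INTEGER stays positive) carries log2(2**63 - 1) bits;
  * drawing more bits (e.g. 128) and letting DER add its sign octet
    avoids the problem entirely;
  * a population-level screen over DER serials, of the kind one could run
    over CT data, that flags a CA whose serials never need 64 magnitude bits.
Helper names and constants other than the two cited limits are assumptions.
"""
from __future__ import annotations

import math
import secrets

MAX_SERIAL_OCTETS = 20   # RFC 5280 s4.1.2.2: serialNumber content at most 20 octets
MIN_CSPRNG_BITS = 64     # CA/B Forum Baseline Requirements: >= 64 bits of CSPRNG output


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER holding a positive value.

    DER integers are two's-complement, so a magnitude whose top bit is set
    gets a leading 0x00 octet; 64 magnitude bits therefore need 9 octets.
    """
    if value <= 0:
        raise ValueError("serialNumber must be a positive integer")
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def serial_fixed_8_octets() -> int:
    """Draw 64 bits but reject any value that would need a 9th DER octet.

    One way a CA ends up with serials that are 'always 64 bits long':
    the accepted values are 1 .. 2**63-1, i.e. fewer than 2**64 of them.
    """
    while True:
        candidate = secrets.randbits(64)
        if candidate and not candidate >> 63:
            return candidate


def entropy_bits_fixed_8_octets() -> float:
    """Entropy of serial_fixed_8_octets(): log2 of the 2**63 - 1 accepted values."""
    return math.log2(2**63 - 1)


def serial_random(bits: int = 128) -> int:
    """Draw `bits` CSPRNG bits and accept any positive result (the longer-serial
    approach). DER may then need up to bits // 8 + 1 content octets."""
    if bits < MIN_CSPRNG_BITS:
        raise ValueError(f"need at least {MIN_CSPRNG_BITS} CSPRNG bits")
    if bits // 8 + 1 > MAX_SERIAL_OCTETS:
        raise ValueError("encoding could exceed 20 octets")
    while True:
        candidate = secrets.randbits(bits)
        if candidate:                      # zero is forbidden; probability 2**-bits
            return candidate


def screen_ca_serials(der_serials: list[bytes]) -> dict:
    """Population-level screen (a heuristic, not proof of (non)compliance).

    A CA drawing >= 64 CSPRNG bits sets magnitude bit 63 in at least half
    of its serials, so over n serials the chance that none needs 64
    magnitude bits is at most 2**-n. Per-serial encoding faults are reported too.
    """
    problems = []
    max_magnitude_bits = 0
    for i, content in enumerate(der_serials):
        if not content:
            problems.append((i, "empty"))
            continue
        if len(content) > MAX_SERIAL_OCTETS:
            problems.append((i, "longer than 20 octets"))
        if content[0] & 0x80:
            problems.append((i, "negative"))
            continue
        value = int.from_bytes(content, "big")
        if value == 0:
            problems.append((i, "zero"))
            continue
        max_magnitude_bits = max(max_magnitude_bits, value.bit_length())
    n = len(der_serials)
    suspicious = n > 0 and max_magnitude_bits < MIN_CSPRNG_BITS
    return {
        "count": n,
        "max_magnitude_bits": max_magnitude_bits,
        "false_positive_bound": 2.0 ** -n if suspicious else 0.0,
        "suspicious": suspicious,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample populations standing in for per-CA serials pulled from CT.
    fixed = [der_integer_content(serial_fixed_8_octets()) for _ in range(40)]
    longer = [der_integer_content(serial_random(128)) for _ in range(40)]
    print("fixed 8-octet CA :", screen_ca_serials(fixed))
    print("128-bit CA       :", screen_ca_serials(longer))
    print("entropy of fixed :", entropy_bits_fixed_8_octets())
```

The screen only looks at magnitude bit length across a sample, so it can flag a CA that consistently clips to 8 octets or uses short counters, but it cannot tell a CSPRNG from a good-looking deterministic sequence; that is a property of the CA's generator, not of the certificates.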