Re: [openssl-users] More on cert serialnumbers

2017-08-18 Thread Erwann Abalea via openssl-users
> Le 18 août 2017 à 15:18, Mark H. Wood a écrit : > > On Thu, Aug 17, 2017 at 03:29:56PM +, Erwann Abalea via openssl-users > wrote: >> The BR are for public CAs, not private CAs; even if some of those >> requirements are considered « good practice » (the 64 bits out of a CSPRNG >> is suc

Re: [openssl-users] More on cert serialnumbers

2017-08-18 Thread Mark H. Wood
On Thu, Aug 17, 2017 at 03:29:56PM +, Erwann Abalea via openssl-users wrote: > The BR are for public CAs, not private CAs; even if some of those > requirements are considered « good practice » (the 64 bits out of a CSPRNG is > such a req), they cannot be forced on private CAs. > And unless so

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Robert Moskowitz
Erwann, thank you for your response. On 08/17/2017 11:29 AM, Erwann Abalea via openssl-users wrote: Bonjour, Le 17 août 2017 à 17:10, Robert Moskowitz a écrit : On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote: And RFC 5280, which is still the standard, says serial# must be <=

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Erwann Abalea via openssl-users
Bonjour, > Le 17 août 2017 à 17:10, Robert Moskowitz a écrit : > > > > On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote: >> And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. >> Which means, you want to make sure the high bit is off, else the DER >> encod

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 10:49 AM, Karl Denninger wrote: On 8/17/2017 09:40, Robert Moskowitz wrote: I have been researching serial number in cert based on Jakob's comment: "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers. Note that th

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Robert Moskowitz
On 08/17/2017 10:50 AM, Salz, Rich via openssl-users wrote: And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. Which means, you want to make sure the high bit is off, else the DER encoding will make it 21 bytes. So the new -rand_serial flag I am adding to the CA co

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Karl Denninger
On 8/17/2017 09:40, Robert Moskowitz wrote: > I have been researching serial number in cert based on Jakob's comment: > > "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as > standalone > numbers and as DER-encoded numbers. Note that this is not the > default in > the openssl c

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Salz, Rich via openssl-users
And RFC 5280, which is still the standard, says serial# must be <= 20 bytes. Which means, you want to make sure the high bit is off, else the DER encoding will make it 21 bytes. So the new -rand_serial flag I am adding to the CA command will call RAND_bytes to get 18 bytes. On 8/17/17,

Re: [openssl-users] More on cert serialnumbers

2017-08-17 Thread Salz, Rich via openssl-users
https://cabforum.org/2016/07/08/ballot-164/ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] More on cert serialnumbers

2017-08-17 Thread Robert Moskowitz
I have been researching serial number in cert based on Jakob's comment: "- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as standalone numbers and as DER-encoded numbers. Note that this is not the default in the openssl ca program. - Serial numbers contain cryptographically s