On 08/21/2017 09:20 AM, Salz, Rich via openssl-users wrote:
But in doing this, I can't figure out if there is a risk on serial
number size for a root CA cert as there is for any other cert.
I don’t understand what attack you are concerned about, but the size of the
serial number should not matter for *any* certificate.
This whole subject is tied into the substitution attack found with using
an MD5 hash where you could change some things in the cert and still
have a valid cert. The solution, besides dropping MD5, was to include a
crypto random number in the beginning of the cert, and the serial was
chosen for this sacrifice. Thus how large does this random number have
to be to defend against this attack? is 8 octets enough or is 20 needed?
This is to make another valid cert with a different keypair. OK, I get
this for a cert signed by an issuer. But the root issuer? I don't see
the attack. Thus no need to push the root cert's serial to 20 octets.
I know I am a little cavalier in describing the attack, but that was the
basic point of why to move away from sequential serials to random and
what size (though there are other things about CAs that can be
discovered by analyzing the sequential serial numbers they used).
Meanwhile, I was wrong that -set_serial works with 'openssl ca'. The man
page was talking about in conjunction with the -CA option. With 'openssl
ca' use of the serial file is mandatory according to the man page.
There are no command line options for it.
Bob
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
