Re: [openssl-users] Re: How to disable index and serial?
Ah. I did not understand that "referenced by browser vendors" meant we were talking about inclusion in their canned trust stores. Thanks, both of you.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: [openssl-users] Re: How to disable index and serial?
On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote:
> In order to be referenced by browser vendors (Opera comes to mind, and I
> think Mozilla will require this), the serial number MUST be random (or at
> least *appear* random from the outside).

Oh, now I'm curious. How do they test the randomness of a single sample? 1 is every bit as random (or nonrandom) as 0xdcb4a459f014617692d112f0942c89cb.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: [openssl-users] Re: How to disable index and serial?
On 12 January 2011 (Hodie pr. Id. Ian. MMXI), Mark H. Wood wrote:
> On Tue, Jan 11, 2011 at 07:23:54PM +0100, Erwann ABALEA wrote:
> > In order to be referenced by browser vendors (Opera comes to mind, and I
> > think Mozilla will require this), the serial number MUST be random (or at
> > least *appear* random from the outside).
>
> Oh, now I'm curious. How do they test the randomness of a single sample? 1
> is every bit as random (or nonrandom) as 0xdcb4a459f014617692d112f0942c89cb.

That's not how it's done. When you apply for your Root CA to be referenced in a product, you supply your CP and CPS, and audit results. It's the auditor's job to ask how the serial is generated, in order to check that you really do what you say you do. Lying during the audit is of course technically possible, but it will surely be discovered one day, and you'll lose your business.

-- 
Erwann ABALEA   erwann.aba...@keynectis.com
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: [openssl-users] Re: How to disable index and serial?
On 1/12/2011 6:48 AM, Mark H. Wood wrote:
> Oh, now I'm curious. How do they test the randomness of a single sample? 1
> is every bit as random (or nonrandom) as 0xdcb4a459f014617692d112f0942c89cb.

They don't validate the number itself; they validate that the method by which the number was claimed to be generated meets the requirements for randomness, and that the number was in fact generated by the method by which it was claimed to be generated. One way is to have an auditor present during an ISO 21188 root key ceremony. Typically, the auditor examines the videotape of the root key ceremony, the notarized log book, the signed statements of the signatory and lawyer witnesses, and if necessary, questions the signatory witnesses.

DS
Re: [openssl-users] Re: How to disable index and serial?
On 11 January 2011 (Hodie III Id. Ian. MMXI), Peter Sylvester wrote:
> by using the command x509 and not ca for example. you can use a serial
> number based on a date (seconds plus processid for example) to guarantee
> uniqueness.

More on this. A serial number MUST be unique (by X.509 design), and SHOULD be random (best practices, to avoid attacks with non-collision-resistant hash functions). In order to be referenced by browser vendors (Opera comes to mind, and I think Mozilla will require this), the serial number MUST be random (or at least *appear* random from the outside).

-- 
Erwann ABALEA   erwann.aba...@keynectis.com
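The thread never shows how to mint a serial that is both unique and unpredictable without the index/serial files that "openssl ca" keeps. The shell script below is an added example (not from the thread, and not OpenSSL's own tooling) of the "use x509, not ca" approach Peter Sylvester mentions: it draws the serial from the OS CSPRNG, keeps it inside the RFC 5280 section 4.1.2.2 constraints (a positive, non-zero integer whose DER encoding is at most 20 octets), and passes it to "openssl x509 -set_serial". For context: the current CA/Browser Forum Baseline Requirements require at least 64 bits of CSPRNG output in every serial, and the 2008 rogue-CA demonstration against MD5-signed certificates, the best-known of the attacks Erwann alludes to, depended on the target CA issuing predictable sequential serials. The file names ca.crt, ca.key, req.csr and cert.crt, the 16-byte serial size, and the availability of /dev/urandom, od, cut and tr are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the openssl-users thread: random X.509 serials with
# "openssl x509" instead of "openssl ca", so no index.txt / serial files.
# Assumed (not from the thread): /dev/urandom, POSIX od/cut/tr, and the files
# ca.crt, ca.key, req.csr when sign_csr is called.

SERIAL_BYTES=16   # 128 bits of CSPRNG output; RFC 5280 caps the encoding at 20 octets

# gen_serial [nbytes]: print a lowercase hex serial drawn from the OS CSPRNG.
# The top bit of the first byte is cleared so the DER INTEGER is positive
# without a leading 0x00 pad (which would push a 20-byte serial to 21 octets).
# An all-zero result is rejected because the serial must be > 0.
gen_serial() {
    n=${1:-$SERIAL_BYTES}
    while :; do
        raw=$(head -c "$n" /dev/urandom | od -An -v -tx1 | tr -d ' \n')
        first=$(( 0x$(printf '%s' "$raw" | cut -c1-2) & 0x7f ))
        rest=$(printf '%s' "$raw" | cut -c3-)
        hex=$(printf '%02x%s' "$first" "$rest")
        case "$hex" in
            *[1-9a-f]*) printf '%s\n' "$hex"; return 0 ;;
        esac
        # astronomically unlikely all-zero value: draw again
    done
}

# check_serial hex: succeed only if the serial is well formed for RFC 5280:
# even-length lowercase hex, 1..20 bytes, positive (top bit clear), non-zero.
check_serial() {
    s=$1
    case "$s" in ''|*[!0-9a-f]*) return 1 ;; esac
    len=${#s}
    [ $((len % 2)) -eq 0 ] || return 1
    [ "$len" -le 40 ] || return 1          # at most 20 octets
    case "$s" in [89a-f]*) return 1 ;; esac # negative INTEGER (top bit set)
    case "$s" in *[1-9a-f]*) return 0 ;; *) return 1 ;; esac   # zero not allowed
}

# sign_csr: issue cert.crt from req.csr, supplying the serial explicitly.
# No index or serial file is touched; uniqueness comes from the 127 random bits.
sign_csr() {
    serial=$(gen_serial)
    check_serial "$serial" || { echo "refusing malformed serial $serial" >&2; return 1; }
    openssl x509 -req -in req.csr -CA ca.crt -CAkey ca.key \
        -set_serial "0x$serial" -days 365 -sha256 -out cert.crt
}

# Usage: "sh serial.sh" prints a fresh serial; "sh serial.sh sign" signs req.csr.
if [ "${1-}" = sign ]; then sign_csr; else gen_serial; fi
```

Because "openssl x509 -set_serial" takes the value as an integer, a date or PID based serial as Peter suggests would be unique but predictable; drawing it from the CSPRNG gives uniqueness for free (a collision among 127-bit values is far less likely than a hardware fault) and removes the predictability that chosen-prefix collision attacks need.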