Deb, I agree with your analysis: I find the existing text sufficient. Conversely, I worry that specifying entropy in terms of "generating X characters from the base64url alphabet" is likely to go wrong, with people handcrafting random selection algorithms. The spec does try to allow for multiple implementations, but as an FYI what we do in Boulder is generate 32 random _bytes_ and then encode them into base64url:
https://github.com/letsencrypt/boulder/blob/c1f7de06e9f82fb6b7a599795fe7e37209733d9f/core/util.go#L62-L75 Lloyd, for general interest, this spec aimed to be compatible with the Baseline Requirements of the time (though now the direction has flipped, and the BRs normatively reference this spec). But the BRs still say: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.1.pdf > Random Value: A value specified by a CA to the Applicant that exhibits at > least 112 bits of entropy. And that definition is still used in the non-ACME validation methods. _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
