Hello,

On Monday, 1 December 2014 at 23:29:31 UTC+1, Kathleen Wilson wrote:
[...]
> * The primary documents are in English
>
> Document Repository: http://www.entrust.net/CPS
>
> CPS: http://www.entrust.net/CPS/pdf/SSL-CPS-English-20140304-Version-2-11.pdf
>
> EV CPS: http://www.entrust.net/CPS/pdf/EV-SSL-CPS-English-20140304-v1-6.pdf
[...]
> * Test Websites
> https://validg2.entrust.net/
> https://validec.entrust.net

So far, Entrust is the last of the big CAs that still uses sequential serial numbers, while the CABF BR and the Mozilla Policy impose at least 20 bits of entropy (Microsoft requires at least 64 bits). In its January 2013 communication to CAs, Mozilla requested a database scan of issued certificates, along with checks and answers from CAs. One of the questions was about entropy in serial numbers. Entrust's answer was: "[...] Entrust will be changing the issuance to have random data in the serial number." That didn't happen.

The current Mozilla CA Policy (version 2.2) adopts CABF BR 1.1.5. What is Mozilla's position about duplicate serial numbers? BR 1.2.2 added an exemption for CT, to allow pre-certs to be issued under the same CA and have the same serial number as the final certificate. The example certificate for validg2.entrust.net was renewed on Dec 17, and the new one is CT-enabled. Its precert was issued under the same CA as the final cert, so technically 2 certificates with the same serial number have been issued under the same CA.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
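As an added example (not from this thread or from any CA's tooling), here is the kind of issued-certificate scan the Mozilla questionnaire asked CAs to run: it flags serials too short for the 64-bit or 20-bit minimum, detects counter-like issuance, and reports duplicate serials under one CA while honouring the BR 1.2.2 precert exemption. Issuer names and serial values are constructed.

```python
from dataclasses import dataclass

# Minimums discussed in the thread: CABF BR / Mozilla policy vs. the stricter Microsoft rule.
MOZILLA_MIN_BITS = 20
MICROSOFT_MIN_BITS = 64


@dataclass(frozen=True)
class IssuedCert:
    issuer: str            # issuing CA, e.g. its DN (sample values below are constructed)
    serial: int            # certificate serialNumber as an integer
    precert: bool = False  # True for a CT precertificate


def low_entropy(certs, min_bits=MICROSOFT_MIN_BITS):
    """Certs whose serial is too short to hold min_bits of entropy. bit_length()
    is only an upper bound: a long counter passes here, see looks_sequential()."""
    return [c for c in certs if c.serial.bit_length() < min_bits]


def looks_sequential(serials, max_gap=16):
    """Heuristic: three or more distinct serials whose sorted neighbours all lie
    within max_gap of each other behave like a counter, not like random data."""
    s = sorted(set(serials))
    return len(s) >= 3 and all(b - a <= max_gap for a, b in zip(s, s[1:]))


def duplicate_serials(certs):
    """(issuer, serial) pairs issued more than once under the same CA, honouring
    the BR 1.2.2 CT exemption: one precert plus one final cert is not reported."""
    groups = {}
    for c in certs:
        groups.setdefault((c.issuer, c.serial), []).append(c)
    violations = []
    for key, group in groups.items():
        precerts = sum(1 for c in group if c.precert)
        finals = len(group) - precerts
        if len(group) > 1 and not (precerts == 1 and finals == 1):
            violations.append(key)
    return sorted(violations)


# Constructed sample: a counter-based CA with one allowed precert/final pair and
# one genuine duplicate, plus a CA that uses 64-bit random-looking serials.
SAMPLE = [
    IssuedCert("CN=Counter CA", 0x1001),
    IssuedCert("CN=Counter CA", 0x1002),
    IssuedCert("CN=Counter CA", 0x1003),
    IssuedCert("CN=Counter CA", 0x1004, precert=True),
    IssuedCert("CN=Counter CA", 0x1004),
    IssuedCert("CN=Counter CA", 0x1002),
    IssuedCert("CN=Random CA", 0x9F3A5C1D7E2B4068),
    IssuedCert("CN=Random CA", 0xC7E4D2A91C6F3558),
]
```

Run over a real export of issued certificates, only the precert/final pair for 0x1004 is tolerated; the second final certificate with serial 0x1002 is reported as a duplicate under the same CA.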

