On 12/19/14 2:18 PM, Bruce wrote:
On Friday, December 19, 2014 5:15:24 PM UTC-5, Bruce wrote:
On Friday, December 19, 2014 7:40:46 AM UTC-5, Erwann Abalea wrote:
So far, Entrust is the last of the big CAs who still uses sequential serial
numbers when CABF BR and Mozilla Policy impose at least 20 bits of entropy
(Microsoft requires at least 64 bits).
Entrust is in process of switching all CAs to use serial numbers with at least
20 bits of entropy. We will se this implemented in 2015. In the interim,
Entrust has implemented entropy in the validity fields to mitigate a SHA-1
collision attack.
Bruce.
Please note that our serial number implementation will meet the Microsoft
requirement of at least 64 bits.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
"9. ... all new end-entity certificates must contain at least 20 bits of
unpredictable random data (preferably in the serial number)."
So, I believe the "3-bytes of randomness in the valid to/from date
fields" is OK for now. Though, the sooner the serial number entropy is
implemented, the better.
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
