On 2016-04-29 09:42, Nick Lamb wrote:
I'm sure Rob can give a more technical answer, but my understanding is that crt.sh doesn't (and probably can't) detect that individual certificates have enough entropy, instead it flags certificates based on the length of the serial numbers. So it's neither sufficient nor necessary that every certificate from an issuer should pass the test in crt.sh, but it is very suspicious if many or all certificates from a particular issuer fail this test.
I think it's the output of certlint that gives that. My understanding is that it gives that warning when the serial is not long enough. If it's 56 bit instead of 64 bit, there is only a 1/256 chance that that certificate has 64 bit random bits. If all certificates only have 56 bit, the chance that it has 64 unpredictable bits approaches 0 very fast.
The current BRs talk about 20 bit entropy instead. You really need to check that over multiple certificates and can then calculate something like the Shannon entropy or min entropy.
Kurt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
