On 08/02/17 11:25, Jakob Bohm wrote:
> My logic is that adding additional entropy to a serial number whose
> length is fully controlled by CA procedures can increase the
> mitigations against SHA-1 weaknesses. For example if the existing CA
> setup uses all bits of the old serial number length for non-random
> values, then the required 64 random bits can simply be appended or
> prepended.
Requiring randomness in the serial number is only appropriate when some of the certificate contents are attacker-controlled. This is not true for an intermediate issued by a CA. And if the CA is an attacker, restricting them to a serial number of the same length (i.e. not arbitrary) makes it harder for them to engineer a collision.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
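The thread above is about where the 64 random bits go in a serial number whose length the CA's procedures control, and what that buys against chosen-prefix collisions. The following is an added example, written for this page and not code from the thread, from Mozilla or from any CA: it builds a serial as a CA-controlled prefix with 64 bits of CSPRNG output appended below it (the "append" option Jakob describes), and checks the two structural constraints RFC 5280 section 4.1.2.2 puts on the field (positive INTEGER, DER content no longer than 20 octets), which is where a prepended or appended random block can silently overflow. All function and constant names are mine.

```python
"""
Added example, not from the mailing-list thread.

Serial numbers with >= 64 bits of CSPRNG output (CA/Browser Forum Baseline
Requirements 7.1) while respecting RFC 5280 4.1.2.2: the serialNumber is a
positive INTEGER and conforming CAs MUST NOT use values longer than 20 octets.
"""
import secrets

MAX_SERIAL_OCTETS = 20   # RFC 5280 4.1.2.2 limit on the DER INTEGER content
MIN_RANDOM_BITS = 64     # BR 7.1: at least 64 bits of CSPRNG output


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value.

    DER INTEGER is two's complement, so a value whose top bit is set needs a
    leading 0x00 octet; without it the number would decode as negative. This
    is why a 160-bit serial does not fit in 20 octets but a 159-bit one does.
    """
    if value < 0:
        raise ValueError("serial numbers must be positive")
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def fits_serial_limit(prefix_bits: int, random_bits: int) -> bool:
    """True if every prefix/random combination of these widths encodes in
    at most MAX_SERIAL_OCTETS. Checks the all-ones (worst-case) value."""
    widest = (1 << (prefix_bits + random_bits)) - 1
    return len(der_integer_content(widest)) <= MAX_SERIAL_OCTETS


def make_serial(fixed_prefix: int = 0, prefix_bits: int = 0,
                random_bits: int = MIN_RANDOM_BITS) -> int:
    """Build serial = <CA-controlled prefix> || <random_bits of CSPRNG output>.

    prefix_bits is the width the CA reserves for its own non-random value
    (hypothetical example: an issuer or HSM slot identifier); the random
    block is appended below it. The width check is done up front so a CA
    cannot configure a layout that only fails on some random draws.
    """
    if random_bits < MIN_RANDOM_BITS:
        raise ValueError(f"need at least {MIN_RANDOM_BITS} random bits")
    if fixed_prefix < 0 or fixed_prefix >= (1 << prefix_bits):
        raise ValueError("prefix does not fit in prefix_bits")
    if not fits_serial_limit(prefix_bits, random_bits):
        raise ValueError("prefix_bits + random_bits exceed the 20-octet limit")
    while True:
        serial = (fixed_prefix << random_bits) | secrets.randbits(random_bits)
        # Zero is not a valid serial. With a zero prefix and 64 random bits
        # this retry is astronomically rare, but the rule is absolute.
        if serial != 0:
            return serial


def check_serial_encoding(serial: int) -> list:
    """Return the structural problems with a serial (empty list means OK).

    Only what is visible in a single value can be checked here: sign and
    encoded length. Whether 64 of its bits came from a CSPRNG is a property
    of the CA's issuance process, not of the number, and is audited separately.
    """
    problems = []
    if serial <= 0:
        problems.append("serial must be greater than zero")
        return problems
    n = len(der_integer_content(serial))
    if n > MAX_SERIAL_OCTETS:
        problems.append(f"DER INTEGER content is {n} octets, limit is {MAX_SERIAL_OCTETS}")
    return problems


if __name__ == "__main__":
    # Hypothetical layout: 8-bit issuer tag 0xCA followed by 64 random bits.
    s = make_serial(fixed_prefix=0xCA, prefix_bits=8)
    print(f"serial: {s:#x}  DER content: {der_integer_content(s).hex()}")
    print("problems:", check_serial_encoding(s) or "none")
```

Two things the numbers make concrete: a prefix wider than 95 bits cannot coexist with 64 random bits (96 + 64 = 160 bits needs a sign octet and so 21 octets), and 2^159 is rejected while 2^159 - 1 passes, which is the boundary that trips CAs who reason in "20 bytes" rather than DER octets.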

