Hello Jonathan,

the certificate has 64 bits of entropy in the "DNqualifier" field instead of 
the serial number field. 

Since 2012 we used this way of adding random bits to certificates to mitigate  
preimage attacks
From a security perspective the amount of Entropy in the certificate should be 

Do you see a security need for revoking the certificate?

Viele Grüße

Arno Fiedler
Standardization & Consulting
Bundesdruckerei GmbH
Kommandantenstraße 18 · 10969 Berlin · Deutschland

Tel. :    + 49 30 25 98 - 3009
Mobil: + 49 172 3053272

arno.fied...@bdr.de · www.bundesdruckerei.de

Sitz der Gesellschaft: Berlin · Handelsregister: AG Berlin-Charlottenburg HRB 
80443. USt.-IdNr.: DE 813210005
Aufsichtsratsvorsitzender: Willi Berchtold
Geschäftsführer: Ulrich Hamann (Vorsitzender), Christian Helfrich
This message is intended only for the use of the individual or entity to which 
it is addressed, and may contain information that is privileged, confidential 
and exempt from disclosure under applicable law. If the reader of this message 
is not the intended recipient, or the employee or agent responsible for 
delivering the message to the intended recipient, we hereby give notice that 
any dissemination, distribution or copying of this communication is strictly 
prohibited. If you have received this message in error, please delete the 
message and notify us immediately.
Diese Nachricht kann vertrauliche und gesetzlich geschützte Informationen 
enthalten. Sie ist ausschließlich für den Adressaten bestimmt. Wenn Sie nicht 
der beabsichtigte Adressat sind, möchten wir Sie hiermit darüber informieren, 
dass das Weiterleiten, Verteilen oder Kopieren dieser Mail nicht gestattet ist. 
Wenn Sie diese Mail irrtümlicherweise erhalten haben, informieren Sie uns bitte 
schnellstmöglich und löschen Sie bitte die Mail.

-----Ursprüngliche Nachricht-----
Von: Jonathan Rudenberg [mailto:jonat...@titanous.com] 
Gesendet: Dienstag, 8. August 2017 19:12
An: Fiedler, Arno
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Betreff: Re: Certificate issued by D-TRUST SSL Class 3 CA 1 2009 with short 

> On Aug 8, 2017, at 08:58, Fiedler, Arno via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> Dear Mozilla Security Policy Community,
> Thanks for the advice about the short serial numbers and apologies for the 
> delayed response.
> Since 2016, all D-TRUST TLS certificates based on electronic Certificate 
> Requests have a certificate serial number which includes 64 bits of entropy.
> Between 2012 and July 6th, 2017 we produced a small number of certificates 
> with  paper-based Certificate Registration Requests using 64 bits of entropy 
> in the "DNqualifier" field instead of the serial number field.
> Since the 7th of July, 2017, all D-TRUST TLS-Certificates have 64 bits of 
> entropy in the serial number.
> I hope this helps and please do not hesitate to contact us if there are any 
> further questions.

Hi Arno,

It doesn’t look like this certificate has been revoked yet? 

Can you explain why it hasn’t been revoked yet and when it will be?


dev-security-policy mailing list

Reply via email to