> On Aug 10, 2017, at 07:55, Fiedler, Arno via dev-security-policy
> <firstname.lastname@example.org> wrote:
> Hello Jonathan,
> the certificate has 64 bits of entropy in the "DNqualifier" field instead of
> the serial number field.
> Since 2012 we have used this way of adding random bits to certificates to
> mitigate preimage attacks.
> From a security perspective the amount of entropy in the certificate should
> be reasonable.
> Do you see a security need for revoking the certificate?
1) The dnQualifier appears to have a 33-bit number, not a 64-bit number.
2) One of the SAN dnsNames is "www.lbv-gis.brandenburg.de/lbvagszit", which is
3) The Baseline Requirements are extremely clear about this:
> The CA SHALL revoke a Certificate within 24 hours if one or more of the
> following occurs:
> 9. The CA is made aware that the Certificate was not issued in accordance
> with these Requirements or the CA’s Certificate Policy or Certification
> Practice Statement;
So yes, I believe this certificate needs to be revoked immediately. It should
have been revoked within 24 hours of learning about it. I believe July 20th was
the latest date that you could have learned about it, when Gerv sent a
notification to you.
dev-security-policy mailing list
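The disagreement above is about how much randomness a certificate field actually carries: the CA says 64 bits in the dnQualifier, the reply counts a 33-bit number. The following is an added example, not code from this thread, from the CA, or from any Mozilla tooling. It takes field values as they would be printed from a certificate (decimal, `0x`-prefixed hex, or colon-separated hex) and reports the bit length of each value, which is an upper bound on the entropy it could carry, plus a spread heuristic across several certificates from the same issuer. All sample values are constructed and do not come from the certificate discussed. It goes a little beyond the thread by applying the same check to serial numbers in general, since that is where the Baseline Requirements expect the random bits to live.

```python
"""Upper-bound the randomness carried by a numeric certificate field.

Added example (not from the mailing-list thread). A value's bit length
caps the entropy it can contain: a 33-bit number cannot hold 64 random
bits. The converse does not hold, so a high bit count proves nothing by
itself; the spread check across several certificates catches counters.
"""
from typing import Dict, Iterable, List

# Baseline Requirements ask for at least 64 bits of CSPRNG output in the
# serial number; a CA that puts its randomness elsewhere still needs 64.
REQUIRED_BITS = 64

# A genuinely random 64-bit value starts with k leading zero bits with
# probability 2**-k, so allow a little slack before calling it short.
SLACK_BITS = 8


def parse_field(value: str) -> int:
    """Parse a field value as printed by common tooling.

    '0x..' and 'aa:bb:..' are hex; an all-digit string is decimal;
    anything else is taken as bare hex.
    """
    v = value.strip().lower()
    if v.startswith("0x"):
        return int(v[2:], 16)
    if ":" in v:
        return int(v.replace(":", ""), 16)
    if v.isdigit():
        return int(v, 10)
    return int(v, 16)


def field_bit_length(value: str) -> int:
    """Bits needed to represent the value: an upper bound on its entropy."""
    return parse_field(value).bit_length()


def audit(values: Iterable[str], required_bits: int = REQUIRED_BITS) -> Dict[str, object]:
    """Check a set of field values from one issuer for plausible randomness.

    max_bits:    largest bit length seen (random 64-bit values reach 64 quickly)
    spread_bits: bit length of (max - min); a counter-like field stays tiny here
    sufficient:  both measures are within SLACK_BITS of the requirement
    """
    ints: List[int] = [parse_field(v) for v in values]
    if not ints:
        raise ValueError("no values to audit")
    max_bits = max(n.bit_length() for n in ints)
    spread_bits = (max(ints) - min(ints)).bit_length()
    threshold = required_bits - SLACK_BITS
    return {
        "max_bits": max_bits,
        "spread_bits": spread_bits,
        "sufficient": max_bits >= threshold and spread_bits >= threshold,
    }


# Constructed sample: three dnQualifier-style decimal values that never
# exceed 33 bits (2**33 - 1 = 8589934591), mirroring the thread's finding.
SAMPLE_DNQUALIFIERS = ["8589934591", "4294967296", "7000000000"]

# Constructed sample: three serial numbers that look like 64 bits of CSPRNG
# output, in the colon-separated form openssl prints.
SAMPLE_SERIALS = [
    "9f:3a:7c:1e:5b:2d:46:80",
    "2c:8e:1d:7f:6a:4b:3e:95",
    "e7:1b:4a:9c:0d:3f:28:56",
]


if __name__ == "__main__":
    for label, sample in (("dnQualifier", SAMPLE_DNQUALIFIERS), ("serial", SAMPLE_SERIALS)):
        for v in sample:
            print(f"{label} {v}: {field_bit_length(v)} bits")
        print(f"{label} audit: {audit(sample)}")
```

Run it on values copied from `openssl x509 -noout -serial` (or the dnQualifier printed from the subject) for a handful of certificates from the same CA; a low `max_bits` or a tiny `spread_bits` is a reason to ask the issuer where the 64 bits actually are.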