On Thursday, August 10, 2017 at 11:27:53 AM UTC-5, Nick Lamb wrote:
> The truth is that there is no positive test for randomness, any work in this
> area is going to end up needing a judgement call, so I think inconveniencing
> the CAs even a small amount with such a policy change just to make automated
> testing easier isn't the right trade off. If there happens to be some future
> work in this policy area and the opportunity is taken to incorporate
> Jonathan's wording I have no problem with that, but I definitely don't think
> Mozilla should insist on it for its own sake.
Further to the point that Nick made, merely ensuring that the serial number field is represented as at least eight bytes prior to DER encoding still does not tell you whether or not the CA truly incorporated 64 bits of randomness in the serial number versus, for example, packing together 32 bits of randomness and 32 bits of sequence number.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
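The following is an added example, not part of the thread and not code from any CA or from Mozilla. It models the two constructions the post contrasts (64 CSPRNG bits versus 32 random bits packed above a 32-bit issuance counter; the packing scheme is hypothetical, as in the post) and runs the proposed "at least eight bytes before DER encoding" check over both. It also includes a minimal DER INTEGER encoder to show the sign-padding byte that makes some 64-bit serials encode to nine octets, and one narrow defender-side heuristic that only catches this particular counter pattern.

```python
"""Added example: why an eight-byte length requirement on certificate serial
numbers cannot tell a 64-bit CSPRNG serial apart from 32 random bits packed
next to a 32-bit sequence number."""
import secrets
from typing import Iterable, Optional


def raw_byte_length(serial: int) -> int:
    """Bytes needed to hold the serial before DER encoding; this is the
    quantity the proposed "at least eight bytes" policy wording refers to."""
    return max(1, (serial.bit_length() + 7) // 8)


def der_encode_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02, short-form
    length). DER prepends 0x00 when the top bit is set so the value is not
    read as negative, which is why a 64-bit random serial sometimes occupies
    nine content octets rather than eight."""
    if value < 0:
        raise ValueError("certificate serial numbers must be positive")
    content = value.to_bytes(raw_byte_length(value), "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    if len(content) > 127:
        raise ValueError("short-form length only; serials are at most 20 octets")
    return b"\x02" + bytes([len(content)]) + content


def passes_eight_byte_check(serial: int) -> bool:
    """The automated test under discussion: at least 8 bytes before DER encoding."""
    return raw_byte_length(serial) >= 8


def serial_fully_random() -> int:
    """What the policy intends: 64 bits taken directly from a CSPRNG."""
    return secrets.randbits(64)


def serial_random_plus_counter(counter: int, random_part: Optional[int] = None) -> int:
    """The construction the post gives as a counterexample (hypothetical CA
    behaviour): 32 random bits packed above a 32-bit issuance counter."""
    if not 0 <= counter < 2**32:
        raise ValueError("counter must fit in 32 bits")
    if random_part is None:
        random_part = secrets.randbits(32)
    return (random_part << 32) | counter


def low32_is_counter(serials: Iterable[int]) -> bool:
    """Defender-side heuristic: True when the low 32 bits of consecutive
    serials step by exactly one. It recognises this one packing scheme and
    nothing else, which is the point: there is no positive test for randomness,
    only tests for specific non-random structures."""
    low = [s & 0xFFFFFFFF for s in serials]
    return len(low) >= 2 and all(b - a == 1 for a, b in zip(low, low[1:]))


if __name__ == "__main__":
    # Constructed demo batch: five certificates issued in a row by the
    # hypothetical random-plus-counter CA, starting at counter 1000.
    batch = [serial_random_plus_counter(1000 + i) for i in range(5)]
    print("packed serials all pass 8-byte check:",
          all(passes_eight_byte_check(s) for s in batch))
    print("low 32 bits look like a counter:", low32_is_counter(batch))
    genuine = [serial_fully_random() for _ in range(5)]
    print("genuine 64-bit serials pass:", [passes_eight_byte_check(s) for s in genuine])
    print("DER of 2**63:", der_encode_integer(2**63).hex())
```

Two things fall out of running it. Every packed serial passes the length check, so the check adds no assurance about entropy, while a genuinely random 64-bit serial fails it whenever the value happens to fall below 2^56, which is about one issuance in 256; that is the kind of inconvenience to CAs the thread is weighing against the benefit. The counter heuristic, by contrast, flags the packed batch but would say nothing about any other way of under-filling the serial.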

